UNIVERSITÀ DEGLI STUDI DI PAVIA
Department of Law
Master's Degree Thesis in Law

THE USE OF PERSONAL DATA IN POST 9/11 COUNTER-TERRORISM
European and American approaches compared

Supervisor: Prof. Giulia Rossolillo
Candidate: Michael Teodori
Student ID 400105
Academic Year 2015/2016

To my family, to whom I owe everything.

TABLE OF CONTENTS

INTRODUCTION

CHAPTER I: EUROPEAN UNION COUNTER-TERRORISM POLICIES
1. The evolution of a European Union criminal law
    1.1 The Treaty of Maastricht and the institutionalization of the third pillar
    1.2 The establishment of an Area of Freedom, Security and Justice
        1.2.1 Title VI, TEU
        1.2.2 Title IV, TEC
        1.2.3 The 1999 European Council of Tampere
    1.3 The Lisbon Treaty
        1.3.1 The AFSJ after Lisbon
        1.3.2 Criminal law competences after Lisbon
        1.3.3 Third-pillar residues
2. The evolution of the EU's response to terrorism
    2.1 Intergovernmental approach in fighting terrorism
    2.2 Terrorism as a Union interest
    2.3 The Union's reaction to September 11th
        2.3.1 Action Plan on Combating Terrorism
        2.3.2 Framework Decision 2002/475/JHA
            2.3.2.1 Elements of the FDCT
        2.3.3 Framework Decision 2002/584/JHA
            2.3.3.1 Elements of the EAW Framework Decision
        2.3.4 Counter-terrorism finance measures
            2.3.4.1 EU restrictive measures
            2.3.4.2 Anti-money laundering directives
        2.3.5 Institutional changes
3. Judicial review of European counter-terrorism measures: the role of the Court of Justice of the European Union
    3.1 The competence of the Court of Justice in counter-terrorism legislation
    3.2 Judicial review of EU restrictive measure
    3.3 Kadi I and Kadi II
    3.4 Beyond privacy and due process
4. Recent developments in EU counter-terrorism
    4.1 Directive on combating terrorism
    4.2 Fifth anti-money laundering directive
    4.3 Surveillance and border control

CHAPTER II: PERSONAL DATA IN EU COUNTER-TERRORISM
1. Privacy, data protection and preemptive counter-terrorism
    1.1 The rights to privacy and data protection
    1.2 Limitations of the rights to privacy and data protection: the “liberty versus security” discourse
2. Data protection in the EU
    2.1 Before the Lisbon Treaty. The pillar divide
        2.1.1 Data protection in the first pillar. Directive 95/46/EC
        2.1.2 Data protection in the second and third pillar
    2.2 After the Lisbon Treaty. Article 16 TFEU
    2.3 Recent developments. The 2016 Data Protection package
    2.4 US-EU relations on data protection
        2.4.1 The Safe Harbor Principles and the 2016 U.S. Privacy Shield
        2.4.2 Information exchange in law enforcement. The 2016 Umbrella II Agreement
3. The use of telecommunication data in counter-terrorism: Directive 2006/24/EC
    3.1 From protection to retention. Directive 2006/24/EC
    3.2 Content of the Data Retention directive
    3.3 Assessment of the legality of the Data Retention Directive
    3.4 The Directive before the Courts
        3.4.1 The first ruling by the CJEU
        3.4.2 The revolt of national courts
        3.4.3 The second decision by the CJEU: Digital Rights Ireland
4. Other measures involving use of personal data
    4.1 Air travel data: API and PNR
        4.1.1 First US-EU PNR Agreement (2004)
        4.1.2 The 2006 PNR judgment by the CJEU
        4.1.3 Interim (2006), Second (2007) and Third (2011) EU-US PNR Agreements
        4.1.4 An EU PNR framework. Recent developments
    4.2 Financial messaging data
        4.2.1 Origins of the TFTP. The SWIFT program
            4.2.1.1 SWIFT and PNR cases compared
        4.2.2 Reactions to the SWIFT exposure
        4.2.3 US-EU TFTP Agreements
            4.2.3.1 TFTP I
            4.2.3.2 TFTP II
        4.2.4 Recent developments. An EU Terrorist Finance Tracking system

CHAPTER III: PERSONAL DATA IN AMERICAN COUNTER-TERRORISM
1. An overview of post-9/11 US counter-terrorism
    1.1 The US response to 9/11. From Bush to Obama
    1.2 Counter-terrorism and the Supreme Court
    1.3 EU – US cooperation in counter-terrorism
2. Data surveillance legislation
    2.1 Privacy and data protection in the US legal system
    2.2 National security surveillance law
        2.2.1 The Foreign Intelligence Surveillance Act
        2.2.2 Executive order 12.333
        2.2.3 National Security Letters
        2.2.4 Surveillance law after September 11th
3. Bulk collection of data
    3.1 Bulk data surveillance by the NSA after 9/11
        3.1.1 The Section 215 call records program
        3.1.2 PRISM and Upstream
    3.2 Other government programs involving bulk collection of personal data
    3.3 Presidential Policy Directive 28 (PPD-28) and the USA Freedom Act
4. American and European approaches compared
    4.1 A look at the past
    4.2 An eye to the future

BIBLIOGRAPHY
TABLE OF CASES

INTRODUCTION

The present work is not a study on terrorism, or on privacy, or on technology; rather, it seeks to analyze what lies at the intersection of each and what kind of interplay is possible in concepts which are, each in their own way, in constant evolution. The larger context this study departs from is, in fact, one of evolving technologies, on one hand, and of increasing terrorist threats, on the other. Its aim is to provide the reader with an overview of how personal data, that is information relating to or produced by any given individual, is currently used – and may in the future be used – as a counter-terrorism tool by the European Union and by the United States of America, the two main global counter-terrorism players.

It will do so by, first, laying down the EU's overall counter-terrorism policy, updated – as much as possible – at the time of writing (December 2016). Chapter I will be entirely dedicated to that purpose. Next, in Chapter II, the EU's main counter-terrorism measures involving the use of personal data will be dealt with in depth. These include the use of three types of data: telecommunication data, travel data, and financial data.
Finally, Chapter III will retrace the steps taken by the United States in its approach to terrorism, especially after the attacks of September 11th; thereafter, the discussion will focus on the measures involving the use of personal data enacted on the other side of the Atlantic, within the wider framework of American national security surveillance law, and with particular attention to the bulk data collection programs recently disclosed by the popular press.

In analyzing the foregoing topics, the final objective is to contribute – or at least, attempt to do so – to the discussion surrounding the insoluble question of whether an interplay between technology and counter-terrorism, in light of the implications it carries for privacy and data protection, should be feared; allowed; or even, perhaps, desired.

Chapter I
EUROPEAN UNION COUNTER-TERRORISM POLICIES

SUMMARY: 1. The evolution of a European Union criminal law. – 2. The evolution of the EU's response to terrorism. – 3. Judicial review of European counter-terrorism measures: the role of the Court of Justice of the European Union. – 4. Recent developments in EU counter-terrorism.

A study on European Union counter-terrorism measures has shown that, between 2001 and 2013, the EU adopted some 238 separate counter-terrorism measures; of these, eighty-eight are legally binding and therefore either have direct effect, or require transposition in each Member State[1]. This is evidence, on one hand, of the growing role the EU in itself – beyond Member State national activity, that is – is playing in the counter-terrorism domain; on the other, it also shows how the EU's counter-terrorism effort has generally lacked homogeneity and coherence, and has rather developed on the basis of an event-driven policy instead of a more planned approach. Counter-terrorism legislation has mainly, although not exclusively, taken the form of third-pillar lawmaking[2]. While this has been positive for overall integration in that specific area, it has however also meant that the Parliament – the only European institution perceived as the true sanctuary of democracy, and democratic accountability – was often excluded from the process[3]. This has led to additional criticism of most counter-terrorism initiatives, already under strict observation because of their effect on fundamental rights and civil liberties. Moreover, scholars are warning that, following the strand of terrorist activity on European soil in 2015 and 2016, the responses elaborated by the EU depart from a traditional criminal justice based approach to fighting terrorism, and instead carry features of an intelligence-based model of law enforcement. This paradigm shift in EU counterterrorism, however, may infringe on fundamental European principles such as free movement, privacy, and, ultimately, respect for the rule of law[4].

[1] HAYES and JONES, Taking stock. The evolution, adoption, implementation and evaluation of EU counterterrorism policy, in DE LONDRAS and DOODY, The Impact, Legitimacy and Effectiveness of EU Counterterrorism, Routledge, New York, 2014, pp. 13-39. The number takes into account legal acts and policy documents which, at one point in time, had been part of the EU's counter-terrorism agenda, and had been adopted or approved by an EU institution or body, or otherwise represent the official policy of the EU.

1. The evolution of a European Union criminal law.

Before being the object of wide mainstream media coverage, terrorist activities are first and foremost criminal offenses – and must therefore be dealt with as such. The degree to which the European Union is able to respond to such offenses depends on the broader issue concerning the criminal competences of the Union. Traditionally, the criminal law area is one of the most jealously protected by Member States, as it is considered one of the hallmarks of sovereignty.
However, throughout the years and the treaties significant steps have been taken towards the creation of an actual European Union criminal law. The latest, and perhaps most important yet, is the considerable change brought by the entry into force of the Lisbon Treaty in 2009[5], by which the EU was formally recognized – although some ECJ rulings had already anticipated such an effect[6] – as having an “indirect criminal competence”[7]. The Lisbon Treaty determined a new era in the relationship between European institutions and criminal law, to an extent that some scholars refer to the treaty as the last step in the process of the “europeanization of criminal law”[8].

[2] “It is important to stress from the start that “counter-terrorism” is a broad term which can encompass measures across all the former three pillars of the pre-Lisbon Treaty, from trade sanction (in the first and second pillar), to the implementation of UN Security Council resolutions (second pillar), to police and judicial cooperation (third pillar)”. KAUNERT and ZWOLSKI, The EU as a global security actor: a comprehensive analysis beyond CFSP and JHA, Palgrave Studies in European Union Politics, 2013, p. 91.
[3] HAYES and JONES have assessed that of the 88 binding measures adopted between September 2001 and 2013 (therefore including a post-Lisbon time frame), the Parliament has had actual co-decision powers in only 23 instances. HAYES and JONES, Taking stock, p. 30.
[4] BIGO, CARRERA, GUILD, et al., The EU and its Counter-terrorism policies after the Paris attacks, CEPS Paper in Liberty and Security, No. 84, November 2015.
[5] According to MITSILEGAS, “EU criminal law is perhaps the area most affected by Lisbon”. MITSILEGAS, EU Criminal Law, Hart Publishing, Oxford, 2009, p. 2.

In order to assess the evolution of a European Union criminal law, it is essential to analyze the development of the legal framework in which it is enshrined, i.e. that particular field of European cooperation which used to go under the name of Justice and Home Affairs (JHA) and is now labeled as the Area of Freedom, Security and Justice (AFSJ). Throughout the years, a trend has been set towards more and more integration in this field, to an extent that it has been defined as “the fastest-growing area of EU law”[9] and “one of the most rapidly developing domains of EU policy-making”[10].

1.1 The Treaty of Maastricht and the institutionalization of the third pillar.

Originally, criminal law (both substantial and procedural) fell under the wider label of “Justice and Home Affairs” (JHA). Whereas initially cooperation in JHA matters between Member States took place informally[11], a formal intergovernmental system was created with the Treaty of Maastricht in 1992[12], which was groundbreaking in developing the so-called “pillar structure” of the EU. If compared to a Greek temple, the EU system could be imagined as follows[13]: a pediment comprised of the common provisions of the Treaty on European Union (henceforth TEU), which applied to all areas of the Union (articles A-F); three sustaining pillars, each one referring to a specific area of the Union (namely, the European Community, governed by the Treaty establishing the European Economic Community – hereinafter TEC – as amended by the Maastricht Treaty; the Common Foreign and Security Policy, governed by articles J through J.11; Justice and Home Affairs, governed by articles K through K.9); and finally, a base concerning Final Provisions (articles L-S).

[6] Case C-105/03, Pupino, 16 June 2005.
[7] GRASSO, Il trattato di Lisbona e le nuove competenze penali dell'Unione Europea, in: Studi in onore di Mario Romano, Jovene Editore, Milano, 2011.
[8] MAGRO, Manipolazione dei mercati finanziari e Diritto Penale, Giuffrè, Milano, 2012.
[9] MITSILEGAS, EU Criminal Law, introduction.
[10] MONAR, The Institutional dimension of the European Union's Area of Freedom, Security and Justice, P.I.E. Peter Lang, Brussels, 2010.
[11] For example, through the Council of Europe or extra-EU mechanisms such as the Schengen treaty. MITSILEGAS, recalling MONAR, refers to these instruments as “laboratories of European integration in the field of Justice and Home Affairs”. MITSILEGAS, EU Criminal Law, p. 10.
[12] PEERS, Mission accomplished? EU Justice and Home Affairs Law after the Treaty of Lisbon, 48 Common Market Law Review 2011, pp. 661-693.
[13] Many scholars have suggested such analogy. Among them, DANIELE, Diritto dell'Unione Europea, Giuffrè, Milano, 2010, p. 24.

According to the Maastricht design, cooperation in criminal matters (as all other JHA issues) was governed by Title VI of the TEU. This was the first time that a Union competence in the field of Justice and Home Affairs was established in the Treaty[14]; its powers, however, remained very limited. Besides the observation that the Treaty made no reference to a “common policy” (as it did, for example, in the second pillar) but rather to mere “cooperation” between Member States[15], what was truly striking was the weakness of the instruments which had been conceived in order to further such cooperation. The Council was given the power to adopt joint actions and joint positions[16], and to draw up conventions it could then recommend to the Member States; decisions were to take place unanimously[17]. Moreover, the other Institutions were assigned an even lesser role. While on one hand the Commission was granted power of initiative only “in the areas referred to in Article K.1(1) to (6)[18]”, thus excluding judicial cooperation in criminal matters[19], on the other hand the European Parliament was only to be “informed of discussions in the areas covered by [the VI] Title” and “consulted on the principal aspects of activities”, besides being allowed to “ask questions or make recommendations”[20].
The Court of Justice was given no jurisdiction over third pillar matters, except for the interpretation of, and resolution of disputes arising from, the Conventions which expressly provided for it.

As a consequence of this institutional framework, integration in third pillar matters, at least initially, proceeded at a very slow pace. Either States used the “lowest common denominator” approach, by which measures proposed by a single State were passed only when they were acceptable enough for all of the other member States, which meant stripping the proposed measure down “to the bare minimum”; or they decided for a more traditional intergovernmental approach, through the use of conventions, the downside of which was usually the amount of time required in order for them to become effective; or, finally, settled for “non binding instruments”, such as joint positions or resolutions, “containing a sum of good intentions and ideas, but neither binding nor effective”[21]. These structural deficiencies essentially led to initial inactivity in the third pillar area.

[14] MITSILEGAS, EU Criminal Law, p. 10.
[15] Art. K; see MITSILEGAS, EU Criminal Law, p. 10.
[16] KUIJPER notices how “[a]lthough [they] were called joint positions and joint actions, they were in reality nothing more than resolutions”. KUIJPER, The Evolution of the Third Pillar from Maastricht to the European Constitution: Institutional aspects, 41 Common Market Law Review 2004, p. 610.
[17] Art. K.3(2) and K.4(3).
[18] Art. K.3(2).
[19] Governed by art. K(7).
[20] Art. K.6.

1.2 The establishment of an Area of Freedom, Security and Justice.

The structure of the third pillar underwent radical changes after the entry into effect of the Treaty of Amsterdam in 1999.
The former third pillar was broken down into two blocks: asylum, immigration, border control, and judicial cooperation in civil matters were moved under the first pillar – namely, in Title IV of Part III of the TEC[22] – and thus communitarised[23]; police and judicial cooperation in criminal matters instead continued to be governed by Title VI of the TEU (specifically, from art. 29 to art. 41). Most importantly though, the concept of the Union as an “Area of Freedom, Security and Justice” (AFSJ) was formally established in the Treaties. This notion appeared in article 2 of the TEU as one of the objectives of the Union, and also in both parts which referred to former third pillar issues (article 29 TEU and article 61 TEC). Although it probably lacked clarity[24], the idea of the Union as an “Area” of Freedom, Security and Justice is even more significant in the context of the Amsterdam treaty, which also integrated the Schengen acquis into the EU and EC Treaties.

1.2.1 Title VI, TEU.

Title VI of the TEU, the remaining third pillar (which was renamed AFSJ), contained “Provisions on Police and Judicial Cooperation in Criminal Matters”. Monar stresses how, in these matters, emphasis still lay on “cooperation” rather than integration[25]. As an opening statement, art. 29 TEU set down the objective sought by the Union: “to provide citizens with a high level of safety within an area of freedom, security and justice”[26]. However, it was immediately pointed out that this goal would be achieved not by common policy or action by the Union or its institutions, but by “common action among the Member States”[27]. The means to achieve such objective were listed shortly after: closer cooperation between police forces, custom authorities and other competent authorities; closer cooperation between judicial authorities; and, finally, “approximation – albeit only where necessary – of rules in criminal matters in the Member States, in accordance with the provisions of Article 31(e)”[28]. Pursuant to art. 31(e), “Common action on judicial cooperation in criminal action shall include: […] e) progressively adopting measures establishing minimum rules relating to the constituent elements of criminal acts and to penalties in the fields of organised crime, terrorism and illicit drug trafficking”.

[21] KUIJPER, The Evolution of the Third Pillar, p. 611.
[22] TEC, Part III, Title IV: “Visas, Asylum, Immigration and other policies related to the free movement of persons”.
[23] PEERS notices how the institutional rules regarding Title IV of the TEC were nonetheless still rather intergovernmental. PEERS, Mission accomplished? EU Justice and Home Affairs after the Treaty of Lisbon, 48 Common Market Law Review 2011, p. 662.
[24] According to MITSILEGAS “the concept of 'area' is not clear, and the relationship between the three elements of 'freedom, security and justice' [...] contested”. MITSILEGAS, EU Criminal Law, p. 13.
[25] MONAR, The Institutional dimension of the European Union's Area of Freedom, Security and Justice, p. 24.

The establishment of a new Area of Freedom, Security and Justice was accompanied by sizable changes in the legal instruments available to the institutions in the third pillar area. These were listed in article 34(2) TEU, by which the Council could adopt a) common positions, b) framework decisions, c) decisions, and d) establish conventions. Framework decisions in particular constituted the main form of third pillar law-making post-Amsterdam[29] and contributed to the enhancement of the strength of third pillar law. Later on, with the Pupino decision[30], the differences between first-pillar directives and framework decisions were dramatically reduced[31]. Joint actions and joint positions, instead, disappeared from the spectrum of adoptable instruments.
Moreover, it is worth noticing that the Commission was finally granted initiative powers also in third pillar issues, pursuant to article 34(2), although it could not bring Treaty infringement proceedings against member States who failed to implement a decision or a framework decision[32]. Despite the effort towards a higher degree of integration, in third-pillar matters Member States nonetheless chose to maintain “an armour of protection of the national systems”[33] scattered across Title VI. Art. 33 held that Member State responsibility “over the maintenance of law and order and the safeguarding of internal security” remained unabridged. Moreover, art. 35(5) denied the ECJ jurisdiction over “the validity or proportionality of operations carried out by the police or other law enforcement services of a Member State, or the exercise of the responsibilities incumbent upon Member States with regard to the maintenance of law and order and the safeguarding of internal security”. Furthermore, it was explicitly stated that framework decisions and decisions adopted pursuant to article 34(2) “shall not entail direct effect”. Lastly, typically intergovernmental elements, such as the requirement of unanimity in Council activities and the very marginal role assigned to the Parliament, were left in place.

[26] Art. 29 TEU, as amended by the Treaty of Nice.
[27] Observation made by MONAR, The Institutional dimension of the European Union's Area of Freedom, Security and Justice, at p. 24.
[28] Art. 29 TEU, as amended by the Treaty of Nice.
[29] MITSILEGAS, EU Criminal Law, p. 16.
[30] Case C-105/03, Pupino, judgment of 16 June 2005.
[31] GRASSO, Il trattato di Lisbona e le nuove competenze penali dell'Unione Europea, p. 2315.
[32] MONAR, The Institutional dimension of the European Union's Area of Freedom, Security and Justice, p. 35.

1.2.2 Title IV, TEC.

Even in the areas that were placed under the first pillar (under Title IV, TEC, artt. 61-69), however, a cautious approach to integration was initially maintained and then partially amended by the Nice Treaty[34]. Once again, the unanimity requirement in the Council was meant to suffocate unwanted integration[35]; and the measures to be taken in communitarised areas were limited to “minimum standards”. As Monar explains, one of the reasons behind the persistence of an intergovernmental approach as opposed to integration in the AFSJ – regardless of the pillar – was the fact that, besides its legislative dimension, the AFSJ also inevitably carried an operational dimension. Member States therefore tended to prefer mechanisms which would give them full control of their operational means[36].

1.2.3 The 1999 European Council of Tampere.

In sum, the Amsterdam Treaty had the effect of institutionalizing the AFSJ and breaking it into two blocks which, although based in two different pillars, nonetheless shared a common objective and a common institutional framework (the JHA Council). The consequence of this divide, however, was to grant each institution a very different role in policy-making depending on the pillar the measure was going to be based on. Differences were exceptionally stark with reference to the powers of the European Parliament. In fact, whereas for most first-pillar measures the Parliament had co-decision powers, for third pillar measures its powers were limited to mere consultation.

[33] Definition and subsequent considerations taken from MONAR, The Institutional dimension of the European Union's Area of Freedom, Security and Justice, p. 25.
[34] PEERS, Mission accomplished?, p. 662.
[35] MONAR, The Institutional dimension of the European Union's Area of Freedom, Security and Justice, p. 25.
[36] MONAR, The Institutional dimension of the European Union's Area of Freedom, Security and Justice, p. 31.
Hence the numerous occasions in which the EP contested the legal basis of measures adopted by the Council, claiming they should have been first-pillar and not third-pillar based, and the subsequent need for the ECJ to rule on the border between first and third pillar[37]. Monar, however, also speaks of a “gradual blurring” of the pillar divide; and he does so referring precisely to criminal law. In fact, although cooperation in criminal justice was supposed to remain a third pillar issue, some ECJ decisions anticipated the effects brought by the Lisbon Treaty. The Pupino decision mentioned earlier was particularly important in that it put first-pillar directives and third-pillar framework decisions in the same position with respect to the effect they could have on national legislation.

A decisive step forward, however, was brought by the European Council held in Tampere, in the south of Finland, in October of 1999. The aim of the Tampere Council Summit was to strengthen cooperation in the AFSJ, without modifying Treaty provisions[38]. In Salazar's words, “the sensitive innovations brought by the Treaty of Amsterdam called for a strong political answers, manifested at the highest level, which could canalize and orient the new potential of the Treaty towards more ambitious and specific goals”[39]. The Tampere European Council meant to provide those answers by tracing a two-pillar process. Efforts towards heightened cooperation in criminal matters were in fact to take two different forms: harmonization, on one hand, and mutual recognition of judicial decisions, on the other. Harmonization can be defined as the creation of a common model of law, which can be achieved through different degrees: from unification, the highest, to approximation, the lowest[40]. The mutual recognition of judicial decisions was instead conceived as the “cornerstone of judicial cooperation in criminal matters within the Union”[41]. The Conclusions reached in the European Council of Tampere would thus inspire many third pillar measures in the following years.

[37] See MONAR, The Institutional dimension of the European Union's Area of Freedom, Security and Justice, p. 36; PEERS, Mission accomplished?, p. 663.
[38] KAUNERT and ZWOLSKI, The EU as a global security actor: a comprehensive analysis beyond CFSP and JHA, Palgrave Studies in European Union Politics, Palgrave Macmillan UK, 2013, pp. 59-61.
[39] SALAZAR, Misure di contrasto alla criminalità organizzata elaborate dall'Unione Europea, in BASSIOUNI, La cooperazione internazionale per la prevenzione e la repressione della criminalità organizzata e del terrorismo, Giuffrè, Milano, 2005, p. 134. SALAZAR also notices that the 1999 Tampere European Council was the first dedicated almost entirely to Justice and Home Affairs issues.
[40] FICHERA, The European Arrest Warrant and the Sovereign State: a marriage of convenience?, European Law Journal, Vol. 15, No. 1, January 2009, p. 75.

1.3 The Lisbon Treaty.

The Lisbon Treaty of 2007, which came into effect on 1 December 2009, was meant to eliminate the pillar structure of the EU. However, the second pillar (Common Foreign and Security Policy) was not suppressed[42] and is still governed by the TEU[43]; the main effect of the Lisbon Treaty was rather the definitive merger of the first and third pillars, which are now both governed by Title V of the new TFEU[44]. From this point of view, the Lisbon Treaty picks up from where the unsuccessful Constitutional Treaty of 2005 had left off.

1.3.1 The AFSJ after Lisbon.

The Treaty of Lisbon completed the process that had started with the Treaty of Amsterdam, and had remained unfinished following the rejection of the Constitutional Treaty.
The remainder of the former Maastricht third pillar (judicial cooperation in criminal law, and police cooperation) was “communitarized” and placed under Title V of Part III of the TFEU: the Area of Freedom, Security and Justice thus ceased to be a cross-pillar area, and is now governed by a homogeneous legal framework. This had a number of positive consequences regarding European integration[45]. Firstly, as a third pillar no longer exists formally, typical third-pillar measures such as framework decisions and common positions were abolished. The following paragraph will analyze the effect this has had on criminal law in particular[46]. Secondly, in many instances the co-decision procedure – refurbished as “ordinary legislative procedure”, and now governed by art. 294 TFEU – became the norm rather than the exception. For example, art. 75 TFEU requires the ordinary legislative procedure in order to pass regulations concerning “preventing and combating terrorism and related activities”[47]. Lisbon thus granted the European Parliament a much broader power in enacting criminal legislation, and increased the cases of qualified majority voting (QMV) in the Council instead of unanimous voting.

[41] Conclusions of the Presidency, Tampere European Council of 15-16 October 1999, para. 33.
[42] See RINOLDI, Il pilastro resistente. Contrasto al terrorismo e competenze dell'Unione Europea in materia di Politica estera e sicurezza comune: Liste nere e spazio di libertà, sicurezza, giustizia, in: GRASSO, PICOTTI, SICURELLA, L'evoluzione del diritto penale nei settori d'interesse europeo alla luce del trattato di Lisbona, Giuffrè, Milano, 2011.
[43] TEU, Title V, artt. 21-46: “General provisions on the Union's external action and specific provisions on the common foreign and security policy”.
[44] TFEU, Title V, artt. 67-89: “Area of Freedom, Security and Justice”.
[45] DANIELE, Diritto dell'Unione Europea, p. 25; MITSILEGAS, EU Criminal Law, pp. 39-41.
[46] See infra, para. 1.3.2.
Thirdly, the competence of the Court of Justice was extended to matters formerly belonging to the third pillar with respect to infringement proceedings (art. 258-260), preliminary rulings (art. 267), compensation for damages (art. 268), and – especially – judicial review[48].

1.3.2. Criminal law competences after Lisbon.

The change in the legal instruments available to the Union in AFSJ matters directly impacted its powers in the field of criminal law. Prior to the Lisbon Treaty, the main criminal law-making instruments were Framework Decisions, which the TEU explicitly stated did not have direct effect. That restriction was first partially overturned by the Pupino decision, in which the ECJ held that framework decisions could also have direct effect[49], and has now been definitively abandoned. Currently, judicial cooperation in criminal matters takes place in a threefold manner[50]. Firstly, through the facilitation of the mutual recognition of judicial decisions, by which criminals are prevented from exploiting free movement for pursuing illegal activities[51]. Secondly, through the establishment of minimum rules on criminal procedure, such as on the mutual admissibility of evidence between Member States, on the rights of the individuals on trial and of the victims of crime[52]. Thirdly, through the harmonization of substantive criminal law, for which the Treaty of Lisbon created a new legal framework. In particular, art. 83 should be considered as the correct legal basis for all circumstances in which criminalization of certain conduct stems from European initiatives[53]. Terrorism falls under art. 83(1), which refers to “particularly serious crime with a cross-border dimension”, including, besides terrorism, activities such as trafficking in human beings and sexual exploitation of women and children, illicit drug trafficking, illicit arms trafficking, money laundering, corruption, counterfeiting of means of payment, computer crime and organized crime[54]. This list may be added to by the Council, with a unanimous decision and with the consent of the European Parliament. Art. 83(2) refers instead to areas which have been subject to harmonization measures. Notwithstanding its literal meaning, the rule should also a fortiori apply to circumstances where the European Union does not intervene with “harmonization measures”, but has exclusive competence, such as the areas listed under art. 3 TFEU, or has intervened with unifying measures (rather than mere “harmonization”)[55]. In these two areas, the EU may adopt directives which establish minimum rules concerning the definition of criminal offenses, as well as the sanctions. Allowing uniformity in the definitions but denying it in sanctions may in fact jeopardize the very purpose of common criminalization[56].

[47] Although pursuant to art. 75(2), measures implementing restrictive counter-terrorism law are adopted solely by the Council without participation by the Parliament.
[48] With respect to judicial review, Lisbon extends the ECJ's competence to removing the individual concern standing requirement for natural or legal persons challenging regulatory acts not entailing implementing measures; reviewing the compliance of legislation with the principle of subsidiarity; reviewing the legality of acts of the Institutions when they produce legal effects vis-à-vis third parties. See MITSILEGAS, EU Criminal Law, p. 40.
[49] More precisely, the Court held that individuals should be able to invoke Framework Decisions to obtain a conforming interpretation of national law in Member State courtrooms. The case in question, extensively dealt with among legal scholars, involved criminal procedure legislation concerning special arrangements for hearing testimony from potentially vulnerable witnesses. See, e.g., PEERS, Salvation outside the church: judicial protection in the third pillar after the Pupino and Segi judgments, 44 Common Market Law Review 2007, pp. 883-929.
[50] LENAERTS and GUTIÉRREZ-FONS, The European Court of Justice and fundamental rights in the field of criminal law, in MITSILEGAS, BERGSTRÖM and KONSTADINIDES, Research Handbook on EU Criminal Law, Edward Elgar Publishing, 2016, p. 8.
[51] Art. 82(1) TFEU.

1.3.3. Third-pillar residues.

Some provisions of the Lisbon Treaty, however, were meant to have a restraining effect on the purported integration process and show that for some aspects “the shadow of the third pillar still looms large”, to put it in Monar's words[57]. From an institutional standpoint, the formal recognition of the European Council as an institution in the TEU[58] – and the role it is assigned in Title V – is noteworthy in that it signals a return to a political and thus intergovernmental approach inside the Union[59]. Pursuant to art. 68 TFEU, the European Council “shall define the strategic guidelines for legislative and operational planning within the area of freedom, security and justice”. Moreover, the Commission does not have an exclusive right of initiative in the field of police and judicial cooperation in criminal matters, but it shares it with Member States.

[52] Art. 82(2) TFEU.
[53] See GRASSO, La competenza penale dell'Unione Europea nel quadro del Trattato di Lisbona, in: GRASSO, PICOTTI, SICURELLA, L'evoluzione del diritto penale nei settori d'interesse europeo alla luce del trattato di Lisbona, Giuffrè, Milano, 2011. GRASSO however notes that an exception must be made for the financial interests of the Union, to which art. 325 TFEU applies.
[54] Art. 83(1) TFEU.
[55] GRASSO, La competenza penale dell'Unione Europea, p. 698. GRASSO makes specific reference to insider trading.
[56] GRASSO, La competenza penale dell'Unione Europea, p. 700.
[57] MONAR, The Institutional dimension of the European Union's Area of Freedom, Security and Justice, p. 47.
[58] In art. 13(1) TEU.
In fact, according to art. 76 TFEU, legislation may be adopted if the initiative stems from at least a quarter of the Member States, whereas the earlier version of the TEC required initiative by only one Member State. Also, some islands of unanimity are maintained in the Council (for example, in artt. 81(3), 82(2)(d), 83(1), 86(1), 87(3), 89) and in all these instances the Parliament has a mere consultation role. The five-year transitional period envisaged by art. 9 of Protocol 36, by which the legal effects of the acts adopted under the former third pillar were preserved until the acts were repealed, annulled, or amended, thus limiting the Commission's power to launch infringement proceedings for faulty implementation, has ended, and restrictions on the ECJ remit in these domains were therefore lifted as well. However, with respect to policing and criminal law the jurisdiction of the ECJ is limited in that, pursuant to article 276 TFEU, it cannot “review the validity or proportionality of operations carried out by the police or other law-enforcement services of a Member State or the exercise of the responsibilities incumbent upon Member States with regard to the maintenance of law and order and the safeguarding of internal security”. Finally, the opt-out regime created for the UK, Ireland (Protocol No. 21) and Denmark (Protocol No. 22), by which these Member States are not bound by the measures, provisions or international agreements concluded on AFSJ matters, constitutes the “most fundamental distinction remaining between JHA matters, and non-JHA matters”[60]. Some of the most significant resistance to communitarization can be specifically found in the criminal law area. The reason is simple: Member States are reluctant to forgo full penal competences as they are among the highest manifestations of State sovereignty. In fact, Peers notes how the increase in QMV was compensated by “a clarification of the EU's competences over most JHA matters”[61].
[59] MITSILEGAS, EU Criminal Law, p. 46.
[60] PEERS, Mission accomplished?, p. 690.
[61] PEERS, Mission accomplished?, p. 665.

And in fact, EU competence in the criminal law field is limited to certain categories of crime – namely, those with transnational characteristics. Also, as is explicitly stated in art. 83(1), harmonization in the criminal law field may be achieved only through the use of directives, which are measures that leave Member States a great deal of discretion in their implementation. Moreover, if one Member State fears that a draft directive “might affect the fundamental aspects of its criminal system”, it has the power to activate the so-called emergency brake mechanism, provided for by art. 83(3) TFEU. That Member State may in fact request that the draft directive in question be referred to the European Council, thus suspending the ordinary legislative procedure. This blocking mechanism is compensated by the fact that if at least nine Member States are willing to proceed towards harmonization, they may do so in the form of enhanced cooperation, pursuant to art. 20 TEU. Two other provisions which are meant to guarantee Member States a higher control over EU legislative initiatives in criminal law issues are those set forth by artt. 69 and 70 TFEU[62]: respectively, an ex-ante control of compliance with the principle of subsidiarity and an ex-post evaluation mechanism of the implementation of Union policies. Both instances, in fact, call for a role for National Parliaments.

2. The evolution of the EU's response to terrorism.

The European Union's response to terrorism falls within the legal framework discussed above, and is inevitably affected by its development. To some scholars, however, the process is mutual: the politics of counter-terrorism have in fact, in a way, themselves contributed “to the blurring of differences between the so-called three pillars established by the Maastricht Treaty”[63].
Under the Lisbon Treaty, terrorism is considered “a particularly serious crime with a cross-border dimension”, therefore governed by art. 83(1) which allows Member States to establish a common definition and common sanctions. The evolution of the European Union in the field of counter-terrorism is twofold: on the one hand, it is progressively developing and enhancing a common response strategy which allows it to adequately provide an “added value”, compared to the abilities of the single Member States, in the fight against terrorism[64]; on the other, it has also acquired a role as a relevant counter-terrorism player on the international scene[65]. The events of September 11th, in particular, constituted a decisive turning point and catalyst for the EU's counter-terrorism policies. Prior to 9/11, in fact, there was a general belief that terrorism was an issue to be addressed at the national level. The New York and Washington attacks, however, had the general effect of determining a paradigm shift towards stronger international cooperation in the fight against terrorism. In Europe, in particular, this role was taken up by the European Union. A briefing issued by the European Parliamentary Research Service in April 2016 has divided recent EU action in the counter-terrorism domain into five “waves”[66]: the first, precisely, after 9/11; the second and third, following the attacks on Madrid, in 2004, and London, in 2005; the fourth, prompted by the Charlie Hebdo attacks in January 2015; the fifth, and current, determined by the attacks on European soil between 2015 and 2016.

[62] Extensively, MITSILEGAS, EU Criminal Law, pp. 48-52.
[63] EDWARDS and MEYER, Introduction: Charting a contested transformation, Journal of Common Market Studies, Vol. 46, No. 1, 2008, p. 11.

2.1 Intergovernmental approach in fighting terrorism.
The fight against terrorism has, since the very early stages of the European Communities, been a concern of Member States and a reason for stronger cooperation[67]. However, as has been the case with other matters falling inside the notion of Justice and Home Affairs, the approach to terrorism in Europe prior to the entry into force of the Maastricht Treaty was predominantly intergovernmental. One of the first forms of cooperation specifically dedicated to terrorism was the TREVI group (Terrorisme, radicalisme et violence internationale[68]), established in 1975. According to Monar, the very origins of the AFSJ can be traced back to the TREVI cooperation[69], which essentially consisted of meetings between national ministries and law enforcement authorities and had no legal framework or institutional basis. The first regional treaty concerning terrorism to be successfully drafted and signed in Europe was the Convention on the International Suppression of Terrorism, drawn up by the Council of Europe in 1977. It was innovative in the sense that it anticipated many international conventions from the 1990s in imposing obligations on States, rather than on individuals, and for over twenty years constituted “the sole common denominator in the field of terrorism”[70] among European States. Despite a Parliamentary resolution calling upon member States of the then European Community to ratify the Convention[71], it did not however enjoy great success. Its scope was in fact more procedural than substantive and it did not lay out a comprehensive definition of terrorism, but rather set a list of offenses subject to the “prosecute or extradite” principle[72]. Furthermore, the Convention granted Contracting States the power to turn down requests for extradition or mutual assistance if there were “substantial grounds” for believing that the request had been made with the purpose of discriminatory prosecution[73]. Artt. 12 and 13, finally, provided Contracting States with the possibility of specifying territories in which the Convention would (not) apply, and allowed them to attach reservations to its application if they considered a particular offense to be of a political nature – with the only limitation of taking into due consideration “any particularly serious aspect” of it.

[64] ARGOMANIZ, BURES, KAUNERT, A Decade of EU Counter-Terrorism and Intelligence: a critical assessment, Intelligence and National Security, Vol. 30, Nos. 2-3, 2015, pp. 191-206.
[65] MONAR, The EU as an International Counter-terrorism actor: progress and constraints, Intelligence and National Security, Vol. 30, Nos. 2-3, pp. 333-356.
[66] SGUEO, Counter-terrorism funding in the EU budget, European Parliamentary Research Service Briefing, April 2016, p. 4.
[67] See, for example, the European Parliament's Resolution on acts of terrorism in the Community, O.J. No. C 299/24, 12.12.1977, where it acknowledged that “a systematic reinforcement of the joint efforts by the Governments of the Member States to fight terrorism is essential in order to provide effective protection for the citizens of the Community and its democratic system”.
[68] According to MONAR, the origin of the name actually lies in a pun stemming from the name of the Dutch Minister who chaired the meeting that established TREVI (Fonteijn – Dutch for 'fountain'), and a dinner among the Ministers that took place near the Trevi fountain in Rome. MONAR, Common Threat and Common Response? The European Union's Counter-terrorism Strategy and its problems, Government and Opposition, Vol. 42, No. 3, 2007, p. 292.
In December 1979, Member States of the European Community signed the “Agreement concerning the application of the European Convention on the Suppression of Terrorism among the Member States of the European Communities”[74], the purpose of which was to render the 1977 Convention fully applicable inside the EC, thus forgoing limitations or reservations at least among Member States. The Agreement, although signed by all Member States, was however never ratified[75]. Furthermore, in 1983 the Legal Affairs Committee of the European Parliament issued a draft report where it considered the possibility of setting up a European Court to deal exclusively with terrorist crimes, separate from the European Court of Justice[76]. The proposal, however, was never followed through. The failure of these initial attempts at uniformity in counter-terrorism can be explained by the unwillingness displayed by sovereign States to cede control over issues of internal security in the early stages of the European Community[77].

[69] MONAR, Common Threat and Common Response?, p. 28.
[70] DUMITRIU, The EU's definition of terrorism: the Council Framework Decision on Combating Terrorism, German Law Journal, Vol. 5, No. 5, 2004, p. 587.
[71] O.J. No. C 30/34, 7.2.1977.
[72] MURPHY, EU counter-terrorism law: pre-emption and the rule of law, Hart Publishing, Oxford, 2012, p. 18 and p. 51.
[73] Art. 5; art. 8.
[74] Commonly referred to as the “Dublin Agreement”.
[75] See MÜLLER-RAPPARD, The European Response to International Terrorism, in CHERIF BASSIOUNI, Legal Responses to International Terrorism – U.S. Procedural aspects, Martinus Nijhoff Publishers, Dordrecht, 1988, pp. 407-408.

2.2 Terrorism as a Union interest.

Through the Treaty of Maastricht and the establishment of the pillar structure, the Union started to acquire a number of competences apt for counter-terrorism, although “scattered throughout the three pillars”[78]. Concerning the third pillar in particular, art. K.1 TEU required Member States to consider “police cooperation for the purposes of preventing and combating terrorism [...]” as a matter of common interest[79]. It has already been observed[80] how the instruments available to the EU in this stage were, however, quite modest, being limited to joint positions or actions the binding nature of which was even debated. In essence, as Argomaniz puts it, “[t]he Union was regularly overlooked as a potential avenue for action in [the counter-terrorism] area”[81]. Between 1996 and 1998, at least three joint actions were adopted which concerned or made specific reference to terrorism[82]. A 1997 European Parliament resolution[83] stated that “the European Union has a duty to adopt a series of consistent measures to combat terrorism […] going beyond ad hoc proposals, which, in addition to improving the clear-up rate and prosecution, should do more to prevent terrorism”, thereafter drawing a list of recommendations, directed to Member States, the Council, and the Commission, concerning the areas of preventive measures, investigation and prosecution, and police and judicial cooperation. Recital 19, in particular, expressly called on the Council to seek harmonization of criminal law in Member States regarding “serious crime with a cross-border aspect”. After the entry into force of the Treaty of Amsterdam, the legal basis for intervention in the field of terrorism was to be found in art. 29 TEU. This time, prevention of terrorism was mentioned not only as a cause for police cooperation, but also as warranting closer cooperation between judicial authorities and approximation of substantive criminal law (albeit only “where necessary”). In the first year after the entry into force of the Treaty of Amsterdam, though, and despite the importance of the Council of Tampere, counter-terrorism was not a top priority in the EU's Area of Freedom, Security and Justice agenda. Murphy even notes how a report from International and Comparative Law Quarterly in 2000 did not consider terrorism at all[84]. The focus was rather on other types of criminal activity, such as environmental crime, money counterfeiting and child pornography, for all of which Framework Decisions had been adopted[85].

[76] Projet de rapport sur la mise en place d'un Tribunal européen pour juger des crimes tu terrorisme, 28.03.1983, PE83.925.
[77] As MURPHY puts it, “the strong association of sovereignty and state security ensured that while terrorism was an international problem, counter-terrorism largely remained a domestic undertaking”. MURPHY, EU counter-terrorism law, p. 18. Some forms of intelligence-based collaboration for counter-terrorism purposes between Member States currently still take place through intergovernmental structures, such as the Club de Berne and the Counter Terrorism Group (CTG).
[78] MURPHY, EU Counter-terrorism law, p. 20.
[79] Article K.1(9), TEU.
[80] See supra, para. 1.1.
[81] ARGOMANIZ, The EU and Counter-terrorism. Politics, polity and policies after 9/11, Routledge Contemporary Terrorism Studies, New York, 2011, p. 19.
[82] Joint Action 96/610/JHA, Joint Action 98/428/JHA and Joint Action 98/733/JHA. See BROUWER, CATZ, and GUILD, Immigration, Asylum and Terrorism: a changing dynamic in European Law, Recht & Samenleving, Nijmegen, 2003, p. 97.
[83] Resolution on combating terrorism in the European Union, O.J. 1997 C55/27.
A European Parliament resolution of 5 September 2001[86] acknowledged the “inadequacy of traditional forms of judicial and police cooperation in combating terrorism” and the existence of “legal loopholes” exploitable by terrorist groups, thus inviting the Council to adopt framework decisions on the establishment of minimum rules relating to the constituent elements of criminal acts and penalties in the field of terrorism, on the adoption of the principle of mutual recognition of decisions on criminal matters, and on the adoption of measures for the implementation of a European search and arrest warrant.

[84] MURPHY, EU Counter-terrorism law, p. 22.
[85] PEERS, EU responses to terrorism, The International and Comparative Law Quarterly, Vol. 52, No. 1, January 2003, p. 238.
[86] European Parliament Recommendation of 5 September 2001 on the role of the European Union in combating terrorism, O.J. 2002 C72E/135-141.

2.3 The Union's reaction to September 11th

Europe's approach to terrorism changed dramatically after the attacks of September 11th, 2001. The New York and Washington attacks had a strong impact on the EU, to the extent that the fight against terrorism was officially recognized as a priority objective of the Union[87], and a vast array of measures was quickly set up in each of the three pillars. For some of them, the New York and Washington attacks provided the necessary spur for action which had been delayed in the past, due to the absence of the political will to enhance cooperation in certain matters.
A note d'information addressed to the Commission on behalf of Commissioners Patten (external relations) and Vitorino (justice and home affairs) pointed out, for example, that the proposals for framework decisions on a definition of terrorism and on the European Arrest Warrant, tabled for discussion the week following the attacks, “address intra-EU aspects and were never intended as a response to the Twin Towers/Pentagon attack”[88]; moreover, they urged the Union and the Member States “to ensure that the momentum generated by recent events is not lost, and that both the Commission and the Member States are committed to making real and rapid progress”. The following paragraphs will attempt to retrace the first steps taken by the European Union in the immediate wake of the 9/11 terrorist attacks, starting from the Action Plan on Combating Terrorism, currently still the main EU policy driver in the field of counter-terrorism. The analysis will then shift to the two main legislative instruments adopted by the Union in that time frame, that is, Framework Decision 2002/475/JHA and Framework Decision 2002/584/JHA, and to the measures enacted by the Union to counter terrorist financing. Finally, the main changes in the Union's institutional structure will be briefly addressed.

2.3.1 Action Plan on Combating Terrorism

On 21 September 2001 an extraordinary session of the European Council took place “to impart the necessary impetus to the actions of the European Union”[89]. This was the first time that terrorism was the first priority of a European summit. The outcome of this meeting was the definition of a “European Policy to Combat Terrorism”, the embryo of what would come to be known as the EU Action Plan on Combating Terrorism[90]. Action plans are not defined in the Treaties; they are not legal instruments but rather policy guides which specify and manage a prolonged implementation process of a single objective[91]. During the extraordinary meeting, however, the European Council set five objectives to achieve[92]: enhancing police and judicial cooperation; developing international legal instruments; putting an end to the funding of terrorism; strengthening air security; and coordinating the EU's global action. Although the first impetus towards a comprehensive counter-terrorism effort thus flowed from the European Council, its place was shortly after taken over by the Council, especially in the JHA formation, which on September 20th had already laid down a number of measures to be taken “to step up the fight against terrorism within the European Union”[93]. These measures, along with the European Council's Action Plan, led to the adoption by the Council of an Anti-Terrorist road-map on 26 September 2001[94]. The road-map essentially consisted of a four-part chart describing the measures that needed to be taken, their deadline, the body responsible for implementation, and the implicated action. For example, numbers one and two on the list were, respectively, the adoption of the European Arrest Warrant and of a common definition of terrorism, to be achieved by December 2001.

[87] See for example Recital 1 of Council Common Position 2001/930/CFSP, OJ 2001 L344/90. ARGOMANIZ, in The EU and Counter-terrorism, at p. 19, argues that the 9/11 attacks “represent the first of the three critical junctures generating new paths of institutional development that steered the formation of this domain”. The second and third were represented, respectively, by the attacks in Madrid in 2004 and London in 2005.
[88] SEC(2001) 1429/3, point 1.
[89] Conclusions and Plan of action of the Extraordinary European Council meeting on 21 September 2001, SN 140/01, p. 1.
The Council's road-map went on to take the place of the European Council's Action Plan (albeit this latter name was maintained) as leading policy guide in the counter-terrorism realm, and underwent constant changes and updates in the following years which also led to some criticism concerning its effectiveness[95]. A significant revision occurred in 2005, after the London bombings, when the Council (under the UK presidency) presented a renewed Counter Terrorism Strategy based on four pillars: prevent, protect, pursue, respond[96]. Although according to Bossong this “did little more than to repackage and better publicly present the still incoherent and ill-coordinated set of EU counter-terrorism policies”[97], the effort was nonetheless relevant as it effectively organized all the counter-terrorism measures that had been adopted until then under a more coherent framework; the very same structure is still present in the latest update of the Action Plan[98]. The first strand of the EU counter-terrorism strategy is concerned with the prevention of radicalization and recruitment of young people especially.

[90] For an extensive analysis of the Action Plan on Combating Terrorism, see BOSSONG, The Action Plan on Combating Terrorism: a flawed instrument of EU security governance, Journal of Common Market Studies, Vol. 46, No. 1, 2008, pp. 27-48.
[91] BOSSONG, The Action Plan, p. 29.
[92] SN 140/01, pp. 1-3.
[93] Conclusion adopted by the Council (Justice and Home Affairs), 20 September 2001, SN 3926/6/01.
[94] Anti-terrorism Roadmap, 26 September 2001, SN 4019/01.
[95] According to BOSSONG, the Action Plan was a typical example of garbage-can model of policy-making, which occurs when “preexisting policy proposals are matched to new problems under conditions of bounded rationality”. BOSSONG, The Action Plan, p. 31.
[96] The European Union counter-terrorism strategy, 30 November 2005, doc. 14469/4/05 REV 4.
The second objective is the protection of citizens and infrastructures from terrorist threats. The third part deals with the pursuit and investigation of terrorists across Europe and thus represents the legislative core of the Action Plan. It involves matters such as data sharing, PNR, TFTP, National structures for Counter-terrorism coordination, Europol and Eurojust, criminal law approximation, customs, and operational cooperation. Murphy points out how “filing terrorist offenders in court” appears at the very end of the introductory list of objectives to pursue in this section, suggesting that this is an obvious sign of the increasing shift from punishment to preemption in EU counter-terrorism policy. Lastly, the fourth element involves issues pertaining to response strategies in the event of terrorist activities, such as civilian response capacity, early warning systems and crisis management in general.

2.3.2 Framework Decision 2002/475/JHA

Peers defines the Framework Decision on Combating Terrorism (hereinafter FDCT) as the “flagship” measure in EU counter-terrorism[99]. It was proposed by the European Commission on 19 September 2001, together with the Framework Decision on the European Arrest Warrant, and a final version was agreed upon on 6 December 2001 and formally adopted in June 2002, after scrutiny by the European Parliament[100]. Member States were required to implement the framework agreement by 31 December 2002; an ambitious objective considering that at the time only six member states had standing counter-terrorism legislation. It was later amended in 2008, following – rectius, inspired by – the UN Security Council Resolution 1264 of 2005 and the Council of Europe Convention on the Prevention of Terrorism, which entered into force in 2007[101]. Weyembergh and Santamaria point out[102] how international law, stemming from the UN and the Council of Europe, and the existing national laws of six member states[103] both constituted sources d'inspiration for the Framework Decision – along, as well, with preceding EU law, such as Common Action of 21 December 1998 on the criminalization of the participation in organized crime inside a Member State. The legal basis for the adoption of the FDCT was art. 31(1)(e) of the post-Amsterdam TEU[104]; Dumitriu[105] also notes how the action taken by the Union in the aftermath of the 9/11 attacks fell well within the boundaries of the subsidiarity principle as defined by art. 2(2) TEU and art. 5(2) TEC, given that terrorism was surely not an area of exclusive competence but one in which Member States alone could not sufficiently achieve the objective of the proposed action. The FDCT contained the first definition of terrorism at the European Union level. A preliminary concern raised by Murphy regards the purpose behind the definition of terrorism and thus its criminalization. Murphy argues that the reason behind a common definition of terrorism is not so much to punish terrorist activities after they have been committed, but rather to prevent them in the first place.

[97] BOSSONG, The Action Plan, p. 41.
[98] EU Action Plan on combating terrorism, 15 November 2010, 15893/10.
[99] PEERS, EU responses to terrorism, p. 228. Similarly, DUMITRIU refers to it as “the cornerstone of the fight against terrorism” (The EU's definition of terrorism, p. 590) and MURPHY as “the central plank of EU counter-terrorism action” (EU Counter-terrorism law, p. 51).
[100] It is worth noting that at the time of its adoption the European Parliament held a very limited role in third-pillar law making.
Deciding on what is and what is not terrorism grants governments authority to pursue certain policies which go beyond those normally enacted for other criminal offenses and, at the same time, defines the scope of their application; in Murphy's words, the aim of a definition of terrorism is “to outlaw political violence itself; to delineate those against whom preventive powers can be used; to justify the use of such measures”.

Many authors have raised concerns regarding compliance of the FDCT with basic criminal law principles such as the principle of legality. While it is not the intent of this dissertation to analyze the FDCT from the perspective of penal law doctrine, it nonetheless must be noted that claims have been made that both the substantial and the formal dimension of the principle in question have been affected by it[106]. On the one hand, the vagueness and breadth of its dispositions conditioned implementation in member states and especially in those where preexisting laws on terrorism were not present. On the other, the FDCT being a third-pillar measure, the Parliament was to be merely consulted; this aggravated the shortcomings of the FDCT from the democratic accountability viewpoint. On a last note, at the time of writing the FDCT is applicable to all Member States with the exception of the United Kingdom, which pursuant to Article 10(4) of Protocol no. 36 annexed to the TEU and the TFEU has decided to opt out from this legal framework, with effect from 1 December 2014.

[101] MURPHY, EU Counter-terrorism law, p. 69.
[102] WEYEMBERGH and SANTAMARIA, Lutte contre le Terrorisme et droits fondamentaux dans le cadre du troisième pilier, in RIDEAU, Les droits fondamentaux dans l'Union européenne, Bruylant, Bruxelles, 2009, pp. 204-208.
[103] The UK, France, Spain, Italy, Portugal, and Germany.
[104] See supra, 1.2.1.
[105] DUMITRIU, The EU's definition of terrorism, p. 590.

2.3.2.1. Elements of the FDCT.
The first four articles of the FDCT set the ground for a common European definition of terrorism. More specifically, art. 1 contains a list of activities to be deemed as terrorist offenses; art. 2 and art. 3 deal with, respectively, offenses relating to a terrorist group and offenses linked to terrorist activities; art. 4 governs inchoate offenses. The current structure is the result of the negotiations following the original proposal by the Commission, which outlined just two types of offenses: terrorist infractions per se, and inchoate offenses. The former, however, included acts which are now dealt with separately in artt. 2 and 3.

Art. 1 of the FDCT sums up all of the terrorist activities outlawed by previous UN Conventions[107]. Whereas the UN conventions dealt with each offense specifically, the FDCT combines all of them under one heading and places them at the very beginning of the framework decision[108]. Only letters (h) and (i) represent a novelty, as they had not been the object of a previous Convention. The offenses listed in art. 1 are comprised of three constitutive elements: the outlawed action and the nature or context of the act, which constitute the objective elements, and the aim or intention, which constitutes the subjective element. The criminalized actions are the following:

a) attacks upon a person's life which may cause death;
b) attacks upon the physical integrity of a person;
c) kidnapping or hostage taking;
d) causing extensive destruction to a Government or public facility, a transport system, an infrastructure facility, including an information system, a fixed platform located on the continental shelf, a public place or private property likely to endanger human life or result in major economic loss;
e) seizure of aircraft, ships or other means of public or goods transport;
f) manufacture, possession, acquisition, transport, supply or use of weapons, explosives or of nuclear, biological or chemical weapons, as well as research into, and development of, biological and chemical weapons;
g) release of dangerous substances, or causing fires, floods or explosions the effect of which is to endanger human life;
h) interfering with or disrupting the supply of water, power or any other fundamental natural resource the effect of which is to endanger human life;
i) threatening to commit any of the acts listed in (a) to (h).

[106] Consideration taken by WEYEMBERGH and SANTAMARIA, Lutte contre le Terrorisme, pp. 226-227.
[107] PEERS, EU responses to terrorism, p. 231.
[108] FDCT, art. 1(1), (a) through (i).

For any of the aforementioned offenses to be punishable under the FDCT, however, two other prongs must be met. First of all, they must be such that “given their nature or context, [they] may seriously damage a country or an international organization”. Whereas the original proposal by the Commission included this requirement in the subjective element[109], the final version separated it from the aim pursued by the perpetrator, thus elevating it to an autonomous, objective element. Its meaning, however, is not unambiguous. Dumitriu claims that its purpose is to differentiate actual terrorist offenses from less serious offenses[110]. Peers argues that this specification actually renders the EU measure narrower in scope if compared to the related UN Conventions, given that any of the acts listed from (a) to (i) would not be punishable if they do not entail “serious damage” to a country or an international organization[111]. Saul, on the other hand, points out how the conduct need not cause actual damage, it being sufficient that it create “a likelihood or even a possibility of damage”[112].
Moreover, contrary to the interpretation offered by Peers, he argues that the requirement may be construed so as to widen the scope of the offenses “by eliminating the need to prove an intention to intimidate, compel, or destabilize”[113]. Weyembergh and Santamaria, however, also seem to acknowledge the eminently objective nature of this requirement[114].

[109] DUMITRIU, The EU's definition of terrorism, p. 596.
[110] DUMITRIU, The EU's definition of terrorism, p. 595. For example, the act of hijacking a plane with the aim of extorting money.
[111] PEERS, EU responses to terrorism, p. 232.
[112] SAUL, Defining terrorism in international law, Oxford University Press, New York, p. 164.
[113] SAUL, Defining terrorism, p. 164. MURPHY however counters that “there is no basis for this claim in the text”, given that “the phrase in question is part of art. 1(1) and does not appear to be an alternate requirement to the three parts of the motivation test in art. 1(2)”. MURPHY, EU Counter-terrorism law, p. 59.

Secondly, the offenses must be committed for one of the three purposes listed in art. 1(1). These are: seriously intimidating a population; unduly compelling a government or international organization to perform or abstain from performing any act; seriously destabilizing or destroying the fundamental political, constitutional, economic or social structures of a country or an international organization. The original proposal by the Commission only referred to countries, governments and populations; it was later broadened so as to include international organizations as well[115], although NGOs and other non-international groups, as well as juridical persons other than States or international organizations, remain outside the scope of the FDCT[116]. It is noteworthy that no relevance whatsoever is assigned to the motive behind the act: what matters is not the ideological, political or religious cause behind the offense but rather the specific aim it purports to accomplish[117].
The wording of the article was deeply inspired by the 1999 UN Convention on the Suppression of the Financing of Terrorism, according to which the acts it prohibits are outlawed only when their purpose is “to intimidate a population, or to compel a government or international organization to do or abstain from doing any act”. The FDCT, though, requires serious intimidation and undue compulsion; moreover, the third aim (serious destabilization) is completely new[118]. Other differences pointed out by scholars[119] relate to the scope of the criteria taken by the Terrorist Financing Convention: in the context of the FDCT not only do they apply to every one of the offenses listed in art. 1 (and are thus not limited only to the financing of terrorism), but also to the connected conducts laid down by artt. 2, 3 and 4.

[114] By describing it as “la gravité de la mise en danger que les actes […] impliquent”, thus stressing that attention must be brought to the act itself rather than the intention of the perpetrator. WEYEMBERGH and SANTAMARIA, Lutte contre le Terrorisme, p. 203.
[115] WEYEMBERGH and SANTAMARIA refer to this as the “internationalisation du bien juridique protégé” in Lutte contre le Terrorisme, at p. 209.
[116] SAUL, Defining terrorism, p. 164.
[117] In fact, the original design of the FDCT was meant to also include any form of “urban violence”, to an extent that Italy was hopeful it could cover the protests against the G8 summit in Genoa. SAUL, Defining terrorism, p. 165; MURPHY, EU Counter-terrorism law, p. 58.
[118] MURPHY however argues that “the third part should be omitted entirely”, as it is “superfluous” and “may unnecessarily limit legitimate political action”. MURPHY, EU Counter-terrorism law, p. 59.
[119] PEERS, EU responses to terrorism, p. 231.

Art. 2 criminalizes “offenses relating to a terrorist group”. A terrorist group is preliminarily defined as being “a structured group of more than two persons, established over a period of time and acting in concert to commit terrorist offenses”. This apparently strict definition – which leaves out groups formed to commit a single offense[120] – is mitigated by the subsequent structure requirement, pursuant to which a group may nonetheless be defined as structured even absent “formally defined roles for its members, continuity of its membership or a developed structure”[121]. Conducts taking place inside terrorist groups which are thus outlawed separately from those in art. 1 are the acts of directing such groups, and participating in their activities. Whereas the former is not further specified, in order for the latter offense to be punishable, instead, “knowledge of the fact that such participation will contribute to the criminal activities of the terrorist group” is required. Both wordings, however, offer room for criticism. With regard to the conduct of “directing”, scholars note that, firstly, as the act is not qualified in any manner, direction which might even be laudable – such as the instruction to cease activities – would also in theory be punishable[122]; secondly, culpability does not rest on the director's knowledge of the criminal activities of the group but only on the act of directing a group which is terrorist. This second objection may however be addressed by realistically admitting that directing a terrorist group somewhat implies knowledge of activities which are, at the very least, criminal. Turning to the conduct of “participating”[123], it is noteworthy that in order for it to be punishable, knowledge must concern “criminal” and not terrorist activities. This means that one may be punishable under the FDCT if he or she, while taking part in the terrorist group in the manners defined by art. 2(2), is aware of activities which are criminal albeit not terrorist ex art. 1(1).
Although the same objection as above may be raised, Saul points out how by these standards donating money for charitable purposes to groups which also perform terrorist functions would nonetheless, again in theory, be punishable[124].

[120] MURPHY, EU Counter-terrorism law, p. 62.
[121] MURPHY points out that this loose definition is mindful of the diverse organization methods of terrorist networks. MURPHY, EU Counter-terrorism law, p. 62.
[122] MURPHY, EU Counter-terrorism law, p. 62; SAUL, Defining terrorism, p. 168.
[123] Which, according to art. 2(2)(b) FDCT, includes “supplying information or material resources, or funding its activities in any way”.
[124] SAUL, Defining terrorism, p. 168, referring in particular to certain Palestinian groups. Undeniably, however, this circumstance seems less likely to occur in Europe.

Art. 3, which was amended by Framework Decision 2008/919/JHA, criminalizes offenses linked to terrorist activities. These were originally limited to aggravated theft, extortion, and drawing up false administrative acts; while the first two are punishable when they are perpetrated “with a view to committing one of the acts listed in art. 1(1)”, drawing up false documents is punishable when there is “a view to committing one of the acts listed in art. 1(1)(a) to (h)”, thus excluding art. 1(1)(i), “and art. 2(2)(b)”. This category of acts was not mentioned in the Commission's proposal and was brought up by the Council, perhaps as an expression of the Member States' will to be granted heightened powers in the earliest stages of criminal activity[125]. The 2008 amendment added three new offenses, each preceded by an autonomous definition: public provocation to commit a terrorist offense, recruitment for terrorism and training for terrorism[126].

Finally, art. 4 concludes the portion of the FDCT concerning prohibited acts by criminalizing the inchoate offenses of inciting, aiding or abetting a terrorist offense, and attempting to commit a terrorist offense.
These, however, are not autonomously defined by the FDCT – to an extent that the divide between this category of offenses and the preceding ones is not as sharp as it is advocated it should be[127]. Moreover, whereas the 2002 version of art. 4 required Member States to ensure that these activities were made punishable tout court, the amended version of 2008 lowers the requirement by simply giving Member States the option to punish attempts to recruit or train for terrorism. Murphy explains that this formulation is a compromise which takes into account different opinions between institutions as to whether such conducts should (or even can) be criminalized[128].

The FDCT continues by establishing minimum penalties for the offenses listed in artt. 1 through 4[129], which should be higher than those imposable under national law, and also determines mitigating circumstances which may lead to penalty reductions for terrorists[130]. Next[131], it sets rules on the liability of legal persons which appear to be in line with other EU post-Amsterdam criminal law measures, but at a closer look are different in that they seem not to exclude the possibility of State responsibility[132]. However, while on one hand it is hard to believe that Member States could be involved in terrorist activities[133], on the other hand responsibility of non-Member States cannot be determined by means of internal EU legislation[134]. Moreover, the penalties subsequently set for legal persons[135] are clearly meant for private law entities rather than public law entities.

[125] DUMITRIU, The EU's definition of terrorism, p. 598.
[126] Art. 1(1) FD 2008/919/JHA, introducing the new art. 3(1) FDCT by which “For the purposes of this Framework Decision, 'public provocation' shall mean the distribution or otherwise making available, of a message to the public, with the intent to incite the commission of one of the offenses listed in art. 1(1)(a) to (h), where such conduct, whether or not directly advocating terrorist offenses, causes a danger that one or more such offenses may be committed; 'recruitment for terrorism' shall mean soliciting another person to commit one of the offenses listed in art. 1(1)(a) to (h), or in art. 2(2); 'training for terrorism' shall mean providing instruction in the making or use of explosives, firearms or other weapons or noxious or hazardous substances, or in other specific methods or techniques, for the purpose of committing one of the offenses listed in art. 1(1)(a) to (h), knowing that the skills provided are intended to be used for this purpose.”
[127] DUMITRIU stresses in particular the uncertain boundary between participation ex art. 2 and complicity ex art. 4 FDCT. DUMITRIU, The EU's definition of terrorism, p. 599.
[128] MURPHY, EU Counter-terrorism law, p. 68.
[129] Art. 5 FDCT.
[130] Art. 6 FDCT.
[131] Art. 7 FDCT.

The FDCT also sets out innovative rules on jurisdiction[136]. The first significant element to be considered is the breadth of these rules, which lay down three situations in which a Member State may have jurisdiction over an offense: principle of territoriality, principle of active personality and principle of passive personality. As this has the obvious possible consequence of endowing multiple States with jurisdiction over a single case, pursuant to art. 9(2) Member States “shall cooperate in order to decide which of them will prosecute the offender with the aim, if possible, of centralizing proceedings in a single Member State”. Moreover, a guideline for priority jurisdiction is provided[137], according to which – in the event of multiple States having jurisdiction over the same issue – certain factors must be taken into account in sequence[138].

2.3.3 Framework Decision 2002/584/JHA.
Alongside and in parallel with the FDCT, a “sister” framework decision[139] was also adopted in the immediate aftermath of the events of September 11: the Framework Decision on the European arrest warrant and the surrender procedures before Member States.

[132] PEERS infers this from an a contrario interpretation of Recital 11 of the Preamble of the FDCT which, by expressly excluding “actions by armed forces […] governed by international humanitarian law” from the scope of the Framework Decision, would apparently include all other conducts. PEERS, EU responses to terrorism, p. 234.
[133] MURPHY, EU Counter-terrorism law, p. 60.
[134] DUMITRIU cites art. 34 of the Vienna Convention on the Law of Treaties, establishing the principle of opposability of treaties, by which “A treaty does not create either obligations or rights for a third State without its consent”. DUMITRIU, The EU's definition of terrorism, p. 602.
[135] Art. 8 FDCT: exclusion from entitlement to public benefit or aid; temporary or permanent disqualification from the practice of commercial activities; placing under judicial supervision; judicial winding-up order; temporary or permanent closure of establishments which have been used for committing the offence.
[136] Art. 9 FDCT.
[137] PEERS notices how this is unprecedented in EU acts. PEERS, EU responses to terrorism, p. 233.
[138] These are: Member State in the territory of which the acts were committed; Member State of which the perpetrator is a national or resident; Member State of origin of the victims; Member State in the territory of which the perpetrator was found. Art. 9(2) FDCT.
[139] The two Framework Decisions were in fact proposed and passed on the same days (respectively 19 September 2001 and 13 June 2002).
Differently from the FDCT, which consisted in an intervention on Member States' substantive criminal law, the European Arrest Warrant (henceforth EAW) framework decision concerned rules on criminal procedure; in particular, through the EAW the European legislator sought to speed up surrender procedures between Member States concerning, among others, individuals suspected of or convicted for conducting terrorist activities, while at the same time maintaining the safeguards stemming from traditional rules on extradition. It has been submitted, however, that defining the EAW as a simplified version of extradition is overly reductive[140]. The adoption of the EAW thus determined the introduction of a “small common criminal procedure”[141].

The EAW is a clear example of how acts of terrorism may provide the decisive push for the adoption of legislation involving heightened cooperation between Member States in a field as sensitive as criminal law. The concept of a EAW can in fact be traced back to the 1999 European Council of Tampere, where it was first proposed as one possible expression of the principle of mutual recognition of judicial decisions – itself a notion first introduced by the 1998 European Council of Cardiff[142]. However, in the 2000 Program on Mutual Recognition, the EAW was not listed as a top-priority achievement: precedence was given to other instruments such as the mutual recognition of decisions on the freezing of evidence, and the mutual recognition of orders to freeze assets. It was only following 9/11 that the adoption of the EAW “was prioritized over any other measure”[143]. A proposal was submitted by the Commission on 19 September 2001; however, unanimity was not initially reached in the JHA Council of 6-7 December because of opposition by Italy. Moreover, the Parliament – which, in third pillar matters, as of 2002 still had mere consultation powers – advanced reservations on the proposal when it was first consulted on 29 November.
Both objections were eventually withdrawn and, following the Parliament's approval of the final text on 6 February, the Framework Decision was adopted by the Council on 13 June.

[140] MARCHETTI, Rapporti giurisdizionali con autorità straniere, in CONSO, GREVI, BARGIS, Compendio di Procedura Penale, CEDAM, Padova, 2014, p. 1164.
[141] SELVAGGI, Il mandato di arresto europeo: l'esperienza giurisprudenziale e l'uso del canone di interpretazione conforme, in RAFARACI, La cooperazione di polizia e giudiziaria in materia penale nell'Unione Europea dopo il trattato di Lisbona, Giuffrè, Milano, 2011, p. 70.
[142] SALAZAR, Misure di contrasto alla criminalità organizzata elaborate dall'Unione Europea, in BASSIOUNI, La cooperazione internazionale per la prevenzione e la repressione della criminalità organizzata e del terrorismo, Giuffrè, Milano, 2005, pp. 126-127. On the principle of mutual recognition see PASQUERO, Mutuo riconoscimento delle decisioni penali: prove di federalismo, Giuffrè, Milano, 2007, pp. 53-82.
[143] FICHERA, The European Arrest Warrant and the Sovereign State: a marriage of convenience?, European Law Journal, Vol. 15, No. 1, January 2009, pp. 71-72.

The EAW Framework Decision was adopted on a different legal basis than the FDCT, namely art. 31(1)(a) and (b) TEU[144]; moreover, art. 29 TEU is not recalled. While this choice has been criticized by some, on the grounds that art. 31(1)(b) allows for the facilitation, and not abolition, of extradition, art. 31(1)(a) can however be considered broad enough to cover the abolition of extradition as well[145]. Although the scope of the EAW framework decision is larger than the fight against terrorism, its adoption was undeniably accelerated by the attacks of 2001, to the extent that it is often indicated as one of the major counter-terrorism measures adopted by the EU in the 9/11 aftermath, along with the FDCT and the EU-US agreements on extradition and mutual legal assistance[146].
2.3.3.1 Elements of the EAW Framework Decision.

To begin with, the EAW is defined as “a judicial decision issued by a Member State with a view to the arrest and surrender by another Member State of a requested person, for the purposes of conducting a criminal prosecution or executing a custodial sentence”[147]. Moreover, “Member States shall execute any European arrest warrant on the basis of the principle of mutual recognition”[148]. These two provisions have been defined as the “essence” of the EAW framework decision[149]: the surrender of individuals suspected of or convicted for a number of serious crimes listed in art. 2(2) (therein including terrorism, unsurprisingly listed second) must always take place, irrespective of the existence of an extradition agreement between the two Member States involved, on the grounds of the existence of a judicial decision. It has been noticed that the dialogue is therefore no longer between sovereign states, but rather between independent judges[150].

[144] Art. 31(1) TEU: “Common action on judicial cooperation in criminal matters shall include: a) facilitating and accelerating cooperation between competent ministries and judicial or equivalent authorities of the Member States, including, where appropriate, cooperation through Eurojust, in relation to proceedings and the enforcement of decisions; b) facilitating extradition between Member States [...]”.
[145] WOUTERS and NAERT, Of Arrest Warrants, Terrorist Offences and Extradition deals: an appraisal of the EU's main criminal law measures against terrorism after 11 September, 41 Common Market Law Review 2004, p. 914.
[146] WOUTERS and NAERT, Of Arrest Warrants, p. 910.
[147] Art. 1(1).
[148] Art. 1(2).
[149] WOUTERS and NAERT, Of Arrest Warrants, p. 912.
[150] FICHERA, The European Arrest Warrant, p. 78.

Art. 2 defines the scope of the EAW.
Member States can issue a EAW for “acts punishable by law of the issuing Member State by a custodial sentence or detention order for a maximum period of at least 12 months or, where a sentence has been passed or a detention order has been made, for sentences of at least four months”[151]. The Member State receiving the EAW, for its part, must surrender the sought-after individual “without verification of the double criminality of the act” where the offense committed is punishable in the issuing Member State by a custodial sentence or a detention order of at least three years, and at the same time falls under one of the 32 categories listed in art. 2(2)[152]. The EAW framework decision thus, for these serious crimes at least, abolished the traditional extradition principle of dual criminality, i.e. that a request may be carried through only if the act in question is punishable in both countries. Pursuant to art. 2(4), however, the principle of dual criminality was maintained for crimes other than those falling under the list in art. 2(2).

The EAW Framework Decision then provides grounds for mandatory and optional non-execution of the EAW[153], and rules concerning determination of the competent judicial authorities, and the possibility of establishing a central national authority[154]. Chapter II of the Framework Decision (artt. 9-25) is entirely dedicated to the surrender procedure, and chapter III (artt. 26-35) to the effects of the surrender. Finally, an annex to the Framework Decision provides a model for a EAW.

2.3.4. Counter-terrorism finance measures

In the wake of the New York attacks, action was also taken by the European Union to disrupt terrorist financing. On the one hand, asset-freezing measures (targeted sanctions) were enacted against natural and legal persons believed to have connections with terrorist activities; on the other, the scope of existing anti-money laundering legislation was extended to include terrorist financing as well.

[151] Art. 2(1).
[152] Including, but not limited to: participation in a criminal organization; terrorism; trafficking in human beings; sexual exploitation of children and child pornography; illicit trafficking in drugs and weapons; corruption. Pursuant to art. 2(3), the list can also be expanded.
[153] In artt. 3 and 4, respectively.
[154] Artt. 6 and 7 respectively.

2.3.4.1 EU restrictive measures.

The EU has set up two different counter-terrorism sanction regimes, which are still in force, and are both implementations of UN Security Council Resolutions. Although these are not the only types of targeted sanctions implemented by the EU[155], they are the only two that are specifically counter-terrorism oriented and, therefore, not geographically defined (i.e. do not affect specific countries).

The first strand of targeted sanctions is based on UNSC Resolution 1373(2001), adopted on 28 September 2001, which called for all States to freeze “without delay” funds and other financial assets or economic resources of natural persons or entities either involved in terrorist activities, or associated with such persons, and to refrain from active or passive support for terrorism. In the EU, Resolution 1373 was implemented through the Common Position on Combating Terrorism, a composite measure comprised of four different acts which, although issued in December 2001, already borrowed the definition of terrorism from the yet to be adopted FDCT. Under the Amsterdam Treaty, common positions were instruments which could be adopted either under the second pillar, pursuant to article 15 TEU, or under the third pillar, pursuant to article 34(2)(a). In both cases they were meant to “define the approach of the Union to a particular matter”[156], and were to be adopted without participation of the European Parliament[157].
Of the four acts comprising the Common Position, the first two were the Common Position on combating terrorism (2001/930/CFSP[158]) and the Common Position on the application of specific measures to combat terrorism (2001/931/CFSP[159]). Both of these common positions adopted in December 2001 shared the purpose of implementing Resolution 1373; they did so, however, in a different manner and degree. The former, in fact, called for the adoption of general measures against any person or entity who committed, attempted to commit or participated in the commission of terrorist acts[160], and differs from the UN Resolution in that it made several advisory measures mandatory, and transformed the obligation for States to refrain from supporting terrorist activities into an obligation for individuals[161]. The latter, instead, applies more specific measures and also sets down the criteria for listing of persons, groups, and entities.

[155] For a complete overview of EU restrictive measures see ECKES, EU restrictive measures against natural and legal persons: from counterterrorist to third country sanctions, 51 Common Market Law Review 2014, pp. 869-906.
[156] Although art. 15 TEU is more precise in adding that such matter must be “of a geographical or thematic nature”. See JIMENO-BULNES, After September 11th: the Fight against terrorism in National and European Law. Substantive and Procedural Rules: some examples, European Law Journal, Vol. 10 No. 2, March 2004, pp. 246-247; BROUWER, CATZ, and GUILD, Immigration, Asylum and Terrorism, pp. 107-113.
[157] Pursuant to art. 39 TEU, “the Council shall consult the European Parliament before adopting any measure referred to in art. 34(2)(b), (c), and (d)”, thus excluding measures under art. 34(2)(a) from the scope of the article. PEERS, EU responses to terrorism, p. 238.
[158] O.J. L 344, 28 December 2001, 90.
[159] O.J. L 344, 28 December 2001, 93.
The measures established therein are of two types: measures relating to the freezing of financial assets and bans on transfers of funds162, and enhanced measures related to police and judicial cooperation163. Moreover, and this is the characteristic trait of Common Position 2001/931, they only apply to the persons and entities listed in the subsequent Annex 164. The lists are reviewed at least every six months. The third act of the package is Regulation 2580/2001 165, a first-pillar measure “needed at Community level and complementary to administrative and judicial procedures regarding terrorist organizations”166: without such a measure, in fact, targeted individuals would be able to defeat, in court, the second-pillar common position by relying on a first-pillar basic freedom such as the free movement of capital 167. The Regulation was thus meant to implement the Community law aspects of Common Position 2001/931/CFSP 168 and in fact provides a more detailed definition of “funds” and “financial services”, and a full description of freezing procedures. The last element of the Common Position package is Decision 2001/927/EC 169, which further implements Regulation 2580 by establishing the list provided for in Article 2(3) of the same Regulation170. Although instruments such as the ones set out by this Common Position were not a novelty in the EU context, Peers criticizes the disproportionate effect such restrictions may have on persons who have not been convicted or at least seriously indicted for terrorism, but instead only suspected of terrorist activity on the basis of soft intelligence information171.
The second strand of EU targeted sanctions is more limited in scope as it is directed exclusively against persons and entities associated with Usama bin Laden, the Taliban, and the Al-Qaida Network. These measures are meant to implement a series of UNSC Resolutions imposing strong sanction regimes against the Talibans: namely, Resolution 1267(1999), Resolution 1333(2000), and Resolution 1390(2002). In particular, the Council adopted Common Position 2002/402/CFSP on 27 May 2002, alongside Regulation 881/2002, therefore replicating the structure used for the first strand of restrictive measures (that is, a second pillar Common Position and an implementing first pillar Regulation) and the nature of the measures as well, as the Taliban measures consisted essentially in the freezing of funds, financial assets and economic resources, or the unavailability thereof for the benefit of the individuals in question. More recently, a new Decision was adopted by the Council on 1 August 2011 172 amending Common Position 2002/402/CFSP, in order to implement UNSC Resolution 1989(2011) which expunged references to Usama bin Laden and the Talibans from the scope of the measures.
160 Measures listed in CP 2001/930/CFSP include the freezing of funds and assets (art. 2 and art. 3), the denial of safe haven (art. 6), enhanced border control (art. 10), exchange of operational information (art. 11).
161 PEERS, EU responses to terrorism, p. 238.
162 Art. 2 and 3, Common Position 2001/931/CFSP.
163 Art. 4, Common Position 2001/931/CFSP: “Member States shall, through police and judicial cooperation in criminal matters […] afford each other the widest possible assistance in preventing and combating terrorist acts. To that end they shall […] fully exploit, upon request, their existing powers in accordance with acts of the European Union [...]”.
164 The latest update of the annex was provided by Council Decision (CFSP) 2016/1136 of 12 July 2016.
165 Council Regulation on specific restrictive measures directed against certain persons and entities with a view to combating terrorism, O.J. L 344/70, 28.12.2001.
166 Recital (6), Regulation 2580/2001.
167 Observation by GUILD, The Uses and Abuses of Counter-terrorism Policies in Europe: the case of 'terrorist lists', Journal of Common Market Studies, Vol. 46, No. 1, 2008, p. 179.
168 See Recital (5), Regulation 2580/2001; PEERS, EU responses to terrorism, p. 238.
169 O.J. L 344/83, 28.12.2001.
170 Regulation 2580/2001, Art. 2(3): “The Council, acting by unanimity, shall establish, review and amend the list of persons, groups and entities to which this Regulation applies, in accordance with the provisions laid down in Article 1(4), (5) and (6) of Common Position 2001/931/CFSP”.
171 PEERS, EU responses to terrorism, p. 239.
172 Council Decision 2011/487/CFSP of 11 August 2011 concerning restrictive measures against Usama bin Laden, members of the Al-Qaida organization and the Taliban and other individuals, groups, undertakings and entities associated with them, O.J. L 199/73, 2.8.2011.
2.3.4.2. Anti-money laundering directives.
The Union's effort against terrorist financing also passed through already existing legislation concerning money laundering. In 1991, the EC had adopted the first money laundering directive173, incorporating at the Community level principles that had been established in the international fora174: on one side, it provided a definition of money laundering and required Member States to prohibit such activity 175, while on the other it introduced obligations for private actors, such as credit and financial institutions, to cooperate with competent authorities by identifying customers, keeping records, refraining from and reporting suspicious transactions.
In October 2001, the Financial Action Task Force (FATF) – an intergovernmental organization established in 1989 and devoted to the fight against money laundering, and including among its participants the European Commission and several Member States – issued a series of eight “Special Recommendations” specifically concerning terrorist financing, with a ninth adopted in October 2004 176. These were meant to “set out the basic framework to detect, prevent, and suppress the financing of terrorism and terrorist acts” 177, and consisted in: ratification and implementation of UN instruments; criminalizing the financing of terrorism and associated money laundering; freezing and confiscating terrorist assets; reporting suspicious transactions related to terrorism; international co-operation; heightened control of alternative remittance systems and wire transfers; the review of legislation concerning nonprofit organizations; and, finally, measures against unlawful cross-border cash flows. While the Union did not implement these measures in its second money-laundering Directive, which was adopted in December 2001 178, the reason behind its third amendment of the Directive in 2005 was precisely the incorporation of the FATF Special Recommendations on terrorist financing.
173 Council Directive 91/308/EEC of 10 June 1991 on the prevention of the use of the financial system for the purpose of money laundering, O.J. L 166/77, 28.06.91.
174 Namely, through the UN Convention on drug trafficking of 1988, the Council of Europe money laundering Convention of 1990, and the 40 Recommendations by the Financial Action Task Force (FATF) issued in 1990.
The third money-laundering Directive 179 thus explicitly includes “terrorist financing” in its heading, and money laundering and terrorist financing were essentially put on the same level as to the effort which should be conducted for their prevention: “massive flows of dirty money can damage the stability and reputation of the financial sector and threaten the single market, and terrorism shakes the very foundations of our society. In addition to the criminal law approach, a preventive effort via the financial system can produce results” 180.
175 MITSILEGAS and GILMORE point out that Member States had reached a compromise to “prohibit” money laundering, instead of criminalizing it tout court, because the pre-Maastricht structure of the EC did not allow Community competences in the criminal law area. MITSILEGAS and GILMORE, The EU legislative framework against money laundering and terrorist finance: a critical analysis in the light of evolving global standards, International Comparative Law Quarterly, Vol. 56, January 2007, p. 136.
176 FATF IX Special Recommendations, available at: http://www.fatfgafi.org/publications/fatfrecommendations/documents/ixspecialrecommendations.html
177 FATF IX Special Recommendations, p. 2.
178 Directive 2001/97/EC of the European Parliament and the Council of 4 December 2001 amending Council Directive 91/308/EEC on prevention of the use of the financial system for the purpose of money laundering, O.J. L 334/76, 28.12.2001.
179 Directive 2005/60/EC of the European Parliament and the Council of 26 October 2005 on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing, O.J. L 309/15, 25.11.2005.
The Directive defines “terrorist financing” as “the provision or collection of funds, by any means, directly or indirectly, with the intention that they should be used or in the knowledge that they are to be used, in full or in part, in order to carry out any of the offenses within the meaning of artt. 1 through 4 of the Terrorist Framework Decision” 181, thus establishing a direct link with the FDCT. The scope of the Directive was widened compared to its 1991 and 2001 predecessors, also including, besides credit and financial institutions, entities such as auditors, tax advisers, notaries and other independent legal professionals, trust or company service providers, real estate agents, and casinos182. All such entities are to perform “customer due diligence”183, i.e. the verification of the identity of their customers and the monitoring of their business relationship; moreover, the third money laundering directive significantly modified the section relating to “reporting duties” 184 by requiring Member States to establish national Financial Intelligence Units, to which “any activity which [is regarded] as particularly likely, by its nature, to be related to money laundering or terrorist financing, and in particular complex or unusually large transactions and all unusual patterns of transactions which have no apparent economic or visible lawful purpose” must be reported.
180 Directive 2005/60/EC, recital 1.
181 Directive 2005/60/EC, art.1(4).
182 Directive 2005/60/EC, art. 2(1).
183 Directive 2005/60/EC, artt. 6-19.
184 Directive 2005/60/EC, artt. 20-29.
2.3.5. Institutional changes.
Lastly, it is worth also briefly addressing the changes the events of September 11th have determined in the EU at the institutional level. Most notably, Eurojust was established in February 2002, through Council Decision 2002/187/JHA 185. In the 1999 European Council of Tampere, Member States had agreed to set up, by the end of 2001, a unit (which already then had been called Eurojust) composed of national prosecutors, magistrates or police officers, with the task “of facilitating the proper coordination of national prosecuting authorities and of supporting criminal investigations in organized crime cases” 186. Moreover, the role of Europol was deeply enhanced in the counter-terrorism area: despite terrorism not being a new competence for Europol 187, a terrorism unit was however established within its structure and additional financing was granted to the agency; Europol's cooperation capacities with third States, and especially the US, were also increased188. In January 2016, a European Counter-Terrorism Center (ECTC) was also set up within Europol as a platform for information sharing among Member States with the purpose of monitoring and investigating foreign terrorist fighters.
Finally, following the Madrid attacks of 2004, the European Council issued a declaration189 where it called for the establishment of a Counter-Terrorism Coordinator (CTC). The CTC is a senior office with supporting staff operating within the Council's General Secretariat, that is in charge of coordinating the work of the Council in combating terrorism, monitoring the implementation of the Union's counter-terrorism strategy and also improving communication between the EU and third countries with respect to counter-terrorism matters190. Since 2007, the position has been held by Mr. Gilles de Kerchove, who has taken the position previously held by Mr. Gijs de Vries – who had been appointed as the first CTC two weeks after the Atocha railway station bombings. The CTC issues regular reports on existing EU counter-terrorism legislation, policies and activities; its mandate, however, does not cover the analysis of the legitimacy, or even effectiveness, of such EU activity.
185 Council Decision of 28 February 2002 setting up Eurojust with a view to reinforcing the fight against serious crime, O.J. L 63/1, 6.3.2002.
186 Conclusions of the Presidency, Tampere European Council of 15-16 October 1999, para. 46.
187 Terrorism has been within Europol's remit since 1999. See GREGORY, The EU's response to 9/11: a case study of institutional roles and policy processes with special reference to issues of accountability and human rights, Terrorism and Political Violence, No.17, 2005, pp.113-117.
188 Council Decision 2003/48/JHA on the implementation of specific measures for police and judicial cooperation to combat terrorism, O.J. L16/28, 22.12.2003. See WOUTERS and NAERT, Of Arrest Warrants, pp. 742-743; BURES, Intelligence sharing and the fight against terrorism in the EU: lessons learned from Europol, European View, No. 15, 2015, pp. 58-60.
189 European Council declaration on combating terrorism, 25 March 2004.
190 Source: https://www.consilium.europa.eu/en/policies/fight-against-terrorism/counter-terrorismcoordinator/
3. Judicial review of European counter-terrorism measures: the role of the Court of Justice of the European Union.
Peers wrote that “anti-terrorist legislation inevitably raises concerns about adequate protection for human rights and civil liberties” 191. With respect to EU-originated counter-terrorism measures, these concerns have been addressed primarily by the Court of Justice. Although the overall number of cases in which the Court has actually annulled EU legislation on human rights grounds is relatively low, the area where the Court is most active, on this account, is precisely the counter-terrorism domain 192. The majority of actions lodged before the Court of Justice concern complaints against restrictive measures against natural and legal persons; more recent decisions, instead, have struck down EU legislation regarding general surveillance mechanisms enacted for counter-terrorism purposes.
This latter jurisprudence will be discussed extensively throughout the next chapter; in the following paragraph, attention will be reserved to the former line of seminal cases. It must be pointed out, however, that a detailed analysis of the overall European jurisprudence involving counter-terrorism measures and their chilling effects on fundamental rights would require much more attention, and therefore exceeds the scope of this dissertation. Here, the focus will lie exclusively on the role that justices in Luxembourg have had in shaping EU counter-terrorism action. It must be mentioned, however, that the case law of the European Court of Human Rights, on the matter, is also particularly florid193.
191 PEERS, EU Responses to Terrorism, p. 235. More in general, concerning the relationship between human rights and terrorism, see DOSWALD-BECK, Human Rights in times of conflict and terrorism, Oxford University Press, New York, 2011.
192 CRAIG and DE BÚRCA, EU Law: Texts, cases, materials, Oxford University Press, New York, 2011, pp. 372-373.
193 For a punctual analysis of the most important cases brought before the ECtHR concerning terrorism and the contracting parties' counter-terrorism responses, see SALINAS DE FRÍAS, Counter-terrorism and human rights in the case law of the European Court of Human Rights, Council of Europe Publishing, November 2012, pp. 163-434.
3.1 The competence of the Court of Justice in counter-terrorism legislation.
The judicial review of counter-terrorism measures touches on two aspects. The first is the degree to which human rights are protected in the EU; the second is the degree to which the Court may review legislation enacted in the AFSJ or in the second pillar. The judicial review of counter-terrorism measures sits at the crossroads of these two areas of evolving competence of the Court of Justice and is on the way of becoming an independent strain of CJEU jurisprudence.
It has been pointed out that, unlike longer-standing national judiciaries, the Court of Justice was placed in the “invidious position of having to develop its counter-terrorism jurisprudence after 11 September 2001: 'the mother of all events'” 194; moreover, if compared to the ECtHR, the Court of Justice has a more complicated role as it was given the task “of creating jurisprudence for a supranational legal system without being in a position to directly address all questions of law or fact in all cases” 195. As explained above, in fact, EU counter-terrorism legislation has largely developed in the second and third pillar and, in particular, in the Area of Freedom, Justice and Security (AFSJ); areas which, at least until the changes brought by the Treaty of Lisbon, have been largely impenetrable for the Court of Justice. Before then, in fact, the jurisdiction of the Court of Justice was limited in all areas belonging to the AFSJ: to a lesser extent in those which had already been communitarized after the Treaty of Amsterdam, to a greater extent in police and judicial cooperation in criminal matters196. The entry into force of the Lisbon Treaty has instead determined that the entire array of powers granted to the Court of Justice under the Community method was extended to all areas falling under the AFSJ; moreover, the transitional period envisioned by the Treaty of Lisbon, by which (the former) art. 35 TEU, encompassing and thus limiting the competences of the Court in judicial and police cooperation in criminal matters, would continue to apply for a period of five years to acts adopted before 1 December 2009, expired on 30 November 2014. This means that the Court now enjoys full jurisdiction over all EU acts, irrespective of their date of adoption. 
The Court now has jurisdiction over: actions for the annulment of EU acts adopted within the AFSJ framework; individual actions for damages against the Council; infringement procedures brought by the Commission or other Member States against a Member State that fails to implement AFSJ legislation; and, finally, it may issue preliminary rulings without any restriction. The only remaining limitation of the Court's power is found in art. 276 TFEU, by which the Court “has no jurisdiction to review the validity or proportionality of operations carried out by the police or other law-enforcement services of a Member State or the exercise of the responsibilities incumbent upon Member States with regard to the maintenance of law and order and the safeguarding of internal security”.
194 MURPHY, Counter-terrorism and Judicial Review: the challenge for the court of justice of the European Union, in DAVID and DE LONDRAS, Critical Debates on Counter-terrorism Judicial Review, Cambridge University Press, 2016, p. 286.
195 MURPHY, Counter-terrorism and Judicial Review, p. 288.
196 See LENAERTS, The contribution of the European Court of Justice to the Area of Freedom, Security and Justice, International and Comparative Law Quarterly, Vol. 59, No. 2, April 2010, pp. 255-301. Under the rules in place before the Treaty of Lisbon, procedural limitations existed for the sectors of the AFSJ governed by Title VI TEU, as well as those governed by Title IV TEC. Concerning the former, in particular, the jurisdiction of the Court of Justice was established by art. 35 TEU, pursuant to which: the only remedy against Union acts was the action for annulment; infringement proceedings against Member States were not contemplated; and the power to deliver preliminary rulings was significantly restricted.
To some scholars, however, this must be considered a serious limitation, in consideration of the fact that many acts of police, and possibly prosecutors, may potentially meet the criteria set by art. 276 TFEU 197. The second pillar, instead, remains – in the Lisbon Treaty as well – an area beyond the competences of the Court. Art. 275 TFEU, however, provides two exceptions: firstly, the Court of Justice “has jurisdiction to monitor compliance with art. 40 TEU”, which prevents the Institutions from resorting to second pillar (i.e. intergovernmental) procedures in areas assigned to the Union's competence ex art. 3 and 6 TFEU where the Treaties require the legislative, or other non-intergovernmental, procedure; moreover, the Court “may rule on proceedings […] reviewing the legality of decisions providing for restrictive measures against natural or legal persons adopted by the Council on the basis of Chapter 2 of Title V TEU”, a provision which essentially empowers the Court to review targeted sanctions adopted by the EU pursuant to art. 215 TFEU198.
Alongside a full extension of its jurisdiction to the former third pillar, and an acquisition of small – yet significant, for the purposes of a check on counter-terrorism measures – competences over CFSP matters, the Court of Justice has also contributed to the development of a higher human rights standard in EU legislation in general, and in police and judicial cooperation in criminal matters in particular. It is worth recalling that as early as 1974 199 the Court had stated that, in the event of a conflict, general principles of law would take precedence over specific Community measures. The Treaty of Lisbon, however, has endowed the Union with a stronger institutional framework for the protection of human rights200. Most importantly, perhaps, pursuant to art. 6(1) TEU the Charter of Fundamental Rights, essentially the EU's own Bill of Rights, was granted the same binding legal value as the Treaties: therefore, the Court's mandate ex art. 19(1) TEU to ensure that the law is observed in the interpretation and application of the Treaties includes ensuring observation of the rights and freedoms enshrined in the Charter. Concerning counter-terrorism measures in particular, the attitude of the Court of Justice has evolved from an initially deferential position towards the executive and legislative measures enacted following 9/11, to a more confident stance in defense of fundamental rights201.
197 RIJKEN, Re-balancing security and justice: protection of fundamental rights in police and judicial cooperation in criminal matters, 47 Common Market Law Review 2010, p. 1455.
198 Despite the presence of a first-pillar legal base for targeted sanctions (art. 75 TFEU), all current EU operated sanctions, whether independent or of UN origin, are adopted on the basis of art. 215 TFEU. ECKES, EU Restrictive measures, p. 880.
199 Case 4/73, Nold KG v. Commission, judgment of 14 May 1974.
3.2 Judicial review of EU restrictive measures.
A first line of cases involves controversies concerning the Court's role in granting judicial protection to individuals who had been subjected to EU restrictive measures pursuant to Common Position 2001/931/CFSP. As explained above, although said common position implemented UNSC Resolution 1373 (2001) against terrorist financing, it was nonetheless a measure completely within the remit of the EU as the individuals to be listed were entirely decided at the European level202 – differently, therefore, from the measures adopted against the Talibans and associates of Usama bin Laden 203. In two early cases, Segi 204 and Gestoras pro-amnistía 205, the applicants sought reimbursement by the Council for the alleged damage suffered because of their inclusion in the list provided by Common Position 2001/931 by, inter alia, claiming that their right to effective judicial protection under art. 6(2) TEU had been violated.
200 On the structure and competences of the Court of Justice, see BARENTS, The Court of Justice after the Treaty of Lisbon, 47 Common Market Law Review 2010, pp. 709-728.
201 FABBRINI divides the Court's approach to post-9/11 counter-terrorism measures into three phases: in the beginning it held a deferential approach towards the executive, with minimal judicial review; it then passed to an intermediate phase, where it began to scrutinize the enacted measures more attentively; finally, in a last phase, it reacquired its role as protector of the rule of law. FABBRINI, The role of the judiciary in times of emergency: judicial review of counter-terrorism measures in the United States Supreme Court and the European Court of Justice, Yearbook of European Law, Vol. 28, 2010, pp. 664-697.
202 Acts by the Council are generally adopted upon proposals by Member States.
203 See infra, para 3.3.
204 Court of First Instance, case T-338/02, Segi, Araitz Zubimendi Izaga and Aritza Galarraga v. Council of the European Union, order of 7 June 2004; followed by the appeal before the ECJ, case C-355/04 P, Segi, Araitz Zubimendi Izaga and Aritza Galarraga v. Council of the European Union, judgment of 27 February 2007.
205 Court of First Instance, case T-333/02, Gestoras pro-amnistía and others v. Council, report not published; followed by the appeal before the ECJ, case C-354/04 P, Gestoras Pro Amnistía, Juan Mari Olano Olano and Julen Zelarain Errasti v Council of the European Union, judgment of 27 February 2007.
The Court of First Instance rejected their claim, and the decision was also subsequently upheld by the ECJ on the grounds that the Court did not have jurisdiction over the claimants' application for damages, neither under art. 35 TEU nor under art. 41 TEU 206. According to the Court, in fact, its powers concerning third-pillar issues207 as listed in art. 46 TEU were to be considered exhaustive; art.
35 TEU, moreover, “confers no jurisdiction on the Court of Justice to entertain any action for damages whatsoever”208. Concerning judicial protection, instead, the Court acknowledged that “the treaties have established a system of legal remedies in which, by virtue of art. 35 TEU, the jurisdiction of the Court is less extensive under Title VI […] than it is under the EC Treaty. It is even less extensive under Title V” 209. However, it also held that “the appellants cannot validly argue that they are deprived of all judicial protection” 210. In fact, although common positions such as the one contested by the applicants, under the Amsterdam Treaty, could not be subject to an action of annulment before the Court because they were not supposed, in their nature, to produce legal effects in relation to third parties, the Court observed that they should nonetheless, despite the strict wording of art. 35(1) TEU, allow for requests for preliminary rulings. The Court went on to state that “the right to make a reference to the Court of Justice for a preliminary ruling must therefore exist in respect of all measures adopted by the Council, whatever their nature or form” 211, thereby including common positions. In Mitsilegas's words, “the Court indicated its willingness to look behind the formal classification of a measure and to provide a mechanism for review for measures affecting the rights of individuals irrespective of such classification – albeit in a decentralized manner, via the preliminary rulings route” 212; this resulting in a balance-striking activity, by the Court, between truthful interpretation of the terms of the Treaties, and the establishment of effective and uniform forms of control of the legality of EU acts213.
206 JOHNSTON, The European Union, the ongoing search for terrorists' assets and a satisfactory legal framework: getting warmer or colder?, The Cambridge Law Journal, Vol. 66, No. 3, November 2007, pp. 523-525.
207 The Court also considered its powers within the third pillar as Common Positions, such as the one contested by the claimants, could be adopted either under the second or under the third pillar.
208 Judgment of the Court, para. 46. See PEERS, Salvation outside the church: judicial protection in the third pillar after the Pupino and Segi judgments, 44 Common Market Law Review 2007, pp. 892-902; MITSILEGAS, EU criminal law, pp. 20-23.
209 Judgment of the Court, para. 50.
210 Judgment of the Court, para. 51.
211 Judgment of the Court, para. 53.
212 MITSILEGAS, EU criminal law, p. 22.
The leading case in this area, however, is the OMPI case214. As with Segi and Gestoras, the case involved an entity (the Organisation des Modjahedines du peuple d'Iran) who had been added by the Council to the list of terrorist groups subject to restrictive measures pursuant to the system set up by Common Position 2001/931/CFSP. In particular, the applicant's name had been added to the terrorist list by means of Common Position 2002/340/CFSP and Council Decision 2002/334/EC; both measures were thereafter repealed and replaced by other measures215, but the claimant's name was regularly maintained in each update of the terrorist list. OMPI thus lodged an action seeking the annulment of the Common Position, and of the implementing Decision as well, in the parts concerning the applicant. The claimant's plea was successful216. The Court of First Instance, in fact, annulled the Council Position implementing the restrictive measures against OMPI217. The Court essentially made a distinction between the designation of an individual under the terrorist list (i.e. adding the individual's name to the list), and the application of the measure to said individual: while the former activity remains free from judicial scrutiny, as it consists in a measure adopted under the second pillar 218, the latter, being enacted through a Regulation, must instead be subject to the rule of law.
In particular, three requirements of due process must be fulfilled for the application of targeted sanctions to be lawful: respect for the individual's right to a fair hearing; the issuing authority's obligation to state the reasons for the application of the measure; the individual's right to judicial protection. The Court then proceeded to an in-depth analysis of all three features219, and found shortcomings in the Council's conduct relating to all three aspects.
213 PEERS, Salvation, p. 897.
214 Case T-228/02, Organisation des Modjahedines du peuple d'Iran v. Council, judgment of 12 December 2006.
215 Initially, for example, by Common Position 2002/462/CFSP, and Council Decision 2002/460/EC.
216 For commentaries of the case, see GUILD, The Uses and Abuses of counter-terrorism policies in Europe: the case of the 'terrorist lists', Journal of Common Market Studies, Vol. 46, No. 1, 2008, pp.173-193; TRIDIMAS and GUTIERREZ FONS, EU Law, international law, and economic sanctions against terrorism: the judiciary in distress?, Fordham International Law Journal, Vol.32, Issue 2, January 2009, pp. 660-730.
217 The Court however refused to consider the request for annulment of the Common Position, as common positions, being acts adopted either under Title V or under Title VI of the post-Amsterdam TEU, went beyond its scope of competence. The judgments in Segi and Gestoras were recalled by the Court in this occasion.
218 And, in fact, the applicant's request for annulment of the Common Position was dismissed.
With respect to the right to a fair hearing, the Court proved to be aware of the jeopardizing implications that a full and extensive recognition of such right to the individual subject to the restrictive measure might have on the purpose for which the measure itself is adopted 220; the right of the targeted individual to a fair hearing, according to the Court, must therefore be read, restrictively, as the right to receive timely notification of the evidence adduced against him, and the right to request immediate re-examination of the initial measure freezing his funds221. Neither, however, had been fulfilled by the Council in the present case. Concerning the obligation to state reasons, the Court held that it could not “accept the position advocated by the Council that the statement of reasons may consist merely of a general, stereotypical formulation”222. Lastly, the Court stressed that “review is all the more imperative because it constitutes the only procedural safeguard ensuring that a fair balance is struck between the need to combat international terrorism and the protection of fundamental rights”223. According to legal scholars, the OMPI judgment was particularly important because it introduced the possibility of a judicial check in an area which traditionally, instead, “seems to have been tarnished by the arbitrary”224.
3.3 Kadi I and Kadi II.
A second line of cases concerns actions against EU legislation implementing UN acts. In these cases, the issue of the violation of fundamental rights by EU measures is intertwined with the more general issue regarding the relationship between the European Union and the international legal order. The most prominent and well known of these controversies 225 are the Kadi cases, generally referred to in the plural as they consist in two separate decisions by the Court of Justice involving the same claimant – Kadi I 226, in 2008, and Kadi II 227, in 2013. In both instances, the final judgment by the ECJ was preceded by decisions by the General Court (formerly CFI)228.
219 Judgment of the Court, paras. 89-174.
220 In the Court's words, “an initial measure freezing funds must, by its very nature, be able to benefit from a surprise effect and to be applied with immediate effect. Such a measure cannot, therefore, be the subject-matter of notification before it is implemented”. Judgment of the Court, para. 128.
221 Judgment of the Court, paras. 129-130.
222 Judgment of the Court, para. 143.
223 Judgment of the Court, para. 155.
224 GUILD, The Uses and Abuses of counter-terrorism policies in Europe, p. 181.
225 See also joined cases C-399/06 P, Faraj Hassan v. Council of the European Union and European Commission, and C-403/06 P, Chafiq Ayadi v. Council of the European Union; and, although the restrictive measures involved are based on different UNSC Resolutions than the Kadi cases, case C-548/09 P, Bank Melli Iran v Council.
Mr. Kadi, a Swedish citizen of Somali origin, Mr. Yusuf, a Saudi businessman, and the Al Barakaat International Foundation, Somalia's largest money transfer system, were all subjected to restrictive measures (targeted sanctions) between October and November 2001, by means of Regulation 467/2001 (precursor of Regulation 881/2002). As explained above, Regulation 467/2001 (as well as the subsequent Regulation 881/2002) was meant to give implementation at the Community level to UNSC Resolutions 1267/1999 and 1333/2000, which mandated Member States to adopt targeted sanctions against individuals associated with the Talibans and Usama bin Laden. The Union had therefore little discretion in implementing said asset-freezing measures, and essentially took action against the persons indicated in the lists updated by the UN229. Mr. Kadi, Mr.
Yusuf and the Al Barakaat Foundation all lodged actions for annulment of the Community measures, arguing that they had suffered an infringement of their fundamental rights – namely, the right to a fair hearing, the right to effective judicial protection, and the right to respect for property. The cases were first brought before the Court of First Instance 230. In a surprisingly deferential ruling, the CFI held that reviewing the contested regulation was beyond its power, as the regulation itself was but a carbon copy of the UNSC Resolution 231. The court thus essentially recognized the primacy of UN law over the Community legal order; furthermore, it equalized, as to their binding nature232, obligations stemming directly from the Charter, and those created 226 227 228 229 230 231 232 Joined cases C-402/05 and C-415/05P, Kadi and Al Barakaat International foundation v. Council and Commission, judgment of 3 September 2008. Joined cases C-584/10P, C-593/10 P and C-595/10 P, European Commission and others v. Yassin Abdullah Kadi, judgment of 18 July 2013. Case T-315/01, Kadi v. Council and Commission, and case T-306/01, Yusuf and Al Barakaat International Foundation v. Council and Commission, judgments of 21 September 2005; Case T-85/09, Yassin Abdullah Kadi v. European Commission, judgment of 30 September 2010. ECKES, Judicial Review of European anti-terrorism measures – the Yusuf and Kadi judgments of the Court of First Instance, European Law Journal, Vol. 14, No. 1, January 2008, pp.75-76. Cases T-315/01 and T-306/01. Judgment of the Court, para. 225: “the resolutions of the Security Council at issue fall, in principle, outside the ambit of the Court's judicial review and […] the Court has no authority to call in question, even indirectly, their lawfulness in the light of the Community law”. 
The CFI recognized, however, that the actual legal bind derived not from the UN Charter directly, but rather from the TEC, so that the EU is only indirectly bound by the obligations stemming from UN 45 by SC Resolutions – as well as by the Sanctions Committee. A full scrutiny of the contested regulation would therefore amount to a review of the SC Resolution which, in the CFI's opinion, was not within the remit of the Court. Rather, the Court could only limit its review to the examination of the regulation's (and thus the resolution's) compliance with jus cogens233, which it found, however, satisfactory. The Court thus ultimately upheld regulation 881/2002234. This decision was strikingly in opposition with previous Court of Justice decisions as, for example, in the Bosphorus235 and Ebony Maritime236 cases, where Regulations implementing a Security Council resolution were nonetheless reviewed against the general principles of Community law, and not passively accepted as emanations of untouchable UN legislation. However, for precisely this reason (i.e. the acknowledgment of the EU's subordination to UN legal order) the Court's stance to assert its jurisdiction to review Security Council resolutions in light of jus cogens was surprising as well, and determined that “the judgment present[ed] a provocative picture of a regional organization at once faithful and subordinate to, yet simultaneously constituting itself as an independent check upon, the powers exercised in the name of the international community under the U.N. Charter”237. In November 2005, the applicants appealed the decision of the CFI to the ECJ. A decision was reached by the Grand Chamber of the ECJ, however, only in September 2008238. The Court overturned the decision of the CFI, acknowledging that the applicant's fundamental rights had indeed been violated, and annulled Regulation 881/2002239. 
However, if the Court's stance in favor of human rights appears to be a significant portion of the ruling, it is not the only aspect dealt with by the Court: the ECJ also – to some, primarily – addressed the issue of the relationship between European and 233 234 235 236 237 238 239 provisions. The Court defines jus cogens as “a body of higher rules of public international law binding on all subjects of international law, including the bodies of the United Nations, and from which no derogation is possible”. Judgment of the Court, para. 226. ECKES, Judicial Review, pp. 82-91. Case C-84/95, Bosphorus Hava Yollari Turizm ve Ticaret AS v. Minister for Transport, Energy and Communication and other, judgment of 30 July 1996. Case C-177/95, Ebony Maritime and Loten Navigation v. Prefetto della Provincia di Brindisi and others, judgment of 27 February 1997. DE BÚRCA, The European Court of Justice and the International Legal Order After Kadi, Harvard International Law Journal, Vol. 51, No. 1, Winter 2010, p. 22. Joined cases C-402/05P and C-415/05P For a commentary of the judgment, see GATTINI, Case Law. Joined cases C-402/05 and C-415/05, 46 Common Market Law Review 2009, pp. 213-239. 46 international legal order, in a manner somewhat departing from its traditional fashion 240. The Court, in fact, took a decisively dualist approach to the issue at hand, separating the international legal order from that of the Community and stating that the EC is “an autonomous legal system which is not to be prejudiced by an international agreement” 241; because of this, “the review by the Court of the validity of any Community measure in the light of fundamental rights must be considered to be expression, in a community based on the rule of law, of a constitutional guarantee stemming from the EC treaty” 242. 
The Court thus concluded that the CFI had erred in law in holding that Regulation 881/2002 was in principle immune from judicial review only because it constituted an implementation of a UNSC Resolution.

Concerning the fundamental rights analysis, the Court found that the applicants' rights to effective judicial protection and to property had been violated. In both instances, the Court found that, in principle, such rights could nonetheless be restricted in light of the valid purpose behind the Community's action – i.e. the fight against terrorism. However, concerning effective judicial protection, the Court observed that Regulation 881/2002 did not provide a mechanism for communicating the evidence acquired against the entity or individual subjected to the restrictive measure, nor the possibility of being heard in advance[243]; concerning the right to property, the Court found that the applicants had been deprived of the opportunity to bring their case before the competent authorities, an essential condition for a lawful restriction of said right[244]. These reasons led the Court to conclude that, although the purpose of the Community action was significant, it was nonetheless furthered in violation of the applicants' fundamental rights of defense and property.

Despite the fact that in the Advocate General's Opinion the issue of the possible infringement of the applicant's human rights should have been “the principal aspect of the case”[245], the degree to which the Court's central interest in the Kadi case was in fact fundamental rights is arguable and highly controversial. Claims have been made that “the Court's scrutiny might have been triggered less by a concern for human rights and more for the autonomy of EU law”[246]. It has been also pointed out that the Court did not address the issue of the hierarchy between economic rights, on one side, and civil and political rights, on the other; and that an argument can be made that the Court “resort[ed] to the hallow language of fundamental rights to widen its own authority”, and that “Mr. Kadi's rights were merely incidental to this titanic struggle between the EC legal order and international law”[247]. Some authors, however, argue that the Court's decision must not be read as exclusively furthering a dualist or pluralist approach in its relation to international law, but rather as an act of “civil disobedience” – or, in other words, as an act intentionally departing from international law with the purpose of protecting fundamental rights of the individual[248].

[240] For an explanation of the Court's strong dualist approach, see DE BÚRCA, The European Court of Justice and the International Legal Order After Kadi, pp. 1-49.
[241] Judgment of the Court, Grand Chamber, para. 316.
[242] Judgment of the Court, Grand Chamber, para. 316.
[243] Judgment of the Court, Grand Chamber, paras. 333-353.
[244] Judgment of the Court, Grand Chamber, paras. 354-371.
[245] Opinion of A.G. Maduro, para. 41.

As anticipated above, the Court ultimately annulled Regulation 881/2002 insofar as it concerned Mr. Kadi and the Al Barakaat Foundation; however, it also held that the effects of the Regulation would be maintained for a maximum of three months after the ruling, in order to give the Council some time to comply with it and remedy the infringements found. In November 2008, after receiving written comments by Mr. Kadi and by the Al Barakaat Foundation, the Commission issued Regulation 1190/2008[249], by which it essentially re-entered their names in the same terrorist list; the Commission, this time, had provided the subjects in question with the summary of the reasons for the relisting, yet not the proof supporting such action. Mr. Kadi thus lodged a new complaint to the General Court[250], leading to the so-called Kadi II trial.
The General Court, this time, heeded the applicant's requests, stating that, again, the rights to effective judicial protection and to property had been violated, and annulled Regulation 1190/2008. In particular, the General Court found that “in spite of the judgment of the Court in Kadi, neither Regulation 881/2002 nor [Regulation 1190/2008] provide for any procedure for communicating to the applicant the evidence on which the decision to freeze his assets was based or for enabling to comment on that evidence”[251]; furthermore, “the mere fact of sending the applicant the summary of reasons cannot reasonably be regarded as satisfying the requirements of a fair hearing and effective judicial protection”[252]. In sum, the Court found, “the applicant's rights of defense have been observed only in the most formal and superficial sense”[253]. Likewise, the Court also found that the conditions set by the ECJ in Kadi for lawful restriction of property rights had not been followed, thus reiterating the violation of the applicant's right to property as well[254].

[246] GRANGER and IRION, The Court of Justice and the Data Retention Directive in Digital Rights Ireland: telling off the EU legislator and teaching a lesson in privacy and data protection, European Law Review, Vol. 39, no. 4, 2014, p. 844, at note 76.
[247] ISIKSEL, Fundamental rights in the EU after Kadi and Al Barakaat, European Law Journal, Vol. 16, No. 5, September 2010, p. 560.
[248] ISIKSEL, Fundamental rights, pp. 551-577.
[249] Commission Regulation 1190/2008 of 28 November 2008 amending for the 101st time Council Regulation No. 881/2002, O.J. L 322/25, 2.12.2008.
[250] Case T-85/09, Yassin Abdullah Kadi v. European Commission, judgment of 30 September 2010.
[251] Judgment of the General Court, para. 156.

Upon annulment of the Regulation, the Commission, the Council and the UK appealed the decision before the ECJ: the cases were joined and treated together[255].
The decision, which was handed down on 18 July 2013, was preceded by an interesting Opinion delivered by Advocate General Bot on 19 March 2013[256]. Advocate General Bot reiterated that the ECJ should not alter its refusal, set out in Kadi, to afford EU acts giving effect to restrictive measures at the international level immunity from jurisdiction[257]. However, Advocate General Bot did stress that the extent and intensity of the review conducted by the European judiciary should indeed be reconsidered: in his view, the Court's review should be limited. Limited review, he points out, is different from no review: in his opinion, the General Court in Kadi II erred in law when it essentially compared the absence of judicial review to the existence of a review of lesser intensity. What the ECJ meant by “in principle full review” in Kadi, in fact, should not be referred to the intensity of the review which the Court may conduct on EU acts, but rather should be interpreted as emphasizing that judicial review extends to all acts, either adopted pursuant to a rule of international law, or completely domestic[258]. In the view of Advocate General Bot, “the specific context of the contested regulation”, meaning its counter-terrorism nature, “justifies the aspects relating to the external lawfulness of the regulation being subject to a normal review”; the aspects relating to the internal lawfulness of the regulation in question, instead, “should be subject of a limited review”[259]: in particular, the limited review standard is substantiated by “ascertaining the existence of a manifest error”[260]. Lastly, turning to the issue of the alleged violation of the appellant's rights, the Advocate General – rather briefly, compared to the lengthy discussion on the nature of the review EU acts should be subject to – found that the General Court had erred in law when acknowledging the existence of the violation of the claimant's rights of defense, effective judicial protection, and property[261]. Advocate General Bot concluded suggesting that the ECJ set aside the General Court's decision, and therefore dismiss Mr. Kadi's action.

[252] Judgment of the General Court, para. 157.
[253] Judgment of the General Court, para. 171.
[254] Judgment of the General Court, paras. 192-195.
[255] Joined cases C-584/10 P, C-593/10 P, and C-595/10 P, European Commission and others v. Yassin Abdullah Kadi, judgment of the Court of 18 July 2013.
[256] For a commentary, see GRADONI, Raccontare “Kadi” dopo “Kadi II”: perché la Corte di Giustizia dell'Unione Europea non transige sul rispetto dei diritti umani nella lotta al terrorismo, Diritti Umani e Diritto Internazionale, Vol. 7, No. 3, 2013, pp. 607-609.
[257] Opinion of Advocate General Bot delivered on 19 March 2013 in joined cases C-584/10 P, C-593/10 P, and C-595/10, para. 46.
[258] Opinion of Advocate General Bot, paras. 53-90.
[259] Opinion of Advocate General Bot, para. 95.

In its judgment rendered in July 2013[262], however, the ECJ did not follow the conclusions of the Advocate General[263]. First of all, the Court stated that the review to which EU acts are subject must be full, and not limited, and that it is up to the Courts of the European Union to ensure that a restrictive measure which affects a person individually “is taken on a sufficiently solid factual basis”, which entails “a verification of the factual allegations in the summary of reasons underpinning that decision”, with the consequence that “judicial review cannot be restricted to an assessment of the cogency in the abstract of the reasons relied on, but must concern whether those reasons […] are substantiated”[264].
According to the Court, such a review “is all the more essential” since, despite the improvements in the UN targeted sanctions architecture (namely, the introduction of a delisting procedure and an ex officio re-examination at UN level), the targeted individual still does not have the guarantee of an effective judicial protection[265]. The Court thus essentially furthered its very own version of the Solange doctrine[266]: as long as effective judicial protection cannot be guaranteed at the UN level, it will be up to the Court of Justice of the European Union to verify its respect. Secondly, the Court maintained that the applicant's rights to judicial protection, defense, and property had been violated in the case at hand. The ECJ thus confirmed the General Court's ruling annulling Regulation 1190/2008, dismissing the appeals by the Commission, the Council, and the UK. The Kadi ordeal, although questioning the EU's ability to be a “good international citizen”[267], nonetheless confirmed and even pushed forward the Court's tendency to strenuously defend human rights irrespective of the provenance of the act determining the violation.

[260] Opinion of Advocate General Bot, paras. 105-110.
[261] Opinion of Advocate General Bot, paras. 111-123.
[262] Joined cases C-584/10 P, C-593/10 P, and C-595/10.
[263] See SAVINO, Kadi II, ultimo atto: un modello globale per la prevenzione amministrativa?, Giornale di diritto amministrativo, Vol. 11, 2013, pp. 1052-1059.
[264] Judgment of the Court, para. 119.
[265] Judgment of the Court, para. 133.
[266] SAVINO, Kadi II, ultimo atto, pp. 1055-1056; GRADONI, Raccontare “Kadi” dopo “Kadi II”, p. 590. On Solange, see infra, Chapter II, para. 3.4.2.

3.4 Beyond privacy and due process.

The cases mentioned above revolve around only a limited number of rights infringed upon in the name of counter-terrorism: namely, property and procedural rights.
EU counter-terrorism legislation, however, has raised concerns among scholars for the negative effects it might carry on other fundamental rights. Murphy, for example, while commenting on the offense of incitement or provocation for terrorism[268], argues that “the provocation offense is arguably the most dangerous of all the terrorism-related and inchoate offenses, setting boundaries on acceptable speech in Europe and raising the possibility of genuine political debate being outlawed as terrorist”[269]. EU counter-terrorism legislation, therefore, may also impinge on the right to free speech. While the Court of Justice has not yet had the chance to address the issue, the European Court of Human Rights has instead already laid down the legal foundation for a possible limitation of free speech in the name of counter-terrorism[270].

Yet another aspect of EU counter-terrorism legislation which may clash with the protection of fundamental rights is the broad definition of “terrorist group” laid down by Framework Decision 2002/475/JHA[271]. In particular, it is argued that the wording of the law allows no distinction between groups that engage in direct action against a democratic State, and those who instead engage in similar activities inside the European Union to overthrow totalitarian States overseas: there is no explicit exemption clause, in fact, for domestic protesters exercising political rights to freedom of association[272].

[267] Sic DE BÚRCA, The European Court of Justice and the International Legal Order After Kadi, p. 40.
[268] Art. 3(1)(a), Framework Decision 2002/475/JHA.
[269] MURPHY, EU Counter-terrorism Law, p. 71.
[270] ECtHR, Leroy v. France, application no. 36109/03, final judgment of 6 April 2009, where the prosecution of a cartoonist who had glorified the attack of September 11th with a vignette on a newspaper was not considered a violation of free speech. In particular, the Court held that “even if every caution must be adopted when dealing with freedom of expression and incitement to terrorism […] the author of the cartoon approved violence carried out against thousand of civilians and offended the memory of the victims [...]”. SALINAS DE FRÍAS points out that for the first time freedom of expression was linked by the Court to the protection of victims of terrorism. SALINAS DE FRÍAS, Counter-terrorism and human rights, p. 140 at note 48.
[271] Art. 2, FDCT.
[272] MURPHY, EU Counter-terrorism Law, pp. 62-64.

On a final note, it is also worth mentioning the recent position held by the ECJ in H.T. v. Land Baden-Württemberg[273], involving the request for a preliminary ruling on the interpretation of art. 24 of Directive 2004/83/EC on minimum standards for the qualification and status of third-country nationals or stateless persons as refugees. Art. 24(2), in particular, governs the issuing or renewal of the residence permit, which can be denied in the presence of “compelling reasons of national security or public order”; the travaux of the Directive reveal that this provision was proposed by Germany following the events of 9/11 and, thus, with a counter-terrorism view – in order to prevent third country citizens from traveling freely within the Schengen area[274]. Among other issues, the Court was called upon to answer the question concerning whether the expression “compelling reasons of national security or public order” includes the circumstance where a beneficiary of a refugee status has supported an organization recognized as being a terrorist group[275].
The Court found that, while in general the support provided by a refugee to an organization engaging in terrorist activities (in the case at hand, the PKK) constitutes a valid reason for the revocation of the residence permit, it is however still necessary to verify, on a case by case basis, whether the acts of the organization in question can actually endanger national security or public order, and the role actually played by the individual in question in their perpetration[276]. The Court thus rejected the idea of an automatism between the support to an organization labeled as terrorist, by inclusion in the list established through Common Position 2001/931/CFSP, and revocation of the residence permit.

[273] Case C-373/13, judgment of 24 June 2015.
[274] BIONDI DAL MONTE, Terrorismo, ordine pubblico e sicurezza nazionale nell'Unione Europea, Quaderni Costituzionali, Settembre 2015, p. 789.
[275] The case involved a Turkish citizen, Mr. T, who had moved to Germany in 1989, where he had been granted the status of refugee because of his affiliation and political activism with the PKK. Such activities, initially allowed in Germany, were however outlawed in 1993. Criminal proceedings were thus initiated against Mr. T, which eventually led to the issuing of an expulsion order against him. Given that Mr. T was living with his family, however, his expulsion was suspended by the competent authority; his residence permit, though, was revoked. Mr. T filed an appeal to the Verwaltungsgerichtshof Baden-Württemberg, who in turn sought a preliminary ruling before the ECJ.
[276] Judgment of the Court, paras. 82-99.

4. Recent developments in EU counter-terrorism.

One of the main characteristics of European counter-terrorism, as it also appears from the overview provided above, is its shock wave nature: “the dynamics behind EU counterterrorism can be compared to successive shock waves, propelled by major attacks, but gradually winding down once the sense of urgency had faded away”[277].
In other words, scholars generally agree that EU counter-terrorism is mostly event-driven, rather than coherently planned in advance[278]. In the aftermath of terrorist episodes, counter-terrorism is generally the number one policy priority; as time passes and the sense of urgency wanes, counter-terrorism generally loses ground. In particular, between 2005 and 2015 Europe experienced a period of relative peace from terrorist attacks on its soil; this coincided with, as CTC de Kerchove stated, a sense of “CT fatigue”[279]. A paper published in late 2014, containing an overall evaluation of the EU's response to terrorism, points out that although “the European Union has accomplished a surprising amount in the past decade”, the area of counter-terrorism is still “not a clearly defined area in its broadest and fullest sense”[280].

This trend, however, is being inverted once again. The number of terrorist attacks has increased dramatically in Europe in the years 2015 and 2016. In a span of less than 48 months, 270 people have been killed in eight major incidents – a number higher than that resulting from the 2004 and 2005 attacks on Madrid and London combined, in what arguably constituted the last period of critical terrorist emergency before the present one. Europe is thus facing a renewed threat which, again, will inevitably affect its policies and legislation, and thus perhaps open new scenarios for European integration. For the first time, for example, a request for assistance pursuant to art. 42(7) TEU[281] was filed by a Member State (France).

What has changed, in particular, is the nature of the terrorist threat[282]. This is due to a number of social and technological factors that will not be addressed in this dissertation. However, the EU has been – and will be – forced to modulate its response to terrorism based on the evolving nature of the terrorist threat. The following paragraph will try to outline the main directions contemporary EU counter-terrorism is headed towards. Again, what emerges with great clarity is, despite the improvements, the persistent lack of a structural and comprehensive design behind the EU's response to terrorism.

[277] COOLSAET, EU counterterrorism strategy: value added or chimera?, International Affairs, Vol. 86, Issue 4, 2010, p. 858.
[278] See MONAR, Common Threat and Common Response?, pp. 292-299.
[279] Note by the EU Counter-terrorism Coordinator to the Council, 15359/09/REV, 26.11.2009, cited by COOLSAET, EU counterterrorism strategy, p. 861, note 12.
[280] ARGOMANIZ, BURES, and KAUNERT, A decade of EU counter-terrorism, pp. 192-197.
[281] Pursuant to art. 42(7) TEU, “[i]f a Member State is the victim of armed aggression on its territory, the other Member States shall have towards it an obligation of aid and assistance by all the means in their power [...]”.
[282] GALLI, Terrorism, in MITSILEGAS, BERGSTRÖM and KONSTADINIDES, Research Handbook on EU Criminal Law, Edward Elgar publishing, Cheltenham (UK), 2016, p. 401.

4.1. Directive on combating terrorism.

In the aftermath of the Paris attacks of 13 November 2015, the JHA Council in extraordinary session adopted Conclusions on Counter-terrorism[283] in which it welcomed “the intention of the Commission to present a proposal for a directive updating the FDCT before the end of 2015”[284]. The proposal was indeed presented on 2 December 2015[285]. The purpose of this proposed amendment is to update the FDCT in order to implement the obligations arising from the UN Security Council Resolution 2178(2014)[286], the 2015 Additional Protocol to the Council of Europe Convention on the prevention of terrorism, and the updated Financial Action Task Force Recommendations[287]. The main purpose of these measures, in turn, is to counter the phenomenon commonly known as “foreign terrorist fighters” (FTFs), i.e. individuals who travel abroad to countries such as Syria and Iraq for the purposes of fighting or training with terrorist groups in conflict zones, and in some cases also return to Europe[288].

The Commission's proposal entails an extensive revision of the entire FDCT, laid out in the Explanatory Memorandum accompanying the legal text. The new legal framework will take the form of a Directive, pursuant to article 83(1) TFEU, which will incorporate all of the provisions of the FDCT, albeit repositioned in a different and more structured manner, with the addition of three new offenses: receiving of training for terrorist purposes; traveling abroad for terrorism; organizing or otherwise facilitating traveling abroad for terrorism[289]. With respect to the first offense, the Explanatory Memorandum points out that “the participation in otherwise lawful activities, such as taking a chemistry course at university, taking flying lessons or receiving military training provided by a State, may also be considered as unlawfully committing the offense” where a terrorist intent by the perpetrator can be proven. In the same way, the subjective element is of paramount importance in the second new offense as well – it needs to be demonstrated that “the intended purpose of that travel is to commit, contribute to or to participate in terrorist offenses”. The last offense to be introduced anew outlaws conduct intended to provide practical support or assistance to those who travel abroad for terrorist purposes.

Moreover, the directive devotes a separate article[290] to “terrorist financing”, currently confined in article 2(2)(b) FDCT as a specification of the broader conduct of participating in the activities of a terrorist group. The new provision requires Member States to criminalize any form of funding used to commit terrorist offenses, offenses related to terrorist groups or terrorist activities; it does not require that the offense is actually committed, nor that a precise link is established to a specific terrorist offense. Lastly, an entire title[291] is dedicated to the protection, support and rights of victims of terrorism.

The Commission proposal has been subject to modification both by the Council and by the Parliament, who have issued their positions concerning the Directive in, respectively, March and July 2016, thus paving the way for the opening of the trilogue negotiations with the aim of the adoption of the Directive[292].

[283] Conclusions of the Council of the EU and of the Member States meeting within the Council on Counter-Terrorism, 20 November 2015, 14406/15.
[284] Conclusions of the Council, p. 7.
[285] European Commission proposal for a directive of the European Parliament and of the Council on combating terrorism and replacing Council Framework Decision 2002/475/JHA on combating terrorism, 2 December 2015, COM(2015) 625 final.
[286] The aim of the UN, in issuing Resolution 2178, was to specifically address the risk posed by foreign fighters upon return to their home country. See DE CAPITANI, 'Foreign fighters' and EU implementation of the UNSC resolution 2178. Another case of 'legislate in haste, repent at leisure...'?, FREE Group, 6 April 2015, available at https://free-group.eu/2015/04/06/foreign-fighters-and-eu-implementation-of-theunsc-resolution-2178-another-case-of-legislate-in-haste-repent-at-leisure-1/
[287] Additional Protocol to the Council of Europe Convention on the Prevention of Terrorism, signed at Riga on 22 October 2015. The Additional Protocol supplemented the provisions of the Convention on the Prevention of Terrorism by adding the following terrorist offenses: participating in an association or group for the purposes of terrorism (art. 2); receiving training for terrorism (art. 3); traveling abroad for the purpose of terrorism (art. 4); funding traveling abroad for the purposes of terrorism (art. 5); organizing or otherwise facilitating traveling abroad for the purposes of terrorism (art. 6).
[288] A report by the ICCT (International Centre for Counter Terrorism) published in April 2016 found that around 30% of foreign fighters from EU Member States return to their home countries.
[289] Artt. 8, 9, and 10 respectively.
[290] Art. 11.
[291] Title V, artt. 22-23.
[292] See VORONOVA, Combating Terrorism, European Parliament Research Service Briefing, PE 586.628, July 2016.

4.2. Fifth anti-money laundering directive

Although a new anti-money laundering package, comprising a Regulation and a Directive, was adopted in May 2015[293], the Commission has nonetheless tabled a proposal to amend the existing legislation[294]. The proposal was adopted in observance of the conclusions of the European Council of December 2015, which urged the Council and the Commission to “take rapidly further action against terrorist finance”[295]. According to the Commission, the proposed Directive will, inter alia, address possible threats linked to the use of new technologies in financial transactions, and strengthen and harmonize checks on financial flows from high-risk third countries; more powers will be granted to national Financial Intelligence Units as well, and cooperation among them will be improved.

4.3. Surveillance and border control.

Yet another area of intervention, directly linked to the attacks that occurred in Europe between 2015 and 2016, is that of enhanced surveillance, information sharing, and border control. This response in particular is perhaps the most controversial, as it raises concerns with respect to its compatibility with one of the cardinal principles of the EU – free movement[296].
In December 2015 the Commission presented a proposal for a Regulation on the reinforcement of checks against relevant databases at external borders, following the JHA Council's call for “a targeted revision of the Schengen Border Code to provide for systematic controls of EU nationals, including the verification of biometric information, against relevant databases at external borders of the Schengen area”. The Council issued its position in February 2016, stating that “reaching an agreement on this proposal is a matter of absolute priority”297. The proposal will, essentially, oblige Member States to carry out systematic checks, against databases on lost and stolen documents, on all persons (including those enjoying the right to free movement under EU law) when they cross the external border of the Union.

293 Regulation 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation 1781/2006, O.J. L 141/1 of 5.6.2015; Directive 2015/849 of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation 648/2012 and repealing Directive 2005/60 and Directive 2006/70 (so-called “fourth money laundering Directive”), O.J. L 141/73, 5.6.2015.
294 Commission proposal for a Directive of the European Parliament and of the Council amending Directive 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, COM (2016) 450 final, 5 July 2016.
295 Conclusions of the European Council of 17 and 18 December 2015, EUCO 28/15, p. 4, para. 10.
296 See BIGO, CARRERA, GUILD, et al., The EU and its Counter-terrorism policies after the Paris attacks, CEPS Paper in Liberty and Security, No.84, November 2015.
297 Council of the European Union, interinstitutional file 2015/0307 (COD), 24 February 2016.
This measure is in line with the conclusions of the European Council of December 2015, which stressed “the urgency of enhancing relevant information sharing” and called for the strengthening of existing databases, such as SIS II and ECRIS298. Most recently, one of the longest-awaited acts of the EU in the field of data collection and information sharing – an EU PNR Directive establishing an autonomous European PNR system – was adopted in April 2016299. Surveillance, in general, is a recurring topic in the most recent EU counter-terrorism policies. A critical assessment of the existing surveillance techniques – in particular, those relying on the use of personal data of individuals – will be conducted in the next chapter.

298 Conclusions of the European Council of 17 and 18 December 2015, EUCO 28/15, p. 3, para. 5.
299 See infra, Chapter II, para. 4.1.4.

Chapter II

PERSONAL DATA IN EU COUNTER-TERRORISM

SUMMARY: 1. Privacy, data protection and preemptive counter-terrorism. – 2. Data Protection in the EU. – 3. The use of telecommunication data in counter-terrorism: Directive 2006/24/EC. – 4. Other measures involving use of personal data.

1. Privacy, data protection, and preemptive counter-terrorism.

The collection and exchange of information has always been considered a key factor in the fight against terrorism300, even more so after the most recent attacks in Madrid and London301, first, and Paris and Brussels, after. In particular, the use of personal data as a counter-terrorism tool is increasingly important. According to some scholars, instruments that facilitate the storage, exchange and access to personal information are the major contribution of the EU to security in general 302.
However, the problem with counterterrorism measures involving the use of personal data is that they often affect not only individuals suspected of or wanted for being terrorists, but everyone else as well – to such an extent that expressions such as global surveillance, mass surveillance, or dataveillance are commonplace in the political and legal debate; not to mention ominous references to Orwell and Big Brother.

300 See, for example, 1994 UN Declaration on measures to eliminate international terrorism: “in order to combat effectively the increase in, and the growing international character and effects of, acts of terrorism, States should enhance their cooperation in this area through, in particular, systematizing the exchange of information concerning the prevention and combating of terrorism [...]”.
301 See Council Decision 2005/671/JHA of 20 September 2005 on the exchange of information and cooperation concerning terrorist offences. OJ L 253, 29.09.2004, pp. 22-24.
302 HIJMANS and SCIROCCO, Shortcomings in EU data protection in the third and the second pillars. Can the Lisbon treaty be expected to help? 46 Common Market Law Review 2009, p. 1524.

In the background of these discussions, in fact – or in the forefront, depending on the point of view –, stand the rights to privacy and data protection. In the last years, the European Union has increased its commitment towards the protection of these rights. The mere fact that they have been (and are) consistently treated as fundamental rights should not be taken for granted: in the American legal context, privacy is not assigned such a high status. The year the present work is being written (2016) is proving to be particularly important for the privacy and data protection discourse 303. A new comprehensive European data protection package, consisting of a Regulation and a Directive, has been adopted.
The EU-US Privacy Shield was enacted in February, after the CJEU declared the preceding Safe Harbor Privacy Principles invalid. Furthermore, after the recent annulment of the Data Retention Directive by the CJEU, the Commission announced that the e-Privacy Directive is in the process of being amended again. Finally, the long-awaited PNR Directive has seen the light of day, its birth sadly accelerated by the terror strikes in Paris and Brussels. While the impact that counter-terrorism measures involving the use of personal data have on the rights to privacy and data protection is quite obvious, the real question is whether it might be justified in the name of keeping Europe safe(r).

1.1 The rights to privacy and data protection.

Privacy is a complex and multifaceted notion. Whitman states that it is an “unusually slippery concept” which is “embarrassingly difficult to define” 304. Although Warren and Brandeis are often indicated as the first theorisers of the right to privacy 305, that is not entirely accurate with respect to its continental development. Scholarly discussion in France and Germany was already thriving at least a decade before that landmark article 306; the authors themselves cite a French provision of 1868, by which “toute publication dans un écrit périodique relative à un fait de la vie privée constitue une contravention punie d'un amende de cinq cent francs”307.

303 See PROUST, A historic week for EU privacy law, 19 April 2016, available at http://privacylawblog.fieldfisher.com/2016/a-historic-week-for-eu-privacy-law/
304 WHITMAN, The two western cultures of privacy: dignity versus liberty, The Yale Law Journal, Vol.113, No. 6, April 2004, p. 1153.
305 WARREN and BRANDEIS, The right to privacy, Harvard Law Review, Vol. 4, No. 5, 1890, pp.193-220.
306 WHITMAN, The two western cultures of privacy, p.1205.
In fact, it is not entirely clear where the notion of privacy came from: it is not a traditional constitutional right, nor one that was typically demanded by 18th century revolutions308. On an international level, the first trace of a right to privacy lies in the Universal Declaration of Human Rights, whose article 12 states that “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence [...]”. This wording is almost exactly reproduced in article 17 of the International Covenant on Civil and Political Rights 309, the first UN treaty to bind Member States to the respect of the privacy of the individual. In Europe, the leading role in the safeguarding of the right to privacy was held by the Council of Europe, through article 8 of the ECHR310. According to Clapham, contemporary privacy comprises at least five distinct aspects. First, privacy is the space where personalities may develop free from external control or intrusion: this dimension has been particularly important in the American evolution of privacy311. Second, it safeguards mental and physical well-being. Third, it warrants freedom from unwanted observation. Fourth, it protects the individual's communications with others from third parties. Finally, and most importantly for the purposes of this study, it quenches the desire to restrict circulation of information and images about the individual312. The concept of data protection emerged only in the 1980s as a consequence of the evolution of information and communication technologies (ICTs)313. Although some scholars refer to data protection as an extension of the right to privacy, namely under the label of “information privacy” 314, the predominant opinion argues that data protection and privacy are closely related but are not, in fact, identical 315.

307 WARREN and BRANDEIS, The right to privacy, p. 214.
308 CLAPHAM, Human rights. A very short introduction, 2007, Oxford university press, New York, p. 109.
309 International Covenant on Civil and Political Rights, 1966, art. 17: “No one shall be subjected to arbitrary or unlawful interference with his privacy, home or correspondence […]”.
310 Council of Europe, European Convention on Human Rights, 1950, art. 8(1): “Everyone has the right to respect for his private and family life, his home and his correspondence”.
311 The leading cases are Griswold v. Connecticut, 381 U.S. 479 (1965), Roe v. Wade, 410 U.S. 113 (1973), and Lawrence v. Texas, 539 U.S. 558 (2003), which determined that issues such as, respectively, contraceptives, abortion and homosexuality be considered in light of the individual's right to privacy.
312 CLAPHAM, Human rights, p. 111.
313 NINO, Terrorismo internazionale, privacy e protezione dei dati personali, Editoriale Scientifica, Napoli, 2012. For an overview of ICTs, see SANTOSUOSSO, Diritto, scienze, nuove tecnologie, CEDAM, Padova, 2016.
314 BLUME, Data protection and privacy – basic concepts in a changing world, Scandinavian Studies in Law, Vol.56, 2010, p. 163.

Of course, the legal concept behind the safeguard of personal data stems from the right to privacy, but data protection has in recent years acquired independent legal dignity. In fact, the inability of article 8 ECHR to adequately safeguard the processing of personal data in light of the evolution of ICTs led to the adoption by the Council of Europe of the 1981 Convention for the protection of individuals with regard to automatic processing of personal data, more famously known as Convention 108, which constituted the first international legal instrument specifically aimed at ensuring the right to data protection 316. It was not meant to apply directly to Member States, as it relied on national implementation.
Although it maintained the notion of data protection as an emanation of the right to privacy, at the same time it somewhat severed the necessary link between one and the other, by connecting data protection to 'fundamental rights and freedoms', therein including privacy, but not limited to it 317 – thus laying the ground for the evolution of a concept of data protection possibly even wider than that of privacy 318. One year before Convention 108, the Organization for Economic Cooperation and Development (OECD) had adopted Guidelines on the protection of privacy and trans-border flows of personal data. The formal distinction between the two was finally sanctioned by the explicit recognition of the right to data protection in the context of the Charter of the Fundamental Rights of the EU, first, and in the Treaty on the Functioning of the European Union, after. More specific European legislation followed thereafter: above all, directive 95/46/EC 319. Data protection law in general is comprised of certain basic principles which should always recur regardless of the particular legal source at hand. To begin with, the entities who are in charge of processing such data (“controllers”) are subject to a number of obligations, the extent of which informs the very validity of the data protection scheme elaborated.

315 NINO, Terrorismo internazionale, p. 34; HIJMANS and SCIROCCO, Shortcomings in EU data protection, pp. 1485-1525.
316 NINO, Terrorismo internazionale, p. 67. Convention 108 has been ratified by all 47 Member States of the Council of Europe (most recently by Turkey on 2 May 2016), and also by Mauritius and Uruguay who are non-Member States. Source: http://www.coe.int/it/web/conventions/full-list/-/conventions/treaty/108/signatures
317 Convention 108, art. 1: “The purpose of this convention is to secure […] for every individual […] respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him”.
318 See HUSTINX, Data Protection in the European Union, P&I 2005, p. 62. Mr. Hustinx held the office of European Data Protection Supervisor between 1993 and 2004.
319 See infra, para. 2.

These include, for example, that the data be processed in a lawful manner and for legitimate purposes, and only for the time strictly necessary for the purpose for which the processing is taking place. Next, the individuals whom the data refers to (“data subjects”) are entitled to a series of rights regarding the processing: the right to access, erase, and rectify the data; most recently, the right to be forgotten 320. Finally, the entire processing should take place under the supervision of an independent authority in charge of guaranteeing its lawfulness. Although each data protection statute differs, to some degree, from the other, these key elements constitute the core of modern data protection law.

1.2 Limitations of the rights to privacy and data protection: the “liberty versus security” discourse.

Preemptive counter-terrorism measures can affect many fundamental rights 321. This chapter will focus in particular on the effect that preemptive counter-terrorism measures involving the use of personal data may have on the rights to privacy and data protection. Such measures, as will be explained, all rely on massive or bulk collection of data: that is, data belonging to a more or less large amount of the population (depending on the envisioned system) rather than to specific individuals who have been previously identified.
The underlying question is thus whether government measures involving systems of mass surveillance may find a place within the purview of the rule of law, or are to be considered falling entirely outside the realm of legality. The answer is not a simple one, and thus calls for caution in the assessment of an appropriate answer. Some preliminary points must therefore be taken into consideration. Firstly, one must consider whether systems of mass surveillance infringe on the rights to privacy and data protection. This is, however, an all but obvious feature of mass surveillance programs. Secondly, one must analyze whether the right to privacy in principle allows some degrees of interference. On an international level, all the major covenants or legal texts which expressly recognize the right to privacy also foresee the possibility of a limitation of the right to privacy in certain cases. While art. 4(1) of the ICCPR, for example, permits derogating from the obligations it imposes on Member States “in time of public emergency which threatens the life of the nation”, art. 4(2) simultaneously excludes some provisions from the derogation rule 322; art. 17, establishing the right to privacy, is not among them.

320 Case C-131/12, Google Spain v. Agencia Española de Protección de datos, 13 May 2014.
321 See supra.

The same can be observed in the ECHR: art. 15(1) allows derogation from the Convention “in time of war or other public emergency threatening the life of the nation”, excluding however derogation from the provisions listed in art. 15(2)323. Again, the right to privacy – enshrined in art.8 – is not among the untouchable rights. The ECHR, however, goes even further than the ICCPR. Art. 8(2) ECHR, in fact, specifically concerns the possibility of public authorities interfering with individual privacy.
Such infringements are prohibited unless certain conditions are satisfied: they must be “in accordance with the law”, “necessary in a democratic society”, and undertaken for a valid purpose 324. Any restriction of the right to privacy must therefore, first of all, be based on a national law. The ECtHR has consistently interpreted the expression “in accordance with the law” as requiring not only the purely formal existence of a law, but also the nature and quality of the law itself: the law in question must be accessible to the person concerned and formulated with sufficient precision in line with the seriousness of the interference 325. Secondly, and perhaps most importantly, the limitation must be necessary in a democratic society, and undertaken for a valid purpose. The valid purposes for which restrictions of privacy are warranted are listed in art. 8(2) itself. Whether a restriction is “necessary in a democratic society”, instead, is much more difficult to assess. In fact, while the first prong set by art. 8(2) is of a juridical nature, as it is satisfied by the existence of national law with certain features allowing for an intrusion in the right to privacy, the second is instead purely political. In other words, what is necessary in a democratic society “can not be found in an exegetic reading of the text or in a strict application of logical rules. […] Behind this requirement lies the true constitutional question with regard to law enforcement and privacy. What is 'proportionate' will depend on the circumstances”326.

322 Art. 6, on the right to life; art. 7, on the prohibition of torture; art. 8, on the prohibition of slavery; art. 11, on the prohibition of imprisonment for debts; art.15, on the nullum crimen, nulla poena sine lege principle; art. 16, on the right to recognition as a person; art. 18, on the right to freedom of thought.
323 Art. 2, on the right to life; art. 3, on the prohibition of torture; art. 4(1) on the prohibition of slavery; art. 7, on the nullum crimen, nulla poena sine lege principle.
324 Valid purposes ex art.8(2) ECHR include: a) the interest of national security, public safety or the economic well-being of the country; b) the prevention of disorder or crime; c) the protection of health or morals; d) the protection of the rights and freedoms of others.
325 BREYER, Telecommunications data retention and human rights: the compatibility of blanket traffic data retention with the ECHR, European Law Journal, Vol. 11, No. 3, May 2005, p. 367.

Although the ECtHR has developed a proportionality test, consisting in the fact that the interference in question must respond to a pressing social need and must be proportionate to the legitimate aim pursued327, the Court has also recognized that national authorities enjoy a “margin of appreciation, the scope of which will depend not only on the nature of legitimate aim pursued but also on the particular nature of the interference involved”328; as a consequence, ascertaining what is and what is not a necessary measure in a democratic society is a burden the Court itself often leaves to the single contracting States329. Unlike other fundamental rights, it is therefore accepted that the right to privacy may lawfully suffer restrictions under certain circumstances. National security concerns, thus including counter-terrorism efforts, can be ascribed to those circumstances. In one judgment from the late seventies330, the ECtHR held that, because “democratic societies nowadays find themselves threatened by highly sophisticated forms of espionage and by terrorism”, it had to be accepted that “the existence of some legislation granting powers of secret surveillance over the mail, post and telecommunications is, under exceptional conditions, necessary in a democratic society in the interests of national security and for the prevention of disorder or crime”.
It also recognized, however, the danger such legislation might pose “of undermining or even destroying democracy on the grounds of defending it”. The question is thus not whether privacy may be invaded, but rather how privacy may be invaded in order for the invasion to be legitimate. As noted before, the answer to this question is not simple when referring to national measures. It is even less simple if supranational measures, such as those of EU origin, are taken into consideration. The development of the AFSJ has made it possible for the EU to implement stronger counterterrorism measures involving the use of personal data. The extent to which these measures are justified, in light of the growing importance assigned to privacy and data protection, on one side, and the increased exposure of Europe to terrorist attacks, on the other, has been and will be the object of recent evaluation by the CJEU331.

326 DE HERT, Balancing security and liberty within the European human rights framework. A critical reading of the Court's case law in the light of surveillance and criminal law enforcement strategies after 9/11, Utrecht Law Review, Vol.1, Issue 1, September 2005, p. 80.
327 ECtHR, Leander v Sweden, 26 March 1987, App. No.9248/81, para. 58.
328 ECtHR, Leander v Sweden, 26 March 1987, App. No.9248/81, para. 59.
329 NINO, Terrorismo internazionale, p.63.
330 ECtHR, Klass and others v. Germany, 6 September 1978, App. No. 5029/71.

2. Data protection in the EU

The Treaty of Lisbon can be considered the first major divide in EU data protection legislation. Before 2009, the level of protection accorded to personal information pertaining to individuals varied considerably between the three pillars. Whereas the first pillar enjoyed fairly comprehensive legislation, most importantly through Directive 95/46/EC, the same was not true for the second and third pillars.
In the AFSJ, legislation was introduced piecemeal and with no ambition of realizing an organic framework; in the second pillar, because of its peculiar nature, no provisions on the subject had been passed at all. The entry into force of the Lisbon Treaty brought two essential changes to data protection legislation: first, by placing the Charter of Fundamental Rights on the same level as the treaties, the right to data protection enshrined therein was fully embraced as a basic right inside the Union as well; second, a specific provision on the protection of personal data was introduced – rectius, placed in a more relevant position and thus given more importance – in the TFEU under Title II, concerning “provisions having a general application”. Although this was a signal of the Union's commitment to ensure a homogenous level of protection throughout its areas of competence, it was however not sufficient to override all the shortcomings due to the fragmentary nature of the existing data protection legislation. Shortly after the entry into force of the Lisbon Treaty, in fact, the Commission released a communication where it stressed that the rapid development of technology and globalization called for a comprehensive and coherent approach to the protection of personal data332. This set in motion a law-making process, in which the Commission, the Council and the Parliament all took part, towards the realization of a definitive framework for EU data protection law. The combined institutional effort ultimately resulted in the adoption of a Regulation and a Directive which entered into force in May 2016, and now constitute the core elements of the completely renewed European data protection framework.

331 Case C-293/12, Digital Rights Ireland; case C-362/14, Schrems; Joined cases C-203/15, Tele2 Sverige AB v Post-och telestyrelsen, and C-698/15, Secretary of State for the Home Department v. Watson, Brice, and Lewis.
332 Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of Regions. A comprehensive approach on personal data protection in the European Union, COM(2010) 609 final, 4.4.2010.

2.1 Before the Lisbon Treaty. The pillar divide.

The data protection framework in place before the entry into force of the Treaty of Lisbon was characterized by a high level of fragmentation, due to the structural incapacity of the EU, at that stage, to adequately safeguard the right to protection of personal data in a uniform manner. Personal data may, in fact, be processed for different reasons depending on the area of activity: first-pillar processing takes place essentially for commercial reasons; third-pillar processing, instead, relates to security concerns. While ensuring the individual right to data protection, in the pre-Lisbon framework, was feasible in the context of the first pillar, through the legal instruments set forth by the TEC, the second and third pillar – relying more on cooperation between Member States than integration – did not allow an appropriate development of data protection measures. These deficiencies did not spark great concern, initially, because of the fact that personal data was predominantly exploited for commercial and, thus, first-pillar purposes. After the terrorist attacks of 2001, however, a considerable number of security-related measures involving the use and exchange of personal information were adopted at national and European level – thus highlighting the insufficiency of EU data protection legislation in the areas of judicial cooperation and CFSP.

2.1.1 Data protection in the first pillar. Directive 95/46/EC.

The European Parliament and Council Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data was adopted on 24 October 1995 and took effect three years later, on 25 October 1998.
Its declared purpose was to “protect the fundamental rights and freedoms of natural persons”, as well as “the free flow of personal data between Member States” 333. Article 2 provides a set of definitions of core terms such as “personal data”, “processing of personal data” and “controller”334. Personal data, in particular, is defined as “any information relating to an identified or identifiable natural person ('data subject')”; moreover, the directive in question applies to processing of personal data by public as well as private entities.

333 Art. 1.
334 Art. 2.

The scope of the directive is not limited to the processing of personal data by automatic means, but also extends to processing otherwise than by automatic means, thus covering a wider set of operations than those addressed by Convention 108 335. A vast number of exceptions are however listed in Article 3(2): processing of data that occurs in second and third pillar activities, as well as in any operation – irrespective of the pillar it is formally carried under – concerning public security, defense, State security and the activities of the State in the areas of criminal law, are not governed by the Directive. This provision represented the main limp around which ECJ jurisprudence sought to put a cast, albeit not always successfully, by means of an extensive interpretation of the directive336. Chapter II of the directive contains general rules on the lawfulness of the processing of personal data. It starts by establishing the general principle of “data quality”, which it then articulates in five subcategories337: personal data must be processed fairly and lawfully, and for legitimate purposes; it must be proportional in relation to the purposes it is processed for; it must be accurate and kept up to date; finally, it must not be stored for more than the amount of time necessary for the purposes for which it is being collected.
Personal data which satisfies these requisites may be processed only under certain conditions, namely that the data subject has given his consent or that the processing is necessary for contractual reasons, for compliance with a legal obligation to which the controller is subject, or for the purposes of the interests of the data subject, the public interest or the legitimate interest of a third party. Moreover, the processing of special categories of data338 is prohibited unless special circumstances apply. The Directive also grants the data subject a number of enforceable rights: the right to obtain information from the controller concerning his identity and the purpose of the processing of that data; the right to access the data, therein including confirmation as to whether the data relating to the data subject are indeed being processed, and rectification, erasure or blocking of data the processing of which is not compliant with the Directive; and the right to object to unlawful processing of data.

335 Convention 108, art. 3(1): “The Parties undertake to apply this Convention to automated personal data files and automatic processing of personal data in the public and private sectors.”
336 Joined cases C-465/00, C-138/01, C-139/01, Österreichischer Rundfunk et al., 20 May 2003; Case C-101/01, Bodil Lindqvist, 6 November 2003.
337 See NINO, Terrorismo internazionale, p. 77.
338 Special categories of data are those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life.

In the event of a breach of the obligations arising from the Directive, the data subject has the right to judicial remedy and, if damage occurs, compensation as well. The Directive also generally calls for Member States to lay down sanctions for faulty conduct of the controllers, although it provides for no specific punishment.
Chapter IV of the Directive is of great relevance as well, as it concerns the transfer of personal data to third countries. The basic rule is that the transfer shall be allowed “only if the third country in question ensures an adequate level of protection”. To some339, this represented the Commission's attempt to extend the reach of the Directive on a global scale, given that the adequacy prong was not further specified and its assessment rested on a somewhat discretionary evaluation by Member States and the Commission 340. Lastly, the Directive called for Member States to establish independent public supervisory authorities responsible for monitoring the application of the provisions adopted pursuant to the Directive; and also set up a Working Party on the Protection of Individuals with regard to the processing of personal data, comprised of representatives from the supervisory authorities from each Member State. The duties of the Article 29 Working Party, as it is commonly referred to, include issuing opinions and recommendations, giving advice, and drawing up reports on the level of data protection in Member States. The European Union itself sought to implement these rules in the Community institutions and bodies through Regulation 45/2001, which is essentially a carbon copy of Directive 95/46 with respect to the rights of the data subject and the obligations of the controllers, but it is tailored for application “to the processing of personal data […] insofar as such processing is carried out in the exercise of activities which fall within the scope of Community Law”341. In other words, this Regulation is the implementation of Directive 95/46 at the European level342. Innovations brought by Regulation 45/2001 include the appointment of a Data Protection Officer inside each Community institution and body343, and the establishment of the European Data Protection Supervisor (EDPS)344.

339 FROMHOLZ, The European Union Data Privacy Directive, Berkeley Technological Law Journal, Vol. 15, No. 1, 2000, p. 474.
340 Pursuant to art. 25, “particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectorial, in force in the third country in question and the professional rules and security measures which are complied with in that country.”
341 Regulation 45/2001, art. 3.
342 HUSTINX, Data Protection in the European Union, p. 4.

The quick technological development which was taking place in the 1990s even led to the adoption of specific legislation in certain areas. For example, Directive 97/66/EC, later replaced by Directive 2002/58/EC, was meant to harmonize data protection rules in the telecommunications sector by “particularizing and completing Directive 95/46” 345. The scope of Directive 2002/58 is nearly identical in wording to that of Directive 95/46 and thus excludes activities concerning public security, defense, State security, and State activities in the area of criminal law. After laying down general provisions on the obligations of providers and Member States to, respectively, “safeguard security of the services” and “ensure the confidentiality of communications and related traffic data”, the e-privacy directive (as it is commonly referred to) sets processing standards with regard to traffic data346, caller identification, and location data347. To begin with, traffic data must be erased or made anonymous when no longer needed for the purpose of the transmission of a communication, unless it is necessary for the purpose of subscriber billing and interconnection payments, or for marketing purposes.
In the former case, processing is permissible only until payment may be legally pursued by the provider, while in the latter the user must also give explicit consent. Both, however, require the provider to inform the user of the type of data that is being processed, and the duration of such processing. Moreover, providers must offer the calling user and subscriber the possibility of preventing caller identification. Furthermore, location data may be processed only when made anonymous or with the consent of the data subject, and only for the duration necessary. In sum, with regard to telecommunication data Directive 2002/58 set a framework of heightened protection for the individual, which must be ensured by public authorities as well as by private entities, and where the rule is the destruction of such data, and processing is allowed only under strict conditions. In fact, the word “retention” appears only once in the Directive: Member States may adopt legislative measures providing for the retention of data only for a limited period and only if such invasive means constitute a “necessary, appropriate and proportionate measure within a democratic society to safeguard national security, defense, public security, and the prevention, investigation, detection and prosecution of criminal offenses”[348].

[343] Art. 24.
[344] Art. 41.
[345] Art. 1.
[346] Traffic data is defined in art. 2(b) as “any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof”.
[347] Pursuant to art. 2(c), location data means “any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service”.

2.1.2. Data protection in the second and third pillars.
As anticipated, the absence of an organic legislative framework set to safeguard the right to data protection in the external action of the Union and in the JHA area – although stemming from structural limitations of the pillar division – became more evident only after the adoption of the strict measures which characterized EU counter-terrorism policy following the 9/11 attacks[349]. The lack of any reference to data protection in the second pillar can be ascribed to the nature of the area in discourse, focused on more general strategies and activities such as peacekeeping and strengthening international security[350]. The very limited role assigned to individuals per se thus renders data protection not a top priority of the field. In the third pillar, this deficiency was partly remedied first by specific provisions which more or less addressed data protection, though in the context of broader measures[351], and then by Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (data protection framework decision, henceforth DPFD). The aim of the DPFD was to acquire, in the third pillar, the same importance that Directive 95/46 already had, at the time, in the first pillar[352]. Although it undoubtedly constituted a step forward towards the adoption of a general data protection framework in the third pillar, it did not completely satisfy scholars insofar as the level of protection is concerned.

[348] Art. 15.
[349] NINO, Terrorismo internazionale, p. 85.
[350] HIJMANS and SCIROCCO, Shortcomings in EU data protection, p. 1497.
[351] Data protection is addressed in the Convention implementing the Schengen Agreement of 1990, in the 1995 Europol Convention, in Council Decision 2002/187/JHA, and in the Prüm Treaty. As DE HERT and PAPAKONSTANTINOU point out, this amounted to “reversing the normal law-making order; usually, first a general text lays down the general rules and principles and then case-specific legislation follows […]. Security-related data protection legislation in the EU did exactly the opposite: case specific provisions were released (and indeed have been implemented widely) and only after several years has the general, principle-laying text (the DPFD) followed”. DE HERT and PAPAKONSTANTINOU, The data protection framework decision of 27 November 2008 regarding police and judicial cooperation in criminal matters – A modest achievement however not the improvement some have hoped for, Computer Law & Security Review, Vol. 25, 2009, p. 413.

The outline of the DPFD replicates that of Directive 95/46: although there is no chapter division, which makes reading slightly more confusing, the succession of the articles mirrors the order of the Data Protection Directive. The difference between the two is highlighted by art. 1: the purpose of the DPFD is to “ensure a high level of protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data, in the framework of police and judicial cooperation in criminal matters, provided for by Title VI of the TEU, while guaranteeing a high level of public safety”. However, the DPFD only applies to processing or exchange of personal data which takes place between Member States, or between a Member State and a third State (or private party); and not to processing inside each Member State (“domestic data”)[353]. This fundamental limitation is due essentially to a political compromise rendered necessary by the opposition of a number of Member States[354] to the proposal for a potential domestic application of the DPFD, which would have entailed an unprecedented encroachment in National State powers in the area of security.
Member States were unwilling to forgo exclusive authority over security issues: the unanimity requirement thus compelled the Council to adopt the DPFD with the broad scope exception[355]. Moreover, the DPFD is without prejudice to essential national security interests and specific intelligence activities in the field of national security[356].

[352] DE HERT and PAPAKONSTANTINOU, The data protection framework decision of 27 November 2008, p. 406.
[353] Art. 1(2).
[354] The UK, Denmark, Ireland, Iceland, Malta, Sweden, and the Czech Republic.
[355] See DE HERT and PAPAKONSTANTINOU, The data protection framework decision of 27 November 2008, pp. 410-411; HIJMANS and SCIROCCO, Shortcomings in EU data protection, at p. 1494, also notice how “it is moreover questionable how these limitations will work in practice. At the moment of the collection of personal data by a police authority in a Member State, it will normally not be foreseeable whether those data might at a later stage be used in a cross-border context”.
[356] Art. 1(4).
[357] DE HERT and PAPAKONSTANTINOU, The data protection framework decision of 27 November 2008, p. 411.

The basic set of processing principles is summed up between article 3 and article 8. According to De Hert and Papakonstantinou[357], the rules established in the DPFD derogate from the ordinary data protection principles in two manners. To begin with, processing of personal data for purposes other than those for which they were collected (“further processing”) is, although under certain conditions, permitted: the wording of Directive 95/46, in this regard, was exactly the opposite.
The power of “further processing” is granted to the recipient Member State as well: despite the fact that the provision in question[358] is structured as if the cases in which further processing is allowed are exemptions, “the list of exemptions is so far-reaching that in practically every case data may be used for purposes totally unrelated to those for which they were originally transmitted or made available”[359]. Secondly, exemption clauses were also applied to other principles: for example, pursuant to article 4(1), the data shall be completed or updated “only where it is possible and necessary”; under article 4(2), data that are no longer required for the purposes for which they were lawfully gathered must be erased or made anonymous, but they can be archived in a separate database. Other differences concern the processing of special categories of data, and automated individual decisions[360]. Here, in fact, the principle set by the DPFD is again opposite to the one set by the Data Protection Directive: whereas in the latter the processing of special categories of data, as well as automated individual decisions, are explicitly prohibited[361], in the former both activities “shall be permitted” by Member States, albeit under strict conditions.

The transfer of data to third States is allowed if four conditions are met. First, the transfer must be necessary for the purposes indicated by the DPFD; secondly, the receiving body must be competent for the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties; thirdly, the Member State from which the data originate must give its consent[362]; lastly, the receiving body must ensure an adequate level of protection for the intended data processing. This last requirement, however, is extremely discretionary as it is up to each Member State to evaluate the third State's level of protection.
The DPFD also allows transfer of personal data to private parties[363]: this provision has been questioned by scholars, who argue that a third-pillar measure with law-enforcement purposes should hardly call for the need of private parties for any particular reason. The DPFD, despite representing a “much-needed text”[364] in the third-pillar context, did not however achieve the result it was meant for – i.e. providing the area of police and judicial cooperation in criminal matters with an organic data protection framework. This can also be inferred from the provision concerning the relationship between the DPFD and prior Title VI measures[365]: specific conditions relating to the use of personal data introduced by acts adopted before the entry into force of the DPFD take precedence over the DPFD.

[358] Art. 11.
[359] DE HERT and PAPAKONSTANTINOU, The data protection framework decision of 27 November 2008, p. 412.
[360] See NINO, Terrorismo Internazionale, p. 89.
[361] In, respectively, Art. 8 and Art. 15 of Directive 95/46/EC.
[362] Unless the data “is essential for the prevention of an immediate and serious threat to public security of a Member State or a third state”. Art. 13(2).
[363] Art. 14.

2.2 After the Lisbon Treaty. Article 16 TFEU.

The extent to which the Lisbon Treaty has affected the overall structure of the Union has already been discussed. With regard to data protection, two significant novelties were introduced. First of all, pursuant to art. 6(1) TFEU the principles set in the EU Charter of Fundamental Rights were given the same legal value as the treaties, and thus acquired a binding status. This meant that the process of progressive recognition of data protection as a right distinct from privacy, inside the EU, was officially complete: article 8 of the Nice Charter, in fact, is exclusively dedicated to the protection of personal data, whereas the right to privacy is governed by article 7.
The second innovation consisted in the adoption of a provision, replacing article 286 TEC, which established the right to protection of personal data among the provisions having general application. Pursuant to art. 16 TFEU, “everyone has the right to the protection of personal data concerning them”; moreover, “the European Parliament and the Council […] shall lay down rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data”. Three features of this new provision should be stressed. First, it set – at least formally – a common data-protection ground for all areas of the EU, thus including the former second and third pillars. Secondly, the protection of personal data was recognized as a right having direct effect. Lastly, it imposed on the European Parliament and on the Council an obligation to provide data protection legislation, which, according to some scholars[366], could even in principle be legally enforceable through an action for failure to act.

[364] DE HERT and PAPAKONSTANTINOU, The data protection framework decision of 27 November 2008, p. 414.
[365] It is worth recalling that before the Treaty of Lisbon, police and judicial cooperation in criminal matters were governed by Title VI TEU.

Despite the Lisbon Treaty being acclaimed as having “marked a new era for data protection”[367], some edges still relating to the pillar division were not entirely polished[368], thus constituting exceptions which undermine the ability of art. 16 TFEU to effectively provide a legal basis for a common provision on data protection. Concerning common foreign and security policy, art. 16 TFEU is derogated by art. 39 TEU, which excludes from the scope of art. 16 the processing of personal data by Member States in CFSP activities.
A wide portion of the former second pillar therefore still remains outside of the general data protection framework, and with no role assigned to the European Parliament. Some limitations also prevented art. 16 from applying in its entirety to police and judicial cooperation in criminal matters. In fact, the abolition of the pillar structure, or, in other words, the communitarization of the second and third pillar, did not entail an automatic extension of Directive 95/46/EC to former-JHA areas: the Data Protection Directive expressis verbis excluded (“in any case”) from its scope of application “processing operations concerning public security, defence, State security, and the activities of the State in the areas of criminal law”. On top of that, the already mentioned Protocols to the TFEU concerning the position of the UK, Ireland and Denmark contain reservations by which those Member States can opt not to be bound by rules established on the basis of art. 16. Furthermore, the Intergovernmental Conference which adopted the Treaty of Lisbon added two declarations where it acknowledged, on one hand, that the peculiar nature of the field of police and judicial cooperation in criminal matters may warrant the adoption of specific rules on the protection of personal data[369]; and, on the other, that when rules adopted on the basis of Article 16 have direct implication for national security matters, these must be taken into due account[370]. According to Nino[371], these declarations – although their juridical nature is not clear – are part of the broader trend the Union still follows, notwithstanding the innovations brought by the Lisbon Treaty, in considering data protection in the area of police and judicial cooperation as a separate and specific legal profile, in light of the possibilities offered by the use of personal data in the fight against terrorism and organized crime. To this purpose, it is worth recalling that pursuant to article 87(2)(a) TFEU, the European Parliament and the Council may adopt measures concerning “the collection, storage, processing, analysis and exchange of relevant information”.

[366] HIJMANS and SCIROCCO, Shortcomings in EU data protection, p. 1520.
[367] HIJMANS, Recent developments in data protection at European Union Level, ERA Forum 11, 2011, p. 220.
[368] NINO, Terrorismo Internazionale, pp. 96-101; HIJMANS and SCIROCCO, Shortcomings in EU data protection, pp. 1515-1517; HIJMANS, Recent developments, pp. 220-221.
[369] Declaration 21.
[370] NINO, Terrorismo Internazionale, p. 99.
[371] NINO, Terrorismo Internazionale, p. 99.

2.3 Recent developments. The 2016 Data Protection package.

The entire data protection framework was revised in 2016 through the adoption of a Directive[372] and a Regulation[373], the former repealing Framework Decision 2008/977/JHA and the latter replacing Directive 95/46/EC. Among the spurs which led to the reform, scholars mention the need to address the advances in technology, as well as some closely-released seminal decisions by the CJEU concerning privacy and data protection issues[374]. This “herculean law-making effort”[375], which began in 2009 upon the release of a public consultation by the Commission, is meant to cover in an organic way the entire data-protection spectrum to an extent that “there is very little personal data processing that will remain unaffected by the combined effect of the Regulation and the Directive”[376]. The choice of these two legal instruments can warrant opposite considerations. On one hand, the adoption of a Regulation represents a decisive step forward in European integration not only in data protection, but in EU law in general – as it signals a forced exit of a particular field of law from Member State level to EU level[377].
On the other hand, though, partly allowing Member States to be flexible in the implementation of one of the two new measures ultimately amounts to adopting a two-speed process in the harmonization of the EU data protection framework[378]. In other words, in assessing this new data protection endeavor, stress can be put either on the fact that a Regulation was adopted in an unprecedented field, or on the missed opportunity for total harmonization that a Directive inevitably entails.

[372] Directive 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, and on the free movement of such data. O.J. L 119, 4.5.2016, pp. 89-131.
[373] Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. O.J. L 119, 4.5.2016, pp. 1-88.
[374] See BURRI and SCHÄR, The Reform of the EU Data Protection Framework: Outlining Key Changes and Assessing their fitness for a data-driven economy, forthcoming in Journal of Information Policy, Vol. 6, 2016. The cases in question are Google Spain (C-131/12), Digital Rights Ireland (C-293 & C-594/12) and Schrems (C-362/14).
[375] DE HERT and PAPAKONSTANTINOU, The New General Data Protection Regulation: still a sound system for the protection of individuals?, Computer Law & Security Review, Vol. 32, 2016, p. 181.
[376] DE HERT and PAPAKONSTANTINOU, The New General Data Protection Regulation, p. 180.
[377] DE HERT and PAPAKONSTANTINOU, The New General Data Protection Regulation, p. 182.
Regardless, however, of the light one wishes to put the new data protection package under, the reorganization of the matter shows commitment on the Union's side to leaving no (or at least very little) unregulated ground in the field of data protection: the two instruments are homogenous from a formal point of view as well, basically sharing the same chapter division[379] and thus following a very similar and comparable structure. Numerous differences, however, still remain in the level of protection accorded to the individual in the two sectors.

The General Data Protection Regulation (GDPR) applies in any circumstance in which the processing of personal data takes place, by automated or non-automated means, except for the situations listed in art. 2(2), 2(3) and 2(4). In particular, the GDPR does not apply where data is processed for the purpose of activities which fall outside the scope of Union Law, or within the second pillar; and for the purpose of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguard against and the prevention of threats to public security. The processing of data for this latter aim, in the exact same wording, is the subject matter of Directive 2016/680. The first striking novelty introduced in the GDPR and in Directive 680 is enshrined in arts. 5 and 4 respectively, concerning “principles relating to processing of personal data”. For the first time, these principles are listed together under the same heading and, in the GDPR, are also given an “official” name[380]. These are: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; accountability.
Transparency and accountability, in particular, are new additions which were not mentioned in previous data protection legislation.

[378] DI FRANCESCO MAESA, Balance between security and fundamental rights protection: an analysis of the directive 2016/680 for data protection in the police and justice sectors and the Directive 2016/681 on the use of passenger name record, available at http://rivista.eurojus.it/balance-between-security-and-fundamental-rights-protection-an-analysis-of-the-directive-2016680-for-data-protection-in-the-police-and-justice-sectors-and-the-directive-2016681-on-the-use-of-passen/, 24.05.2016.
[379] Chapter I through VIII carry the same heading and progression in both instruments.
[380] DE HERT and PAPAKONSTANTINOU, The New General Data Protection Regulation, p. 185.

The two instruments diverge significantly with regard to the processing of special categories of data. Whereas under the GDPR these “shall be prohibited”, unless one of the conditions in article 9(2) applies, under Directive 680 these “shall be allowed” – although only where strictly necessary, and only if the conditions listed in art. 10(a), (b) and (c) are met[381]. Automated individual decision making is also regulated differently: while in the GDPR the relevant article is placed under Chapter III, concerning the rights of the data subject, and thus holds that “the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her”[382], in Directive 680 the relevant article – situated in Chapter II, concerning “general principles” – makes no reference to an individual right, and simply instructs Member States to provide for decisions “based solely on automated processing […] which produce[s] an adverse legal effect concerning the data subject […] to be prohibited unless authorised by Union or Member Law”[383].
Chapter III of Directive 680, on the data subjects' rights, is much less structured than its counterpart in the GDPR. In the latter, the entire Chapter is even subdivided into sections which are instead completely missing in Directive 680, where the articles are also less numerous and generally shorter. To begin with, under the GDPR communications from the controller to the data subject must be made “in a concise, transparent, intelligible and easily accessible form”[384]. For third pillar data processing, instead, the transparency requirement is omitted[385]. Moreover, whereas under the GDPR the information to be given to the data subject when collection and processing of his data take place can be withheld only if the data subject already has such information[386], Directive 680 allows Member States to adopt legislation “delaying, restricting or omitting the provision of information to the data subject” where such a measure “constitutes a necessary and proportionate measure in a democratic society” when aiming to protect public and national security[387].

[381] Processing of such data is allowed (a) if it is authorized by Union or Member State Law, (b) to protect the vital interests of the data subject or of another natural person and (c) where it relates to data which are manifestly made public by the data subject.
[382] Art. 22, GDPR.
[383] Art. 11, Directive 680/2016. This is nonetheless a pronounced upgrade compared to the related provision in Framework Decision 2008/977/JHA analyzed above.
[384] Art. 12(1) GDPR.
[385] No mention of the principle of transparency is made in art. 4 of Directive 680, regarding general principles relating to the processing of personal data.
[386] Art. 13(4) GDPR.

Another stark difference between the two instruments can be noticed with respect to the right of access by the data subject.
The relevant article in the GDPR starts off by stating that “[t]he data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and […] access to the personal data”, as well as to information listed thereafter[388], and only in a separate (and following) provision envisages the possibility of a restriction of said rights “when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society”[389]. On the contrary, under Directive 680 the outset of the relevant provision immediately states[390] that the right of access is “subject to Article 15”, concerning, precisely, limitations of the right to access; thus inverting the underlying logical process. Finally, although both instruments provide for the right to rectification or erasure of personal data and restriction of processing, it is noteworthy that while under the GDPR restriction of processing is undoubtedly built as a right of the individual[391], this is not as obvious in Directive 680, where restriction of processing is apparently considered as an alternative to the erasure of data where certain conditions apply[392]. The GDPR is set to apply starting from May 2018, and an equivalent deadline shall apply for implementation of Directive 680.

2.4 US-EU relations on data protection.

The United States and the European Union regard privacy and data protection in a highly different manner. In the United States, in fact, there is no overarching privacy framework comparable to Directive 95/46/EC; legislation is instead more sector-specific and generally less rigorous than in Europe.
However, the fact that the US and the EU are close trade and investment partners, as well as foreign-relations allies, entails that exchanges of information – therein including personal data – between European and American entities, both public and private (situation generally referred to as the “transatlantic flow of data”) occur with a very high frequency due to the increasingly digital nature of the global economy. Given the distances between the respective data protection standards, the US and the EU – starting from shortly after the adoption of the Data Protection Directive – have thus sought agreements aimed at avoiding a blockage of such transatlantic flows of data and concerning data transfers relating to commercial purposes, as well as – more recently – law enforcement purposes.

[387] Art. 13(3) Directive 680/2016.
[388] Art. 15(1) GDPR.
[389] Art. 22(1) GDPR.
[390] Art. 14(1) Directive 680/2016.
[391] Art. 18 GDPR.
[392] Art. 16(3) Directive 680/2016.

2.4.1 The Safe Harbor Principles and the 2016 U.S. Privacy Shield.

The transatlantic flow of data is extremely relevant, first of all, for commercial purposes between private entities. US and EU companies that need to transfer personal data between each other must do so in compliance with European standards. In particular, pursuant to art. 25(1) of the Data Privacy Directive, onward transfers of personal data are permissible if the third country in question ensures an adequate level of protection. As the United States, given its legislative framework, is considered not to ensure an adequate level of data protection, mechanisms were developed pursuant to art. 25(6) in order to allow American companies to receive data nonetheless. The most important of such mechanisms were the Safe Harbor Principles[393]. The Safe Harbor Principles were negotiated between the U.S. Department of Commerce and the European Commission and finalized on 21 July 2000[394].
They consisted of a list of data protection principles[395] applicable to US corporations only, the adherence to which would grant such companies an “adequacy presumption”: in other words, the possibility of lawfully processing personal data coming from European soil. Adhering corporations were to self-certify the implementation of such principles, entirely optional, through a letter sent to the US Department of Commerce[396]. Based on the Safe Harbor Principles, the Commission issued an adequacy decision covering the processing of personal data by organizations that would implement the principles in question[397].

[393] Alternative existing mechanisms include the adoption of model contract clauses or binding corporate rules, or consent from the data subject. WEISS and ARCHICK, US-EU Data Privacy: From Safe Harbor to Privacy Shield, Congressional Research Service Report, R44257, 19 May 2016.
[394] Safe Harbor Privacy Principles issued by the Department of Commerce and Frequently Asked Questions, 21 July 2000.
[395] The principles in question relate to the following seven areas: notice; choice; onward transfer; data security; data integrity; access; enforcement.
[396] It is worth pointing out that not all companies could use this self-certifying mechanism, but only those subject to regulation under the Federal Trade Commission (FTC) and the Department of Transportation (DoT). Notable exclusions include corporations operating in the financial sector.

The Safe Harbor Agreement, however, did not constitute a binding international law treaty; furthermore, the Department of Commerce had maintained that adherence to the principles in question could be limited for “national security, public interest or law enforcement requirements”. Following the 2013 Snowden revelations, which exposed the United States government's system of mass acquisition of personal data from private entities, Europe's trust in the effectiveness of the Safe Harbor scheme was crippled[398].
In that same year, Maximillian Schrems, a young Austrian law student, brought a complaint to the Irish Data Protection Supervisor399 concerning the data processing activities undertaken by Facebook and, in particular, the transfer of personal data from Facebook's European servers to its US servers, which he alleged was taking place in violation of European data protection laws. Facebook, however, was among the corporations which adhered to the Safe Harbor principles; for this reason the case was dismissed by the Irish DPS, who held that it was bound by Decision 2000/520 to recognize Facebook as providing an adequate level of protection of the personal data it processed. The case was thereafter taken before the Irish High Court, which in turn sought a preliminary ruling by the CJEU concerning two issues: first, the relation between the powers of the Commission and those of Independent Data Protection Supervisors400; second, the overall validity of the Safe Harbor system. In its decision delivered on 6 October 2015401, the CJEU declared that the Safe Harbor Agreement was incompatible with European data protection standards and thus invalidated Decision 2000/520 ab initio402.

Footnotes 397-402: Commission decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and the Council on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the US Department of Commerce, O.J. L 215/7-47, 25.8.2000. NINO, Il caso Datagate: i problemi di compatibilità del programma di sorveglianza PRISM con la normativa europea sulla protezione dei dati personali, Diritti umani e diritto internazionale, Vol. 3, 2013, pp. 727-746. The complaint was brought to the Irish DPS because Facebook's European headquarters and servers are in Ireland. Specifically, the relation between art. 25(6) and art. 28 of Directive 95/46/EC. Case C-362/14, Max Schrems v. Data Protection Commissioner, 6 October 2015. NINO, La Corte di giustizia UE dichiara l'invalidità del sistema di Safe Harbor: la sentenza Schrems, SIDIblog, 24 October 2015; GIATTINI, La tutela dei dati personali davanti alla Corte di Giustizia dell'UE: il caso Schrems e l'invalidità del sistema di 'approdo sicuro', Diritti Umani e Diritto Internazionale, Vol. 10, No. 1, 2016, pp. 247-254; AZOULAI and VAN DER SLUIS, Institutionalizing personal data protection in times of global institutional distrust: Schrems, 53 Common Market Law Review 2016, pp. 1343-1372.

In its judgment, the Court first found that an adequacy decision issued by the Commission pursuant to art.25(6) of the Data Protection Directive does not prevent a Supervisory Authority of a Member State from being able to examine the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him403. Next, the Court assessed the validity of Decision 2000/520. While noting that the Directive does not in fact contain a definition of “adequate level of protection”404, the Court observed that the word “adequate” must be interpreted in the sense of “essentially equivalent”405. Because of this, “the Commission's discretion as to the adequacy of the level of protection ensured by a third country is reduced” 406. In particular, when assessing whether a third country ensures an adequate level of protection, the Commission must not omit to consider domestic law or international commitments of the third country in question, pursuant to art. 25(6); the Court observed that in the case at hand, however, the Commission had failed to do so407. Moreover, the Court pointed out that pursuant to the Agreement, “national security, public interest or law enforcement requirements” have primacy over the Safe Harbor principles: private entities will therefore be bound to disregard those principles when in conflict with those requirements 408. These reasons led the Court to believe that Decision 2000/520 had been adopted in violation of art.25(6) and was, thus, invalid.

Footnotes 403-408: Case C-362/14, Schrems, Judgment of the Court, para.66. Case C-362/14, Schrems, Judgment of the Court, para.70. Case C-362/14, Schrems, Judgment of the Court, para.73. Case C-362/14, Schrems, Judgment of the Court, para.78. Case C-362/14, Schrems, Judgment of the Court, paras.81-83. Case C-362/14, Schrems, Judgment of the Court, para.86.

The invalidation of Decision 2000/520 called for the rapid adoption of a new framework for transatlantic data flows. Negotiations concerning an update of the Safe Harbor principles had actually begun already by late 2013, in the wake of the Datagate revelations. The Court's decision in Schrems provided the impetus for new discussions which culminated with the agreement between the Commission and the Department of Commerce on 2 February 2016 on a new EU-US Privacy Shield. The full text of the new agreement was released, together with the Commission's first draft adequacy decision, on 29 February 2016. Opinions by data protection watchdogs, namely Article 29 Working Party409 and the EDPS410, followed shortly thereafter, underscoring the improvements compared to the Safe Harbor framework despite the remaining shortcomings 411. A revised set of principles was issued by the U.S. Department of Commerce on 7 July 2016, and the definitive adequacy decision was finally adopted on 12 July 2016 412. Similarly to the Safe Harbor Agreement, the EU-US Privacy Shield is not an international agreement in the proper sense as neither did the parties expressly purport to conclude an international treaty, nor was the appropriate procedure ex art.218 TFEU followed413. The Privacy Shield is rather a composite document comprised of the Commission's adequacy Decision, on one hand, and a long series of annexes from U.S. Government authorities (“Privacy Shield Package”414) on the other.
The essence of the new Agreement lies in Annex II, containing the EU-US Privacy Shield Framework Principles. The new system, which remains optional for corporations, is structured in the same way Safe Harbor was programmed: companies that wish to sign up to the Privacy Shield must implement the Principles therein established; upon doing so, they obtain a certification which allows them to process data originating from Europe. Although the system is still based on self-certification, a feature which was criticized by the CJEU in Schrems, stronger enforcement powers are now assigned to the Department of Commerce and the FTC, and the rights of EU citizens are more highly safeguarded in light of the establishment of several different redress possibilities415. The obligations which companies undertake, concerning the protection of European personal data, are generally more strict compared to those in place under the Safe Harbor agreement: among them, detailed notice obligations, data retention limits, prescriptive access rights, tightened conditions for onward transfers, tighter liability regime, more stringent data integrity and purpose limitation principles, and strengthened security requirements416. Furthermore, conditions and safeguards were set with regard to access to data by U.S. public authorities for national security purposes and other public interests417: these activities are now governed by Presidential Policy Directive 28 (PPD28)418, which sets precise procedural requirements concerning the collection, retention and dissemination of personal information on non-US citizens.

Footnotes 409-414: Article 29 Working Party, Opinion 1/2016 on the EU-US Privacy Shield draft adequacy decision, 13 April 2016. European Data Protection Supervisor, Opinion 4/2016 on the EU-US Privacy Shield draft adequacy decision, 30 May 2016. CRESPI, La nuova proposta di decisione di adeguatezza della Commissione Europea riguardo agli USA: lo scudo UE/USA per la privacy, Eurojus.it, 26 April 2016, available at http://rivista.eurojus.it/la-nuovaproposta-di-decisione-di-adeguatezza-della-commissione-europea-riguardo-agli-usa-lo-scudo-ueusa-perla-privacy/ Commission Implementing Decision of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and the Council on the adequacy of the protection provided by the EU-US Privacy Shield, C(2016) 4176 final, 12.7.2016. SALUZZO, Tutela dei dati personali e deroghe in materia di sicurezza nazionale dopo l'entrata in vigore del Privacy Shield, SIDIblog, 13 September 2016, available at http://www.sidiblog.org/2016/09/13/tutela-deidati-personali-e-deroghe-in-materia-di-sicurezza-nazionale-dopo-lentrata-in-vigore-del-privacy-shield/ The package includes seven annexes: I) letter from International Trade Administration and new arbitral model; II) Privacy Shield framework principles; III) letter from the Department of State and memorandum on the establishment of a Privacy Shield Ombudsperson; IV) letter from the Federal Trade Commission on its enforcement of the Privacy Shield; V) letter from the Department of Transportation on its enforcement of the Privacy Shield; VI) two letters from the Office of the Director of National Intelligence on safeguards and limitation applicable to US national security authorities; VII) letter from the Department of Justice on safeguards and limitations on US Government access for law enforcement and public interest purposes.
A new independent redress mechanism was also introduced in the area of national security: the Privacy Shield Ombudsperson, in charge of addressing complaints against U.S. public authorities. One of the main features of the Privacy Shield is thus the existence of a higher commitment to data protection by US governmental authorities, alongside private corporations' self-certifications. As further proof of the binding nature of the Agreement, the entire Privacy Shield Package has also been delivered to the Federal Register for publication 419. Despite the improvements, some aspects of the package have been criticized. It has been noted 420 that the Annexes to the Privacy Shield Package, in particular Annex VI, fail to completely rule out the possibility of bulk collection of data by US intelligence agencies, which will therefore still be possible albeit under specific and narrow circumstances and “tailored as feasible”. While the Art.29 Working Party has consistently held that any form of bulk collection of data, regardless of its specificity, should still be considered massive and thus prohibited421, it will be up to the CJEU to definitively settle the issue in an upcoming judgment422 where the Court is called to decide on the validity of national general surveillance programs. Surprisingly, Advocate General Saugmandsgaard Øe, in his opinion delivered on 19 July 2016, held that a general surveillance program – thus involving bulk retention of data – may nonetheless be permitted at a national level, provided that certain safeguards are set in place423. Ultimately, it will be possible to evaluate whether the safeguards established by the Privacy Shield are to be considered effective only upon their consistent implementation.

Footnotes 415-421: EU citizens may lodge complaints, in particular: to the company itself, who must provide a response within 45 days of the receipt of the complaint; through independent recourse mechanisms such as ADRs or European Data Protection Supervisors; to the Department of Commerce, through national DPAs; directly to the FTC. WEISS and ARCHICK, US-EU Data Privacy, p. 10. See, in particular, Annex VI of the Privacy Shield Package. CRESPI, La nuova proposta, para. 2. PPD-28 was issued on 17 January 2014. See infra, Chapter III, para. 3.3. Privacy Shield Package, Annex I, Letter from U.S. Secretary of Commerce Penny Pritzker, p. 3. SALUZZO, Tutela dei dati personali. Article 29 Working Party, Opinion 1/2016 on the EU-US Privacy Shield draft adequacy decision, 13 April 2016, para. 3.3.3.

2.4.2. Information exchange in law enforcement. The 2016 Umbrella Agreement.

The Safe Harbor and the subsequent Privacy Shield agreements both regulate transatlantic data flows which occur for commercial purposes; they are not therefore meant to apply to transfers of personal data which take place for law enforcement purposes. This gap was recently filled by the adoption of an Agreement between the US and the EU on the protection of personal information relating to the prevention, investigation, detection and prosecution of criminal offences, commonly referred to as the “Umbrella Agreement”. Negotiations started on 29 March 2011424 and culminated with the signing of the Agreement on 2 June 2016425. The Umbrella Agreement is not in itself designed as a legal instrument allowing for any transfer of personal information to the US; rather, it supplements – where necessary – data protection safeguards in existing and future data transfer agreements or national provisions authorizing such transfers, and thus functions as an overarching legal framework426.

One of the most prominent features of the Umbrella Agreement is the leveling of EU and US citizens before US courts. Prior to its signing, in fact, one of the conditions for the Agreement's approval by the EU was the enactment of the Judicial Redress Act, a U.S. bill which authorizes the Department of Justice to designate foreign countries whose natural citizens may bring civil actions under the Privacy Act of 1974 against certain U.S. government agencies for purposes of accessing, amending, or redressing unlawful disclosures of records transferred from a foreign country to the United States to prevent, investigate, detect, or prosecute criminal offenses 427. In other words, this newly enacted legislation allows European citizens to effectively seek judicial redress before American courts, in the event of unlawful processing of their personal data by US public authorities. The bill was approved on 24 February 2016, thus paving the way for the signing of the Agreement. Differently from the Privacy Shield, the Umbrella Agreement is an actual treaty of international law and the appropriate procedures ex art. 218 TFEU were therefore followed; as the Parliament, however, is yet to give its consent to the adoption of the Agreement, its provisions are not yet legally binding on the contracting Parties.

Footnotes 422-426: Joined cases C-203/15, Tele2 Sverige AB v Post-och telestyrelsen, and C-698/15, Secretary of State for the Home Department v. Watson, Brice, and Lewis. Opinion of Advocate General Saugmandsgaard Øe, 19 July 2016, para. 263. MEMO/11/203. Council Press Release 305/16, 2 June 2016. See Privacy & Information Security Law Blog, EU and US sign Umbrella Agreement, available at https://www.huntonprivacyblog.com/2016/06/03/eu-and-u-s-sign-umbrella-agreement/

3. The use of telecommunication data in counter-terrorism: Directive 2006/24/EC.

After having provided a brief overview of the evolution of data protection legislation in the EU, the following paragraphs will now focus on the most important counter-terrorism measures which rely on the use of personal data.
Measures involving three types of personal data will be taken into consideration: telecommunication data, to which this paragraph is dedicated entirely, financial data, and travel data, which will be the object of the next paragraph. One common feature these counter-terrorism instruments share is that they all function through the cooperation of the private sector: in particular, commercial activities such as telecommunication service providers, air carriers, and financial services providers428.

Footnotes 427-428: Judicial Redress Act of 2015, P.L. 114-126 MITSILEGAS, EU Criminal Law, p. 272.

3.1 From protection to retention. Directive 2006/24/EC

The terrorist attacks on Madrid (2004) and London (2005) modified the perception surrounding the importance of data protection. Telecommunication data in particular, i.e. data concerning phone calls and internet use, ceased to be considered exclusively as something which needed protection and started to be looked at as a useful tool in the fight against terrorism – even more so after investigations concerning the Madrid bombings uncovered the important role communication played in the planning of the attack 429. The general conviction, therefore, shifted towards the necessity of keeping data rather than destroying them430; legislation was however needed in order “to reverse the presumption in favor of information destruction”431. Directive 2006/24/EC, on the retention of traffic and location data, can thus be considered as a product of the political and social eagerness to adopt surveillance mechanisms as counter-terrorism measures432. It has been written433 that the Data Retention Directive can be considered as a dividing line in EU policy, separating a tendency of firm defense of personal data, even in the face of terrorist threats, from one which balanced the scale much more in favor of security rather than personal liberty.
Discussions concerning a measure aimed at retaining communication data started as early as April 2004, shortly after the Madrid attacks. Four Member States (the UK, France, Ireland, Sweden) proposed the adoption of a Framework Decision, thus falling under the third pillar, concerning telecommunication data retention for law enforcement purposes; it also provided for the use, access, and exchange of such data. The proposal spurred opposition on the part of the Parliament, which rejected it on different legal grounds (the choice of legal basis and legislative measure, and human rights implications including the violation of the right to privacy434), as well as on the part of the Commission 435. Moreover, according to the Legal Services of the Council and the Commission the proposed Framework Decision was “partly illegal” because it addressed issues, such as telecommunications, for which first-pillar measures would have instead been more appropriate436. In other words, given that the provisions of the proposed Framework Decision would undeniably affect the telecommunication market – which falls under EU law – first-pillar law-making should have been followed. This would obviously entail significant differences from the original design: a proposal needed to come from the Commission, and a qualified majority would have sufficed for the measure to pass.

Footnotes 429-435: NINO, Terrorismo Internazionale, p. 314. It is worth reminding that pursuant to art.6(1) of Directive 2002/58/EC, “traffic data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service must be erased or made anonymous when it is no longer needed [...]”. BIGNAMI, Privacy and Law Enforcement in the European Union: The Data Retention Directive, Chicago Journal of International Law, Vol. 8, No. 1, Summer 2007, p. 237. GRANGER and IRION, “The Court of Justice and the Data Retention Directive in Digital Rights Ireland: telling off the EU legislator and teaching a lesson in privacy and data protection” European Law Review, Vol. 39, No. 4, 2014, pp. 835-850. NINO, Terrorismo Internazionale, p. 319. European Parliament legislative resolution on the initiative by the French Republic, Ireland, the Kingdom of Sweden and the United Kingdom for a Draft Framework Decision on the retention of data processed and stored in connection with the provision of publicly available electronic communications services or data on public communications networks for the purpose of prevention, investigation, detection and prosecution of crime and criminal offences including terrorism (8958/2004 — C60198/2004 — 2004/0813(CNS)), 21 September 2006, O.J. C 227 E. MURPHY, EU Counter-terrorism Law, p. 168.

This original proposal was thus initially abandoned, only to be reinstated the following year, after the attacks on London, with a new proposal for a Directive stemming from the Commission in September 2005 which was thus meant to be a first-pillar measure. Although its declared legal basis was art. 95 of the post-Amsterdam TEC (currently art. 114 TFEU), on the harmonization of provisions concerning the internal market, the first proposal of the Directive, however, was rather explicit in linking traffic and location data retention to law enforcement purposes “such as the prevention, investigation, detection and prosecution of serious crime, such as terrorism and organised crime” 437. Criticism towards the Commission's proposal arose from several institutional voices 438. According to the European Data Protection Supervisor, the proposal went well beyond granting access to precise and localized data, thus impinging on fundamental freedoms.
Similarly, the Article 29 Working Party believed the proposal to allow for an unwarranted restriction of the right to privacy and even advanced suggestions aimed at amending the Directive in order to enhance its compliance with basic data protection principles. The European Economic and Social Committee questioned whether the principles of subsidiarity and proportionality had been respected. Regardless, the Commission's proposal swiftly passed through Parliament and Council scrutiny and was finally adopted in March 2006.

Footnotes 436-438: “EU: Data Retention proposal partly illegal, say Council and Commission lawyers” Statewatch news online, April 2005, available at http://www.statewatch.org/news/2005/apr/02eu-data-retention.htm See Explanatory Memorandum, point 1; recitals (7) and (8); and art. 1(1) of the Commission's proposal for a Directive of the European Parliament and of the Council on the retention of data processed in connection with the provision of public electronic communication services and amending Directive 2002/58/EC, 21 September 2005, COM(2005) 438 final. NINO, Terrorismo Internazionale, p. 317, note 45.

3.2 Content of the Data Retention directive

The Data Retention directive essentially compelled communication service and network providers, and thus private companies, to retain certain types of data and provide them “upon request and without undue delay”439 to competent national authorities “in order to ensure that the data are available for the purpose of the investigation, detection, and prosecution of serious crime”440. From this point of view, the directive was “a direct reversal of the requirements of the e-Privacy Directive”441, the only prior instrument addressing telecommunication data, pursuant to which traffic and location data were to be deleted after they were no longer needed for billing purposes.
According to Murphy, the Data Retention Directive “is the cornerstone of the EU's surveillance architecture” 442, and was probably the most controversial of the EU's data surveillance counter-terrorism measures. The reason why it spurred so much opposition lay in the fact that it indiscriminately affected suspected terrorists as well as ordinary citizens, unlike other more delimited measures such as PNR retention and TFTP: the Directive was meant to apply to “legal entities and natural persons”, without any further specification 443.

The core of the Directive consisted in an ample list of categories of data which providers were mandated to retain444: namely, data necessary to trace and identify the source of a communication; the destination of a communication; the date, time and duration of a communication; the type of communication; the users' communication equipment or what purports to be their equipment; and the location of mobile communication equipment. From a practical viewpoint, this included data such as calling and called telephone numbers, name and address of the subscriber or user, user IDs, date and time of the start and end of the communication, the telephone and internet service used, as well as data pertaining to unsuccessful call attempts445.

Footnotes 439-445: Art. 8 Data Retention Directive. Art. 1(1) Data Retention Directive. Directive 2002/58/EC. MURPHY, EU Counter-terrorism Law, p. 172. MURPHY, EU Counter-terrorism Law, p. 174. Art 1(2) Data Retention Directive. Art. 5(1)(a)-(f) Data Retention Directive. Art. 3(2) Data Retention Directive

Although at first glance the list may seem impressively detailed, a closer and more technically-aware look at it reveals that it did in fact present at least some degree of limitation. To begin with, only traffic or location data pertaining to five specific means of communication had to be stored: fixed network telephony, mobile telephony, internet access, internet e-mail, and internet telephony. The latter two in particular are but a small part of the means of communication available on the internet; moreover, the expression “internet access” should not be construed as a residual container for all the others. This entails that some widely used means of online communication did not fall under the scope of art. 5: blogs, message boards, video platforms (such as YouTube), social networking platforms (such as Facebook), instant messaging, peer-to-peer services446. Data relating to web-browsing was also excluded from the Directive; furthermore, the obligation referred to data “generated or processed” by providers, which clarified that providers were under no obligation to generate new data447. Lastly, pursuant to art. 5(2) “no data revealing the content of the communication may be retained pursuant to this directive”. This provision was, however, rather unfortunate in its wording as it failed to consider that on some occasions knowledge of the content of a communication is not necessary in order to apprehend its object448.

Access to the data thus retained was only granted to “competent national authorities in specific cases and in accordance with national law”449. No clue was provided, though, as to who could have been deemed “competent national authority”. Murphy reports that bodies that were allowed access to data in different Member States included national police forces, prosecutors, military services, security and intelligence services, and even tax, custom and border authorities450; Nino points out that, since the Directive did not explicitly exclude it, the providers themselves could have also been granted access to those data under certain conditions451.

Footnotes 446-451: For a detailed analysis of the data listed in art. 5, see FEILER, The legality of the Data Retention Directive in light of the fundamental rights to privacy and data protection, European Journal of Law and Technology, Vol. 1, Issue 3, 2010, para. 4.2. FEILER underlines the difference between services provided over the Internet and services providing access to the Internet, arguing that only the latter fit the definition of 'providers of publicly available electronic communication services'. FEILER, The legality of the Data Retention Directive, para. 4.1. Examples are numerous and illustrative: recurring calls to a cardiologist during office hours may hint that the subject might suffer from a heart condition; if two people who communicate regularly with each other change their location simultaneously, this might suggest they are on vacation together; a drastic increase of calls placed by Pentagon employees to Domino's pizza may suggest hostilities are imminent. See FEILER, The legality of the Data Retention Directive, para. 7.3.4.; NINO, Terrorismo Internazionale, p. 322 at note 60, who recalls KOSTA and VALCKE in The EU Data Retention Directive. Retaining the Data Retention Directive, Computer Law & Security Review, Vol. 22, Issue 5, 2006, p. 375, where they state that “[t]he distinction between traffic data and content data is, however, not always as clear as the European institutions would like to believe especially when it comes to the Internet”. Art. 4 Data Retention Directive MURPHY, EU Counter-terrorism Law, p. 170. NINO, Terrorismo Internazionale, p. 324; although art. 4 is clear in stating that “data […] are provided only to competent national authorities”.

A key provision of the Directive was art.6, concerning “periods of retention”. Pursuant to it, “Member States shall ensure that the categories of data specified in Article 5 are retained for periods of not less than six months and not more than two years from the date of the communication”.
This time frame was the result of a political compromise between the position of the Council and that of the Parliament: while the former supported a broader length of retention – from one to three years – the latter, along with the oversight bodies, was more concerned with safeguarding individual rights and thus argued against the Council's position and in favor, instead, of a considerably shorter period of retention 452. While a middle position eventually prevailed, an overwhelming majority of scholars nonetheless maintained that the resulting time frame was still too broad and thus in patent violation of European data protection principles453. Moreover, art. 12 allowed Member States to take the necessary measures “when facing particular circumstances that warrant an extension for a limited period of the maximum retention period referred to in Article 6”. Finally, all data that had not been accessed and preserved at the end of the retention period were to be destroyed: placed under the heading “data protection and data security”, this provision constituted one of the measures arranged by the European legislator against potential abuses of the data retained pursuant to the Directive454.

Footnotes 452-454: BIGNAMI, Privacy and Law Enforcement in the European Union, pp. 247-248. NINO, Terrorismo Internazionale, p. 326; MURPHY, EU Counter-terrorism Law, p. 170; MITSILEGAS, EU Criminal law, p. 268; FEILER, The legality of the Data Retention Directive, para. 8. Art. 7(d) Data Retention Directive. Member States were also required to respect the following data protection principles: the retained data had to be (a) of the same quality and subject to the same security and protection as those data on the network; (b) subject to appropriate technical and organisational measures to protect it against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful storage, processing, access or disclosure; (c) subject to appropriate technical and organisational measures to ensure that they could be accessed by specially authorised personnel only.

3.3 Assessment of the legality of the Data Retention Directive

The evaluation of the Directive's lawfulness passes through two levels of analysis. First of all, it must be ascertained whether the provisions of the Directive interfere with the rights to privacy and data protection. Secondly, it must be considered whether the possible interference constitutes a violation of those principles, or is instead justified. The first part of the test is a rather easy assessment – the Directive undoubtedly impinges on the personal rights of privacy and, especially, data protection, as enshrined in arts. 7 and 8 of the EU Charter of Fundamental Rights, art. 8 of the ECHR, and Convention 108 455. Case-law by the ECtHR on the matter is particularly vast 456 and consistent in holding that the storing and processing of data surely amounts to an interference with privacy. However, both art. 52(1) of the EU Charter of Fundamental Rights and art. 8(2) ECHR permit restrictions of privacy and data protection provided that certain conditions are met457. These are: that the restrictive measure be provided by law that is precise and accessible to the public; that it serves a public and legitimate purpose 458; and, most importantly, that it respects the principle of proportionality.

Directive 2006/24/EC complied with the first two prongs. To begin with, the normative measure chosen to apply the data retention scheme – a first-pillar directive, as opposed to a third-pillar framework decision – entailed a more democratic law-making process, given the use of the codecision procedure which grants the Parliament full participation. Moreover, the Directive was very specific in indicating the means of communication “under control” and the type of data to be retained: users could have thus foreseen with sufficient precision which data would have been kept by providers.
Secondly, it was unambiguous and immediately clear that the purpose of the Directive was “the investigation, detection and prosecution of serious crime”. The final wording was actually much narrower than previous versions, as early drafts also referred to the “prevention” of criminal activity, which was thus expunged, and did not limit the scope of the directive only to “serious” crimes but encompassed all sorts of crimes; furthermore, the private entities mandated to retain the data could not use it for commercial purposes.

Footnotes 455-458: See supra, para. 1.1. In particular: Klass et al. v. Germany, 6.9.1978, app. no. 5029/71; Malone v. UK, 2.8.1984, app. no. 8691/79; Rotaru v. Romania, 4.5.2000, app. no. 28341/95; Copland v. UK, 3.4.2007, app. no. 62617/00; S. and Marper v. UK, 4.12.2008, combined applications 30562/04 and 30566/04. The following analysis reflects the point of view of BIGNAMI and FEILER. FEILER subsumes the 'legitimate purpose' requirement in the proportionality test. FEILER, The legality of the Data Retention Directive, para. 7.3.

Whether the Directive respected the principle of proportionality was a more debated issue. In general, actions of EU institutions which infringe on fundamental rights comply with the proportionality principle if they are suitable (i.e. capable of reaching the purported objective) and necessary (i.e. the same objective cannot be achieved with less restrictive means) to the purpose they are enacted for. On top of this, one must also consider whether the adopted measure is proportional stricto sensu, or, in other words, if the balance struck between it and the sacrificed right holds, or tilts too far from the latter.
With regard to the first point, that is whether data retention can indeed be considered a crime-fighting tool, notwithstanding skepticism stemming from institutional data-protection authorities such as the Article 29 Working Party and the European Data Protection Supervisor 459, studies show that “when properly indexed, large amounts of retained data can be searched very efficiently and within adequate time frames” 460. The fact that the content of such data is excluded from the Directive is also irrelevant to this matter, as it has been shown that traffic and location data can prove almost as revealing as content itself. It is debatable, however, whether the Directive constituted the least restrictive means of reaching the legitimate public purpose. While some authors461 and institutional players argue that less invasive measures were indeed feasible, such as the “quick freeze procedure” – whereby law enforcement authorities may ask for previously retained data pertaining to an individual who is suspected of having committed a crime, if not enough evidence exists for a warrant to be issued – Feiler points out 462 that among the purposes of the Directive listed in art. 1(1) there is also that of “detecting” crime: an objective which assumes that criminal activities are being conducted by persons who are yet to be identified. Quick freeze procedures and other measures which posit the existence of one or more individuals in particular, such as surveillance of a specific subject's telecommunication, are therefore not real alternatives for the achievement of the purposes as defined in art. 1(1). Moreover, traffic analysis per se is much less invasive than other techniques such as social network analysis (SNA)463 and data mining464.
459 BIGNAMI, Privacy and Law Enforcement in the European Union, p. 247.
460 FEILER, The legality of the Data Retention Directive, para. 7.3.2.
461 NINO, Terrorismo Internazionale, at p. 330, recalling the position of Article 29 Working Group.
462 FEILER, The legality of the Data Retention Directive, para. 7.3.3.
463 SNA is defined as “a collection of mainly statistical methods to support the study of communication relations in groups, kinship relations, or the structure of behavior”, which “assumes that the ways members of a group can communicate affect some important properties of the group”. SVENSON et al., Social network analysis and information fusion for anti-terrorism, in Proceedings of the Conference on Civil and Military Readiness, Sweden, 2006.
464 Data mining is “the process of discovering interesting patterns and knowledge from large amounts of data”. See HAN, KAMBER, PEI, “Data mining. Concepts and techniques”, Morgan Kaufmann Publishers, Waltham, 2012, p.8. According to another definition “data mining is the process of posing queries and extracting useful patterns or trends often previously unknown from large amounts of data using various techniques such as those from pattern recognition and machine learning”. THURAISINGHAM, Data mining for counter-terrorism, in: KARGUPTA, JOSHI, SIVAKUMAR, YESHA (Eds), Data Mining Next Generation Challenge and Future Directions, AAAI Press, 2004, p.191.
Rather than the data retention method itself, therefore, the assessment of the legality of the Directive passed through its key features: namely, length of retention and amount of data retained. However, although data protection watchdogs, as recalled above, were quick in calling out both features for being excessively broad, and setting aside those authors who instead argue in favor of the reasonableness tout court of the time- and content-frame set by the Directive 465, no empirical study demonstrating what period of retention or content can be deemed right or necessary for the purposes of art. 1(1) had (or has) been conducted, thus “clearly show[ing] that the question of how long the data can be retained while not violating art.7 and art.8 of the Charter is rather a question of proportionality stricto sensu than necessity”466.
More simply: does the importance of the public purpose achieved warrant such a restriction of the rights in question, i.e. data protection and privacy? This problem requires that two separate elements be taken into consideration: how important is the public purpose de facto achieved, that is the effectiveness of the Directive in reaching its objectives, and how severe is the compression of the right to privacy and data protection. According to Feiler, in the case of the Data Retention Directive the trade-off is negative 467. This is not only because of the gravity of the compression of the fundamental rights, compounded by a number of other factors such as the heightened retention period left to the discretion of Member States, and the possible chilling effect the Directive could have had on social behavior, but also because of the limited effectiveness of the Directive itself. If compared to its declared purpose, that is to investigate, detect, and prosecute serious crime, the Directive was actually an overall inadequate measure due to its inherent limitations, concerning the means of communication and type of data to be retained, and – especially – the vast number of ways available to users to bypass its provisions and thus prevent data retention468.
465 According to BIGNAMI, Privacy and Law Enforcement in the European Union, p. 250, “[a] maximum retention period of two years appears reasonable. It takes time to plan certain types of crimes, and it is not unthinkable that, even two years before the event, the conspiracy might have begun to take shape and leave communication traces […]. [T]he amount of personal data to be retained also appears reasonable”.
466 FEILER, The legality of the Data Retention Directive, para. 7.3.3.
467 FEILER, The legality of the Data Retention Directive, para. 7.3.4.
468 Among the techniques listed by FEILER are encryption technologies, the use of web-mail as a drop-box, or, more easily, the use of pre-paid SIM cards or public telephone booths.
One further point to be highlighted, in the cost/gain analysis of the Directive, is also the cost that it imposed on the private companies who were directly affected by the mandate to retain data. Blakeney, for example, points out that merely compelling providers to keep data on unanswered calls would yield costs in the range of millions of euros 469. Moreover, the Directive did not contain an explicit provision on the compensation for the costs suffered by providers, leaving it instead to the discretion of each Member State, with the effect of determining different levels of compensation throughout the Union 470. An argument could therefore be made that the Directive did indeed impose an undue burden on individuals, and thus violated the rights to privacy and data protection – as was eventually found by the CJEU – but only when compared to its actual gain or effectiveness, and not in abstracto. If the potential gain had been higher, then the burden might have been proportional. This consideration shifts the spotlight of the discussion from the right that is being sacrificed to the importance of the purpose or the objective achieved, and may therefore lead to the conclusion that amending the Directive, rather than striking it down tout court, would have been a more appropriate solution.
3.4 The Directive before the Courts.
Because of its highly controversial nature, it was easy to predict that the Directive would before long come under judicial fire. The first suit against Directive 2006/24/EC was brought by the Irish Government in the same year it was passed. What was being contested, however, was not the Directive's compliance with fundamental rights but rather the legal basis it had been adopted on.
The challenge proved unsuccessful nonetheless, and the Directive survived (rectius, was kept alive) for eight more years until April 2014, when the CJEU definitively declared it void ab initio for violation of art. 7 and art. 8 of the EU Charter of Fundamental Rights. Between these rulings, National Courts of several Member States were also called upon to assess the legality of their respective national implementing legislation, with a significant predominance of negative opinions.
469 BLAKENEY, The Data Retention Directive: Combating Terrorism or Invading Privacy?, Computer and Telecommunications Law Review, Vol. 13, No. 5 2007, p. 153.
470 In certain States, for example Germany, providers were not entitled to any compensation at all. See Murphy, pp. 171-172.
3.4.1 The first ruling by the CJEU.
The first occasion for the CJEU to rule on the Data Retention Directive presented itself almost immediately after its adoption. With the support of Slovakia, Ireland – who had been one of the proponents of the original third-pillar Framework Decision in the wake of the Madrid attacks – lodged an action for annulment of the Directive on the grounds that it had been adopted on an erroneous legal basis. The Irish government claimed that the real “center of gravity” of the Directive was not the harmonization of the telecommunications market, but rather its law enforcement purposes (namely, the declared objective of investigating, detecting, and prosecuting serious crime). Because of this, it argued, the legal basis upon which the Directive had been established (art. 114 TFEU, formerly art. 95 TEC) was inappropriate, and therefore reason for annulment of the Directive. The action was dismissed by the CJEU in February 2009 471 on essentially three grounds472.
Firstly, evidence was submitted in the case at hand that the divergences between national statutes concerning data retention were significant enough to cause competition distortion and thus negatively impact the internal market. Secondly, the Data Retention Directive had amended the e-privacy Directive473, also adopted on the first-pillar legal basis: this would not have been possible with a third-pillar measure. Thirdly, the Court pointed out that the provisions of the Directive only concerned activities of service providers, and not the access to or use of data by police or judicial authorities, since they did not contain rules governing the activities of such authorities474. It is worth noting that, given the limited scope of the action brought by Ireland, confined to the Directive's legal basis, the Court entirely omitted to consider whether the Directive might have been in violation of the rights to privacy and data protection.
471 Case C-301/06, Ireland v. Parliament and Council.
472 See NINO, Terrorismo Internazionale, p. 329; HIJMANS and SCIROCCO, Shortcomings in EU data protection, p. 1505.
473 Directive 2002/58/EC.
474 For this reason, the CJEU did not recall PNR case law. See infra, para. 4.1.2.
3.4.2 The revolt of national courts
Notwithstanding the CJEU's initial stance in favor of the legality of the Directive, various Supreme Courts of Member States addressed the implementing national legislation in a very critical manner, to the extent that Guild and Carrera speak of a “revolt of national courts”475. Between 2008 and 2011, justices in Bulgaria 476, Romania477, Germany478, Czech Republic479 and Cyprus480 all struck down domestic legislation implementing the Directive.
It is, however, extremely significant that all of the above, except for the Romanian court, avoided tackling the Directive directly but instead focused exclusively on the relevant national statutes, thus displaying deference to the supremacy of EU law by choosing to address the issue of the legality of the Directive only indirectly 481. According to Murphy, the decision by the Bundesverfassungsgericht in particular constituted, at the time it was drafted, “the most detailed judicial treatment yet of not just the Data Retention Directive, but of counter-terrorism mass surveillance in general” 482. Originating from a public petition signed by almost 34000 people, it owes its importance not only to the massive participation it sprang from, but also to the quality of the legal reasoning in light of the advanced evolution of data protection principles which characterize the German legal system483. The BVerfG, on that occasion, furthered the Solange doctrine484, by which 'as long as' (the English translation of “solange”) the European Communities and, in particular, the Court of Justice will guarantee a level of protection of fundamental rights which is comparable to that offered by the Grundgesetz and the BVerfG, the BVerfG will refrain from assessing the compatibility of EU acts with the Grundgesetz485.
475 GUILD and CARRERA, The political and judicial life of metadata: Digital Rights Ireland and the Trail of the Data Retention Directive, CEPS Paper in Liberty and Security in Europe, No. 65, May 2014, p.5.
476 Bulgarian Supreme Administrative Court, decision no. 13627, 11 December 2008.
477 Romanian Constitutional Court, decision no. 1258, 8 October 2009.
478 Bundesverfassungsgericht, 1 BvR 256/08, 1 BvR 586/08, 1 BvR 263/08, 2 March 2010.
479 Czech Constitutional Court, Pl. ÚS 24/10, 22 March 2011.
480 Cyprus Supreme Court, app. no. 15/2010, decision of 1 February 2011.
481 LYNSKEY, The Data Retention Directive is incompatible with the rights to privacy and data protection and is invalid in its entirety: Digital Rights Ireland, 51 Common Market Law Review 2014, p. 1800. NINO, at p. 335, adopts a more critical position of this technique.
482 MURPHY, EU Counter-terrorism, p. 174.
483 “German jurisprudence has a well-developed system of data protection—and one which is based on a theoretically informed conception of privacy. German data protection is based on the right to informational self-determination. German law requires the protection of three personal spheres: the individual, the private and the intimate. The right to manage one's affairs so as to keep separate these different aspects of one's life is a key facet of German data protection.” MURPHY, EU Counter-terrorism, p. 174.
484 Solange II, 22 October 1986, BVerfGE, 73, 339.
485 Among others, DANIELE, Diritto dell'Unione Europea, p. 175.
The BVerfG did not therefore assess the legality of the Data Retention Directive against the Grundgesetz, but rather analyzed the single provisions of the indicted statutes (namely, art. 113a and 113b of the Telekommunikationsgesetz and art. 100g of the Strafprozessordnung) following the prongs developed in ECtHR case law: quality of the legislation, legitimate purpose, and proportionality486. Although this can be considered as an exercise of a form of judicial restraint and was as such welcomed by scholars 487, the effect of the German Supreme Court holding was nonetheless to question the validity of the Directive at least implicitly488. While courts in Bulgaria, Cyprus and the Czech Republic handed down similar rulings, the critique by the Romanian Supreme Court was even more aggressive and straightforward. It was directed not only to the national implementing legislation, which was deemed unconstitutional on multiple accounts 489, but also to the data retention scheme in general. Moreover, the Directive was not mentioned throughout the ruling, if not at the very beginning.
Combined with the fact that the Court relied heavily on ECtHR jurisprudence490, the picture emerging from this decision is that of a Court which “cannot be said to have yet accepted the principle of supremacy” 491. The Romanian Court was in fact the first to criticize the entire data retention system as a whole, unlimited to the single provisions of the implementing legislation, and thus indirectly the Directive itself. Commentators have therefore noted492 that the implications of this decision went far beyond the Directive alone, as the ruling constituted a challenge to the supremacy of EU law.
3.4.3. The second decision by the CJEU: Digital Rights Ireland.
The CJEU's second take at the Data Retention Directive 493 proved to be decisive not only for the Directive in itself, but for European Union Law in general.
486 A detailed analysis of each of the above can be found in NINO, Terrorismo Internazionale, pp. 340-342.
487 KOSTA writes: “[i]n short, if the German Court had deviated from its Solange doctrine and had questioned the compatibility of the Data Retention Directive with fundamental rights protected by the European legal order, it could have initiated a 'supranational legal crisis' with severe impact on the relationship between European and national legislation”. KOSTA, The Way to Luxemburg: National Court Decisions on the Compatibility of the Data Retention Directive with the Rights to Privacy and Data Protection, (2013) 10:3 SCRIPTed 339 http://script-ed.org/?p=1163
488 NINO, Terrorismo Internazionale, p. 342.
489 For a detailed analysis of the decision see MURPHY, Romanian Constitutional Court, Decision No. 1258 of 8 October 2009, 47 Common Market Law Review 2010, pp. 933-941.
490 In particular, the cases of Klass v. Germany, Sunday Times v. UK, and Airey v. Ireland.
491 MURPHY, Romanian Constitutional Court, p. 941.
492 MURPHY; NINO; LYNSKEY.
493 Joint cases C-293/12, Digital Rights Ireland v. Minister for Communications, Marine and Natural Resources, Minister for Justice, Equality and Law Reform, The Commissioner of the Garda Síochána, Ireland and the Attorney General and C-594/12, Kärntner Landesregierung, Michael Seitlinger, Christof Tschohl and Others
The Directive was in fact struck down because of its incompatibility with articles 7, 8, and 52(1) of the EU Charter of Fundamental Rights, and declared void ab initio – as if it had never come into existence. As this represents the first case where a source of EU primary legislation was declared invalid on the basis of the Charter 494, Digital Rights Ireland “further develops the parameters of constitutional review when fundamental rights are at stake” and is therefore “set to become a landmark case” in CJEU jurisprudence 495. The origin of the case lies in requests for a preliminary ruling coming from the High Court of Ireland and the Verfassungsgerichtshof, the Austrian Constitutional Court, both concerning the compatibility of the Data Retention Directive with various provisions of the EU Charter of Fundamental Rights; the two cases were thus treated jointly. Compared to Ireland v. Parliament and Council, there were however two novel aspects that the Court could not overlook496. First of all, with the Lisbon Treaty the EU Charter had, by the end of 2009, acquired the same legal status as the Treaties and was thus to be considered binding EU Law. The importance of this epochal change cannot be overestimated. Secondly, it is important to point out, although mention of this is not made anywhere in the decision, that the ruling was handed down less than a year after the Snowden revelations that exposed the USA's worldwide mass surveillance program497. An argument could therefore be made that, through this decision, the Court sought to take a resolute stance in favor of human rights in general, and privacy and data protection in particular.
The question which the Court was called upon to answer was whether the Directive was compatible with articles 7, 8 and 11 of the EU Charter 498; given its conclusions with respect to articles 7 and 8, however, the Court found that there was no need to examine the validity of the Directive in light of art. 11499.
494 The two other times EU Charter rights were used as grounds for invalidation (C-92/09 & C-93/09, 9.11.10, Volker und Markus Schecke and Hartmut Eifert; C-236/09, 01.03.11, Association Belge des Consommateurs Test-Achats and Others), concerned secondary legislation.
495 LYNSKEY, The Data Retention Directive, p. 1798.
496 GRANGER and IRION, The Court of Justice and the Data Retention Directive in Digital Rights Ireland, p. 844
497 GRANGER and IRION, The Court of Justice and the Data Retention Directive in Digital Rights Ireland, p. 845. See the interactive page by UK newspaper The Guardian: http://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded#section/1
498 Para. 21. Art. 7 of the EU Charter concerns the right to privacy; article 8, the right to data protection; art. 11, freedom of expression and information.
499 Para. 70.
Compared to the importance of the matter, the ruling of the Court is rather concise: “Directive 2006/24/EC on the retention of data […] is invalid”. The reasoning of the Court lies on two distinct levels. On the first, the Court considers whether the provisions of the Directive constitute an interference with the rights to privacy and data protection. It held that, while the retention of and access to personal data constituted an interference with the right to privacy 500, the processing of such data constituted instead an interference with the right to data protection 501. Although the Court makes a distinction between privacy and data protection, it stresses that in both occasions the interference is “wide-ranging” and “particularly serious”502.
Assuming thus that such an interference exists, the Court moves on to analyze whether it is justified pursuant to art. 52(1) of the Charter in its various elements503. To begin with, it omits to consider whether the interference is “provided by law” and briefly addresses the question of whether “it respects the essence” of the rights to privacy and data protection, which it resolves positively504. Next, it considers whether “the interference satisfies an objective of general interest”. It is noteworthy how the Court made a distinction between the “aim” of the Directive and its “material objective”, the former being the harmonization of Member States' legislation on data retention for internal market purposes, while the latter being ensuring that the data are available for law enforcement purposes, and chose to pursue its evaluation of the legality of the Directive having in mind the material objective, and not the aim: a striking revirement compared to the position adopted in Ireland v. Parliament and Council, where the Court had saved the Directive because it had considered it a lawful first-pillar measure505.
500 Para. 34-35.
501 Para. 36.
502 Para. 37.
503 EU Charter, art. 52(1): “Any limitation on the […] rights and freedoms recognized by this Charter must be provided for by law, and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest […] or the need to protect the rights and freedoms of others”.
504 With regard to the right to privacy, because the Directive does not allow the retention of the content of the communications; with regard to data protection, because of the safeguards established in art. 7 of the Directive. Paras. 39-40.
505 LYNSKEY recalls Advocate General Cruz Villalón concluding that “the Directive's 'saving grace' in Ireland v Parliament and Council – its internal market vocation – would be responsible for its downfall in the case under consideration”, as its first-pillar nature would have rendered the interference unwarranted. LYNSKEY, The Data Retention Directive, p. 1802.
In Digital Rights Ireland, instead, the Court acknowledged the essentially third-pillar nature of the Directive, and on that assumption assessed its compliance with the legitimate purpose prong: “the material objective of that directive is […] to contribute to the fight against terrorism and serious crime and thus, ultimately, to public security. It is apparent from the case-law of the Court that the fight against international terrorism in order to maintain international peace and security constitutes an objective of general interest”506. Although the Court's choice to assess the proportionality of the Directive's interference with the fundamental rights to privacy and data protection enshrined in the Charter by reference to the third-pillar “material objective” might appear in line with a design to save the Directive, given that security purposes undeniably warrant a higher level of rights infringement than internal market purposes, according to Granger and Irion the Court's framing of the Directive as a security measure served the purpose of “situat[ing] the case in the line of the Kadi jurisprudence”, thus enabling the Court “to develop a strong precedential basis for stricter human rights scrutiny of security policies”507. In fact, despite finding that the Directive's third-pillar purpose “genuinely satisfies an objective of general interest”508, the Court ruled that it was unable to satisfy the subsequent proportionality requirement. Here, the Court applied a novel strict scrutiny test509. While interpreting the elements of art. 52(1), in fact, it acknowledged that “[w]ith regard to judicial review of compliance with those conditions, where interferences with fundamental rights are at issue, the extent of the EU legislature’s discretion may prove to be limited, depending on a number of factors, including, in particular, the area concerned, the nature of the right at issue guaranteed by the Charter, the nature and seriousness of the interference and the object pursued by the interference” 510. The Court essentially decided that when fundamental rights, such as the right to privacy and to data protection, are at stake, the discretion of the EU legislator is severely reduced – and, consequently, room for judicial review increases proportionally. While acknowledging that data retention is “appropriate for attaining the objectives pursued by [the] directive” 511, the Court points out that “such an objective of general interest, however fundamental it may be, does not, in itself, justify a retention measure such as that established by Directive 2006/24”512.
506 Paras. 41-42.
507 GRANGER and IRION, The Court of Justice and the Data Retention Directive in Digital Rights Ireland, p. 847.
508 Para. 44
509 GRANGER and IRION, The Court of Justice and the Data Retention Directive in Digital Rights Ireland, p. 845.
510 Para. 47. Italics added.
511 Para. 49.
Three main reasons lead the Court to believe that the interference in question was not limited to what was strictly necessary, or, in other words, did not constitute the least restrictive means: first, the general and undiscriminating character of the data retention scheme (the so-called “blanket approach”) 513; second, the lack of any criterion or condition relating to the access and use of the data retained 514; third, the extent of the period of retention515.
Given these premises, combined with final considerations concerning the risk of possible commercial uses of the data, and the possibility of transferring them to third countries, the Court concluded that “the EU legislature ha[d] exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter”516. The Directive was thus declared void ab initio, as the Court decided not to make use of its power, pursuant to art. 264 TFEU, to limit the effects of its judgment. While the constitutional significance of this decision, as well as its importance for national legal orders, is undisputed517, some scholars pointed out that the Court failed to settle with unequivocal certainty the issue of the appropriateness of data retention as a counterterrorism measure518. One explanation offered is that the Court might be “reluctant to tread on the toes of the Member States regarding a matter which is deemed to relate closely to national security”519. Another, however, is that, absent any accurate study proving the complete uselessness of data retention for terrorism-fighting purposes, and given the enthusiasm of law enforcement authorities on the subject 520, the Court was unwilling to shut the door entirely to a potentially important counter-terrorism measure and would thus be open to a data retention scheme which balances security and privacy concerns in a more appropriate manner.
512 Para. 51.
513 Paras. 56-59.
514 Paras. 60-62.
515 Paras. 63-64.
516 Para. 69
517 The Directive was, in fact, invalidated for substantive and not procedural reasons. MARIN, The fate of the Data Retention Directive: about mass surveillance and fundamental rights in the EU legal order, in MITSILEGAS, BERGSTRÖM and KONSTADINIDES, Research Handbook on EU Criminal Law, Edward Elgar publishing, 2016, Cheltenham, p. 221. For GRANGER and IRION, “[t]his ruling contributes to the transformation of the relationship between the Court of Justice and the EU legislator, from one of reciprocal deference into one of mutual control.” The Court of Justice and the Data Retention Directive in Digital Rights Ireland, p. 850.
518 LYNSKEY, The Data Retention Directive, p. 1809.
519 LYNSKEY, The Data Retention Directive, p. 1809.
520 See, for example, the numbers crunched by Commissioner Malmström in her speech in Brussels of 3 December 2010. MALMSTRÖM, “Taking on the Data Retention Directive”, European Commission conference in Brussels, Brussels, 3 December 2010, SPEECH/10/723.
4. Other measures involving use of personal data
While the use of telecommunication data may perhaps be the most immediately comprehensible use of personal data as a counter-terrorism tool, there are other, less obvious types of data which provide useful information to law enforcement authorities in the fight against terrorist activities. These are data relating to air travel, and data relating to financial activities.
4.1 Air travel data: API and PNR.
Unbeknownst to passengers, traveling by air leaves behind a significant trail of personal information, some of which may even be of a sensitive nature. There are at least two sets of data relating to airplane travelers: Advanced Passenger Information (API), and Passenger Name Records (PNR). API encompasses all the data that can be found in the machine-readable zone of the passport, such as name, nationality, date and place of birth, gender, passport number and expiry date521. PNR, on the other hand, is an internal document created by the air carrier which links information provided by the client/passenger at the moment of the purchase of the ticket to an alphanumeric code thus creating, precisely, a record of such person522.
In addition to the data relating to API, PNR also includes (yet is not limited to) information such as the person's address and contact information, all forms of payment information, frequent flyer information, travel agency and agent, seat number, and special meal requirements. The exact amount and type of information ultimately depends on the passenger, as not all the fields to be completed in the reservation process are mandatory[523]. PNR thus implies a much more detailed set of information compared to API. Moreover, while the purpose of API is to identify individuals already wanted for, or suspected of, being terrorists, by using watch lists and alert systems which simply compare the known information to that being fed to the check-in machine, by using PNR instead “authorities can identify behavioral patterns and make associations between known and unknown individuals”[524]. The argument furthered by law enforcement authorities is therefore that this type of data may be helpful in revealing individuals who are not yet under the “terrorist-radar”, but might be involved in transnational terrorist activities, based on a risk assessment of the data obtained through PNR processing schemes[525]. PNR processing is thus an eminently preemptive counterterrorism measure.

The European Union has concluded separate international agreements concerning PNR processing with the United States, Canada, and Australia, and a European PNR Directive which had been in the making since at least 2003 was finally adopted in April 2016.

[521] WILSON, Gone with the wind? The inherent conflict between API/PNR and Privacy Rights in an increasingly security-conscious world, Air & Space Law, Vol. 41, No.3, 2016, p. 230.
[522] Pursuant to art.2 of the 2011 US-EU PNR Agreement (see infra), “PNR […] shall mean the record created by air carriers or their authorized agents for each journey booked by or on behalf of any passenger and contained in carriers' reservation systems, departure control systems, or equivalent systems providing similar functionality”.
[523] PAPAKONSTANTINOU and DE HERT, The PNR Agreement and Transatlantic anti-terrorism co-operation: no firm human rights framework on either side of the Atlantic, 46 Common Market Law Review 2009, p. 886.
[524] WILSON, Gone with the wind?, p. 232.
[525] A recent communication by the Commission, concerning PNR data, carried this explanation: “the uses of PNR are mainly the following: (i) risk assessment of passengers and identification of “unknown” persons, i.e. persons that might be of interest to law enforcement authorities and who were so far unsuspected, (ii) earlier availability than API data, and provision of an advantage to law enforcement authorities in allowing more time for its processing, analysis and any follow-up action, (iii) identification to which persons specific addresses, credit cards, etc. that are connected to criminal offences belong, and (iv) matching of PNR against other PNR for the identification of associates of suspects, for example by finding who travels together”. COM(2010)492 final, 21.9.2010, p. 4.

4.1.1. First US-EU PNR Agreement (2004).

Records on passengers were held by air carriers even before 9/11, and for no counterterrorism purposes at all. However, such information was generally requested only to finalize ticket reservations, and was not stored away after the booking was complete[526]. It was only after 9/11, through the enactment of the ATSA (Aviation and Transportation Security Act), that the USA started requiring air carriers of any nationality traveling to or from the USA to transfer to law enforcement authorities, namely to the Bureau of Customs and Border Protection (CBP)[527], the data collected throughout the reservation process. Penalties for non-compliance included the stripping of landing and transit rights, and thus essentially the loss of the entire American market[528].

These policies, however, placed European carriers in a particularly unfortunate bind. As of 2001, in fact, the transfer of personal data (therein including data relating to air travel) from European entities to any third-country entity was governed by art. 25 of the Data Protection Directive[529], which required that the third country in question ensure an adequate level of protection. The USA, though, were among those countries that did not ensure such a level of protection[530]: pursuant to the Data Protection Directive, the carriers therefore had an obligation not to transfer those data over to the competent authorities in the USA. This obligation, as well, was to be enforced through the adoption of fines for the non-compliant airlines. European carriers could thus either comply with American legislation, and face fines in the EU; or comply with the Data Protection Directive, and face even worse fines in the USA.

The Commission intervened in June 2002, partially easing the deadlock by negotiating with the CBP an extension of the compliance deadline until March 2003, while at the same time seeking to table discussions with its transatlantic counterpart concerning the protection of European passengers' data[531]. It was the Commission, and not the Council, that was leading the negotiations with the CBP because the transfer of PNR data from commercial airlines was considered, at the time, as an internal market – and thus first-pillar – issue. Moreover, it was more convenient to pursue the discussions in a context where the EU could rely on a piece of organic legislation in the background (the Data Protection Directive): it is worth recalling that the Data Protection Framework Decision, the first semi-comprehensive third-pillar measure on data protection, was only adopted in 2008[532]. The negotiations thus took place pursuant to art.25(5) of the Data Protection Directive.

The outcome of these negotiations was threefold. First, the CBP issued a document on 11 May 2004, which is referred to as “the Undertakings”, in which it essentially laid down a series of rules concerning European PNR data processing it undertook (hence the name) to abide by. Consequently, the Commission adopted a decision, known as “adequacy decision”[533], in which it recognized that the CBP, because of its undertakings, was able to ensure “an adequate level of protection” pursuant to art.25(6) of the Data Retention Directive. Lastly, based on the Commission's Decision, the Council, acting on the first-pillar legal basis of art. 95 TEC, adopted a Decision of its own concerning the conclusion of the Agreement between the USA and the EU[534]. Said Agreement was signed in Washington on 28 May 2004, entering into force immediately.

[526] Before 9/11, reservations could allegedly be made with the person's initials. PAPAKONSTANTINOU and DE HERT, The PNR Agreement, p. 898.
[527] The CBP is a child agency of the Department of Homeland Security, itself established in 2001 as a response to 9/11, whose objective is to “safeguard America's borders thereby protecting the public from dangerous people and materials while enhancing the Nation's global economic competitiveness by enabling legitimate trade and travel”. Official website of the Department of Homeland Security, https://www.cbp.gov/about.
[528] MENDES DE LEON, The Fight Against Terrorism through Aviation: Data Protection versus Data Production, Air & Space Law, Vol. 31, Nos.4-5, 2006, p. 322.
[529] Directive 1995/46/EC. See supra, para. 2.1.1.
[530] The reason lies in the fundamental difference between the European and American notion of privacy. See infra, Chapter III, para. 2.1.
[531] TERRASI, Trasmissione dei dati personali e tutela della riservatezza: l'accordo tra Unione Europea e Stati Uniti del 2007, Rivista di Diritto Internazionale, Vol. 2, 2008, p. 380.
[532] PAPAKONSTANTINOU and DE HERT, The PNR Agreement, p. 901.
Terrasi points out that the adoption of an international agreement following an adequacy decision ex art.25(6) Data Retention Directive constituted an absolute novelty[535].

If the First PNR Agreement was ideally meant to offer a solution to the European air carriers' conundrum of which legislation to comply with, it settled the matter quite definitely in one sense rather than seeking a compromise position. The agreement, in fact, drew criticism from institutional players, such as the European Parliament and the Article 29 Working Party, and also from humanitarian associations and legal scholars[536], who all deemed the provisions of the Agreement unsatisfactory with respect to the European data protection standards enshrined in Directive 1995/46/EC. The CBP would in fact use PNR data for purposes of preventing and combating “terrorism and related crimes”, as well as “other serious crimes […] that are transnational in nature”[537]. Under the Data Protection Directive, however, data must be collected for specified purposes[538], a requirement which the vague notion of “serious crime” did not meet. Moreover, the CBP would be able to access the PNR data directly from the air carriers' reservation system through a “pull” system[539], and store the data thus obtained for a maximum total of eleven and a half (11.5) years[540]. Furthermore, an Attachment to the Undertakings provided a list of the PNR data elements required by CBP from air carriers: a total of thirty-four entries ranging from seat information, to bag tag numbers, to “general remarks”.

[533] Commission Decision 2004/535/EC of 14 May 2004 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States' Bureau of Customs and Border Protection. O.J. L235/11, 6.7.2004.
[534] Council Decision 2004/496/EC of 17 May 2004 on the conclusion of an Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection. O.J. L 183/83, 20.5.2004.
[535] TERRASI, Trasmissione dei dati personali, p. 380.
[536] See NINO, Terrorismo Internazionale, p. 189, at note 35.
[537] CBP Undertakings, para. 3.
[538] Art. 6(1)(b), Directive 1995/46/EC.
[539] CBP Undertakings, para. 13. The system whereby the data is passed on to the competent authorities by the air carriers is instead called a “push” system, as data is, as the name suggests, pushed from the air carriers to the law enforcement authorities.
[540] CBP Undertakings, para. 15. All data could be retained for a default time of 3.5 years, after which the data that had not been manually accessed would have to be deleted, while the other would be transferred to a “deleted record file” and retained for an extra 8 years.

4.1.2 The 2006 PNR judgment by the CJEU.

Because of the aforementioned shortcomings the First PNR Agreement presented when compared to standing European data protection standards, the European Parliament, supported by the European Data Protection Supervisor, lodged two actions for annulment of the Decisions by the Council[541] and the Commission[542] which were thus joined. Although the Parliament advanced multiple pleas for annulment in each case (six against the Council and four against the Commission[543]) on both procedural and substantive grounds, the Court limited itself to the analysis of the appropriateness of the Decisions' legal basis (the first limb of both of the Parliament's pleas), and thus their formal validity, completely omitting to consider whether there had been a breach of the rights to privacy and data protection, which was instead the most relevant of the pleas advanced by the Parliament. For reasons that will soon be explained, the Court found that both Decisions had been based on erroneous legal grounds and thus annulled them. The cases in question were not exploited to their full constitutional potential and are therefore to be placed within the context of the Court's case law on legal basis, rather than on fundamental rights[544].

The Court's judgment was rather brief. First, it analyzed the scope of the “exclusion clause” in art.3(2) of the Directive, in order to evaluate whether the Directive could apply to the Commission's adequacy decision. Because “the decision on adequacy concerns only PNR data transferred to CBP”[545], which, based on the agreement, “constitutes processing operations concerning public security and the activities of the State in areas of criminal law”[546], the Court found that “the data processing which is taken into account in the decision on adequacy is […] quite different in nature”[547] from the internal-market one to which Directive 95/46 applies. The mere fact that “the PNR data have been collected by private operators for commercial purposes” and that “it is they who arrange for their transfer to a third country”[548] does not necessarily imply that the transfer in question is not covered by art.3(2). Quite the opposite: according to the Court, the transfer in question was to be considered as falling under art.3(2), and thus outside the Data Retention Directive. The Commission's adequacy decision ex art. 25(6) was, therefore, annulled, because its subject matter fell outside the material scope of the Data Protection Directive[549]. The Court then turned to the Council's decision and, with extremely concise wording, simply concluded that, given that the Commission's adequacy decision concerned data that fell outside the scope of the Directive, and that the Council's decision related to the same data, “Decision 2004/496 cannot have been validly adopted on the basis of art. 95 EC”[550] and “the decision must therefore be annulled”[551].

At the heart of this decision, known as “the PNR judgment”, lay a restrictive interpretation of Directive 1995/46/EC, which came as “unexpected” to some scholars[552] given the preceding case law where the Court had instead opted for a broad interpretation of the Directive, such as in Österreichischer Rundfunk[553] and in Lindqvist[554], which was even recalled in the case at hand, where the Court had circumscribed the cases which fell outside the scope of the Directive, by holding that only “activities of the State or of State authorities and unrelated to the fields of activities of individuals […] expressly listed [in art. 3(2)] or which can be classified in the ejusdem generis”[555] were to be excluded from it. In the present case, by contrast, the Court held that even activities carried out by private actors may fall under art.3(2) and thus outside the scope of the Directive, meaning that “the test ratione materiae is no longer limited ratione personae to activities carried out by public authorities, but is expanded in order to include activities of private and commercial entities”[556].

Surprisingly enough, the PNR judgment was itself not recalled in Ireland v. Parliament and Council[557], where the Court was called upon to decide, again, on the appropriateness of a first-pillar legal basis for a counter-terrorism measure. On that occasion, as noted above, the Court found the Data Retention Directive to be a valid first-pillar measure, notwithstanding its self-declared security purposes; only to change its mind, yet again, in Digital Rights Ireland, but for another reason entirely. Counterterrorism measures which are partly founded on first-pillar grounds, such as those involving the use of personal data, do not therefore receive a uniform judicial treatment but are rather assessed on a case-by-case basis depending on a number of factors such as the type of measure adopted, the contextual political climate, and the degree to which individual rights are infringed upon.

Turning back to the PNR judgment, one last point to be underlined is that, given the procedural nature of the decision it handed down, the Court abstained from analyzing whether the PNR Agreement violated the rights to privacy and data protection as guaranteed by Convention 108, the ECHR, and the ECFR. This was a missed opportunity for the Court which heavily reverberated in the adoption of the following PNR Agreements. By holding, on one hand, that the Data Protection Directive was inapplicable to the PNR Agreement, and, on the other, not providing guidance as to which data protection principles should in fact apply at all, the Court essentially left the Institutions in charge of concluding the new Agreement in a condition where they were legibus solutae[558], as no comprehensive third-pillar data protection framework yet existed, it being still two years in the making.

[541] Case C-317/04, European Parliament v Council.
[542] Case C-318/04, European Parliament v. Commission.
[543] Judgment of the Grand Chamber in Joined Cases C-317/04 and C-318/04, 30 May 2006, paras. 50 and 62.
[544] GILMORE and RIJPMA, Case law. Joined Cases C-317/04 and C-318/04, European Parliament v. Council and Commission, Judgment of the Grand Chamber of 30 May 2006, [2006] ECR I-4721, 44 Common Market Law Review 2007, p. 1081.
[545] Judgment of the Grand Chamber in Joined Cases C-317/04 and C-318/04, 30 May 2006, para. 55.
[546] Ibid., para. 56.
[547] Ibid., para. 57.
[548] Ibid., para. 58.
[549] GILMORE and RIJPMA, Case law, p. 1086.
[550] Judgment of the Grand Chamber in Joined Cases C-317/04 and C-318/04, 30 May 2006, para. 69.
[551] Ibid., para. 70.
[552] HIJMANS and SCIROCCO, Shortcomings in EU Data Protection, p. 1503.
[553] Case C-465/00, Rechnungshof v. Österreichischer Rundfunk, 20 May 2003.
[554] Case C-101/01, Bodil Lindqvist, 6 November 2003.
[555] Judgment of the Court in case C-101/01, paras. 43-44.
For these reasons the Parliament's victory was thus deemed a Pyrrhic victory[559], as the ensuing PNR Agreements, in the absence of a substantive evaluation of the First, were not more concerned with privacy and data protection issues – quite the contrary, in fact – while the Parliament itself was left with an even more marginal role in the negotiations, since the discussions had shifted from a first-pillar to a third-pillar approach.

[556] HIJMANS and SCIROCCO, Shortcomings in EU Data Protection, p. 1503.
[557] See supra, para. 3.4.1.
[558] TERRASI, Lotta al terrorismo e flussi transfrontalieri di dati personali, in GARGIULO and VITUCCI, La tutela dei diritti umani nella lotta e nella guerra al terrorismo, Editoriale Scientifica, Napoli, 2009, p. 431.
[559] GILMORE and RIJPMA, Case law, p. 1081.

4.1.3 Interim (2006), Second (2007) and Third (2011) EU-US PNR Agreements.

As the annulment of the First Agreement had created a situation of legal uncertainty the toll of which weighed mainly on European airlines, negotiations for a new PNR Agreement with US authorities started shortly after the Court's ruling. In accordance with the Court's decision, this time they were led by the Presidency of the Council pursuant to articles 24 and 38 of the TEU. Article 24, in fact, governed the procedures to be followed when concluding agreements with third States or international agreements in CFSP matters; art. 38 simply held that agreements referred to in Article 24 may cover matters falling under Title VI concerning the AFSJ.
The desire to reach a decision quickly led to the adoption of an Interim Agreement in October of 2006[560], designed to expire in July 2007, which was almost identical to the First Agreement – as it relied on the same 2004 Undertakings – with only a few differences[561]: first, that access to PNR data was granted to additional DHS agencies, other than CBP[562]; and second, that the 2004 Undertakings could be interpreted “in light of subsequent events”[563], such as changes in US law. However, the DHS also issued a document, known as the “side-letter”[564], which, although intended to “set forth [US] understandings with regard to a number of provisions of the PNR Undertakings issued on 11 May 2004”, in reality amended those Undertakings by including provisions which could have “permitted dangerous abuses and facilitated violations of the fundamental freedoms of individuals”[565].

Notwithstanding the complexity of the situation the Council was facing, with the American side pressing for more access to PNR data while the Parliament strove for the exact opposite, by the expiration date of the Interim Agreement a new Agreement was drafted and signed by the two parties in July 2007[566]. This Agreement, known as the Second PNR Agreement, was adopted on the same legal basis used for the Interim Agreement, and thus articles 24 and 38 TEU, in accordance with the PNR judgment by the CJEU. The final version comprised three separate documents: the Agreement itself; yet another letter from the US to the EU; and a response letter from the EU to the US.

The reaction of legal scholars to the Second PNR Agreement was, again, not positive. In the absence of hard evidence by law enforcement authorities proving the effectiveness of PNR data retention as a counter-terrorism measure, the discussions around the PNR Agreement remained limited to the assessment of its compliance with European data protection principles: namely, Convention 108 and art. 8 ECHR[567]. Given the fundamental differences between the American and European data protection framework, however, it is highly doubtful that any PNR Agreement between the two Unions would have ever met the data protection threshold set by European scholars. The Agreement was in fact criticized from various viewpoints. First of all, doubts were raised concerning the law-making process, and the juridical nature of the agreement and the obligations therein.

[560] Council Decision 2006/729/CFSP/JHA of 16 October 2006 on the signing, on behalf of the European Union, of an Agreement between the European Union and the United States of America on the processing and transfer of PNR data by air carriers to the United States DHS, O.J. L298/27, 27.10.2006.
[561] PAPAKONSTANTINOU and DE HERT, The PNR Agreement, p. 906.
[562] Interim Agreement, Preamble.
[563] Interim Agreement, para. 1.
[564] Council doc. no. 13738/06 of 11 October 2006, Letter to the Council Presidency and the Commission from the DHS of the USA, concerning the interpretation of certain provisions of the Undertakings issued by DHS on 11 May 2004 in connection with the transfer by air carriers of PNR data.
[565] NINO, The Protection of personal data in the fight against terrorism. New perspectives of PNR European Union instruments in the light of the Treaty of Lisbon, Utrecht Law Review, Vol. 6, Issue 1, January 2010, p. 75. The differences involved the number of American agencies (all those who undertook counter-terrorism functions in some way) who could have access to PNR data; the possibility of requesting more data than those falling under the 34 categories of the Undertakings; longer storage periods; lack of judicial or administrative control. See PAPAKONSTANTINOU and DE HERT, The PNR Agreement, p. 906.
Moreover, its substantive content was deemed unsatisfactory if compared to European data protection standards. Lastly, assuming that the Agreement was in violation of said standards, issues were raised concerning the nature of the responsibility ensuing from the infringement of fundamental rights the Agreement implied.

The law-making process behind the Agreement was, arguably, quite original. The body of the Agreement in fact consisted of an exchange of letters, unlike the two previous agreements where only one side (the USA) had provided a letter, by which the EU informed the DHS that the “assurances” (it is noteworthy that the word “obligation” is not used) explained in the DHS's letter allowed the EU to deem that the DHS ensured an adequate level of protection. However, “the choice to conclude international agreements whose substantial clauses are set in accompanying letters [...] threatened to further diminish the level of protection afforded by the previous PNR agreements”[568]. Moreover, not only is the Agreement's wording vague on this matter, as it does not specify which DHS letter it is referring to when recalling “DHS's letter”[569], but it does not even recall the EU adequacy letter when considering that “for the application of this Agreement, DHS is deemed to ensure an adequate level of protection for PNR data transferred from the EU”[570]. According to Papakonstantinou and De Hert, the consequence of these inaccuracies was the de facto establishment of a simplified amendment process[571]. Moreover, pursuant to art. 3 of the 2007 Agreement, “DHS shall process PNR data […] in accordance with applicable U.S. law, constitutional requirements, and without any unlawful discrimination”: the DHS letter is not mentioned as a source of obligations for the USA. A systematic interpretation of the preceding articles of the Agreement, and the circumstance that the US letter to the EU was “intended to explain how the DHS handles the collection, use and storage of PNR” and “provide[d] the assurance and reflecte[d] the policies which DHS applies to PNR data” may lead to the conclusion that the Agreement did not, in fact, create binding obligations for the United States[572].

With regard to the issue of the compliance of the Agreement with data protection principles, a comparison between the provisions of the 2007 Agreement and those of the two previous agreements shows that, despite a slight improvement in certain matters, the Agreement was overall not satisfactory for European data protection standards[573]. The only three improvements, from that point of view, were the following. First, the data categories to be retained decreased from thirty-four to seventeen; this reduction was, however, of mere formal value as the new categories, despite being fewer in number, actually had a broader scope[574]. Second, DHS undertook to transition to a “push” method of data transfer, instead of the invasive “pull” method; provided, that is, that the air carriers had autonomously implemented such a “push” system, while the lack thereof meant that the old pull system would still apply[575]. Third, concerning access and redress, certain Privacy Act protections were extended to non-citizens and non-residents, thus increasing (in fact, creating) a plethora of measures for the safeguard of the individual's rights[576]. However, the circumstances that the extension was the result of a policy decision by DHS, that it involved only administrative protections, and that pursuant to paragraph 9 of the Agreement “[the] agreement does not create or confer any right or benefit on any other person or entity, private or public” all lead to the suspicion that the effectiveness of said rights (principally access and rectification) was highly doubtful[577].

The other provisions of the 2007 Agreement did not depart from the 2004 version of the Undertakings; when they did, it was mostly in a pejorative fashion. The scope of the 2007 Agreement was wider than that of the previous ones, replicating them with nearly the same wording but with the addition that “PNR may be used where necessary for the protection of the vital interests of the data subjects or other persons, or in any criminal judicial proceedings, or as otherwise required by the law”[578]. Moreover, the basic retention period was doubled from 3.5 to 7 years[579], and the safeguards in place in the event of a data transfer from the CBP to other agencies were reduced (“at [the CBP'S] discretion”) while the number of said agencies, by contrast, grew (including all “other domestic government authorities with law enforcement, public security, or counter-terrorism functions”)[580]. From the preceding considerations, it is immediately apparent that the PNR Agreement of 2007, although unbound from Directive 95/46/EC, did not meet the standards set forth either by Convention 108 or by article 8 of the ECHR and its related case-law.

Yet another EU-US agreement was concluded between 2011 and 2012 (Third PNR Agreement), and replaced the 2007 Agreement. The time frame between the two agreements, as already noted, was of great significance for the European data protection framework: the DPFD was adopted in 2008, providing for a comprehensive third pillar data protection framework; and, most importantly, the Lisbon Treaty entered into force on 1 December 2009, with art.16 TFEU and art. 6 TEU acquiring paramount importance in the field of data protection. Also, the Lisbon Treaty assigned the European Parliament an active role in the conclusion of international agreements pursuant to art.218 TFEU.

[566] Council Decision 2007/551/CFSP/JHA of 23 July 2007 on the signing, on behalf of the EU, of an Agreement between the EU and the USA on the processing and transfer of PNR data by air carriers to the United States DHS, O.J. L 204/16, 4.8.2007.
[567] Neither had Framework Decision 2008/977/JHA been passed yet, nor was the ECFR – and thus its artt. 7 and 8 – binding
[568] PAPAKONSTANTINOU and DE HERT, The PNR Agreement, p. 909.
[569] See 2007 PNR Agreement, art. 1: “On the basis of the assurances in DHS's letter explaining its safeguarding of PNR [...]”
[570] 2007 PNR Agreement, art. 6.
[571] PAPAKONSTANTINOU and DE HERT, The PNR Agreement, p. 910.
[572] TERRASI, Trasmissione dei dati personali, pp. 400-403.
[573] See NINO, Terrorismo internazionale, pp. 200-205.
[574] US letter to EU, art III. Category number 17, in particular, required collection of “general remarks including OSI, SSI and SSR information”, i.e. Other Service-related Information, Special Services Information and Special Service Requests, from which sensitive data could be inferred (for example, a meal preference might reveal one's religion). PAGALLO, La tutela della privacy negli Stati Uniti d'America e in Europa. Modelli giuridici a confronto, Giuffrè, Milano, 2008, p. 191 at note 55.
[575] US letter to EU, art VII.
[576] US letter to EU, art IV.
[577] TERRASI, Trasmissione dei dati personali, p. 384. PAPAKONSTANTINOU and DE HERT also point out that “until the Second PNR Agreement was concluded, the American side maintained that rights to access and amendment already existed, through other administrative routes. It therefore seems that Europeans are triumphant over the simplification of already existing procedures, rather than the granting of new rights”. The PNR Agreement, p. 913.
[578] US letter to EU, art I.
[579] After which the data may be stored in “dormant status” for an additional 8 years, thus making a total retention period of 15 years. US letter to EU, art VII.
[580] US letter to EU, art. II.
Against this background, in 2010 the Commission issued a “Communication on the global approach to transfers of PNR data to third countries” 581 where it stressed the importance of the exchange of PNR data, defined as “a necessary tool in the fight against terrorism and serious crime” as well as “unique in their nature and their use”. Three possible uses of PNR data are envisioned in the Commission's communication: a re-active use, in response to a crime that has already been committed, and for which identified suspects already exist; a real time use, to prevent already planned or ongoing crimes where the perpetrator is unknown; a pro-active use, which consists in creating travel and behavioral patterns of people who have not yet committed or even planned crimes, but may do so in the future 582. The Commission then laid down a long list of data protection principles which ideally represent the pillars of a new “EU global approach on PNR” and should thus be used as minimum standards when negotiation with third countries. In spite of the criticism it has mustered from legal scholars worldwide, the use of PNR data as a counter-terrorism tool is in fact an increasing trend in law enforcement583. Against this backdrop, the EU concluded the Third PNR Agreement with the USA. At a first glance, it appears that the issues relating to the nature of the Agreement have been positively addressed. The Agreement is in fact much more formally structured, as the 2007 “letter-exchange” formula was replaced by a single, well-organized text with chapter divisions and proper article headings. Moreover, expressions such as “explanations” and “assurances” have been replaced by 581 582 583 COM(2010)492 final. COM(2010)492 final, p. 4. WILSON states that as of 2016 “there are currently more than sixty States with [PNR] data exchange provisions in effect”, such as Argentina, Brazil, Indonesia, Malaysia, Mexico, Russia. WILSON, Gone with the wind?, p. 255. 
113 wording implying an actual legal bind on the USA, such as “responsibility” 584. Minor changes in the Preamble also carry some significance as to the context of the new Agreement: the use of PNR data was upgraded from an “important” to a “necessary” tool in the fight against terrorism and “serious” transnational crime (this adjective did not appear in the 2007 version of the Preamble); a recital summarizing the entire spectrum of European data protection law was also inserted. Among the improvements in the content of the new PNR Agreement, the following can be listed. To begin with, the Agreement provides a clear definition of “PNR data” 585 and an explanation of what constitutes a “terrorist offence” and “related crimes”586. For that purpose, however, the parties preferred not to refer to standing EU or US legislation but rather attempted an autonomous definition of terrorism and related activities. Although this approach has been criticized for its resulting in an excessively broad definition 587, a comparison with Framework Decision 2002/475/JHA reveals that it is actually in line with the definition of terrorism therein 588 (and arguably less broad). The complexity of accurately defining the terrorist phenomenon – an issue certainly preceding the PNR Agreements – is such that the hope that an international agreement on PNR processing would have settled the matter is probably illplaced. Rather, it is worth pointing out that pursuant to art.4(1)(a) of the PNR Agreement, activities warranting the use of PNR will only be those which already fall under the notion of “terrorism” provided elsewhere589, or at least satisfy a double objective and subjective criterion590. Art. 4(1)(b) is perhaps more objectionable as it defines “serious transnational crimes” by referring to a custodial sentencing time threshold (three years): the obvious objection here is that the same conduct might be punished differently in the American and European legal systems591. 
584 See, e.g., art. 1(2) 2012 PNR Agreement.
585 Art. 2(1).
586 Art. 4.
587 NINO, Terrorismo internazionale, p. 236.
588 Art. 1, FDCT.
589 That is the case for point (ii), which recalls international covenants and protocols; points (iv), (v), (vii), that are inchoate offenses already criminalized by art. 4 FDCT; and points (iii) and (vi), which are actually more stringent compared to their equivalent in the FDCT (art. 3), as they all require verification of a subjective element as well, omitted by the FDCT when criminalizing the “direction” of a terrorist group.
590 Point (i).
591 NINO, Terrorismo internazionale, p. 236; HORNUNG and BOEHM, Comparative study on the 2011 draft Agreement between the USA and the EU on the use and transfer of PNR to the USA DHS,

A solution would have been the adoption of a list of specific offenses592, or at least the provision that the three-year minimum sentence requirement must be met in both criminal systems.

Another (and probably the most significant) improvement concerns the rights granted to European data subjects: full rights of access, correction, rectification, erasure, blocking, and redress 593, coupled with independent review and oversight by “Department Privacy Officers”: a sensible improvement compared to the prior “administrative protections”. Transfer of data from the DHS to other domestic agencies or third countries594 is also more strictly regulated, no longer “discretionary” but subject to “careful assessment” of a list of safeguards. Other relevant provisions were not, however, modified: most notably, the persistent nineteen categories of PNR data, whose wording remained identical, and the coexistence of push and pull systems for data transfer from air carriers to DHS595.
One final difference to be underscored between the prior agreements and the 2011 version concerns the different allocation of the data retention period: while DHS is still authorized to keep data for a total of 15 years, PNR data can be stored in the active database for 5 years (down from 7) and in the dormant database for 10 years (up from 8).

4.1.4 An EU PNR framework. Recent developments.

Until recently, the EU did not have a harmonized approach to PNR data 596, meaning a system by which air carriers traveling to and from the EU are compelled to transfer PNR data to competent European authorities for counter-terrorism purposes. The EU had instead adopted an API Directive as early as 2004, shortly after the Madrid attacks 597. The purpose and scope of the API Directive, however, were extremely narrow. On one hand, there was no mention of terrorism as the self-declared objective of the Directive was to combat illegal immigration598; on the other, the amount of data to be transferred was indeed very limited and could hardly serve for intelligence purposes 599.

591 (continued) Passau/Luxembourg, 14 March 2012, p. 9.
592 See, for example, annex II of Directive 2016/681.
593 Arts. 11-14.
594 Arts. 16-17.
595 Although the pull system is not mentioned expressis verbis, air carriers who have not yet implemented a push method of data transfer are required to “otherwise provide access”. Art. 15(5).
596 WILSON, Gone with the wind?, p. 247.
597 Council Directive 2004/82/EC of 29 April 2004 on the obligations of carriers to communicate passenger data. OJ L 261/24, 6.8.2004.
598 Art. 1.

For these reasons, and in light of the PNR Agreements that had meanwhile been concluded with the USA and Canada, by 2007 the API Directive was already considered unfit as a counter-terrorism measure and the Commission thus tabled a proposal for a PNR Framework Directive 600.
Because of its content, very similar and on some occasions identical to the Second US-EU PNR Agreement, the proposal attracted widespread criticism601. The inability to agree upon a final version of the act among Member States and between institutional players 602 caused the proposal to become obsolete after the entry into force of the Lisbon Treaty. The Commission thus advanced a new proposal for a Directive in 2011 603. After spending more than five years in the Council and in the Parliament, the Directive was finally passed in April 2016, on the legal bases of Art. 82(1) and Art. 87(2)(a) TFEU.

In its final version, the Directive only applies to extra-EU flights (i.e. flights between the EU and a third country), while its application to intra-EU flights as well will be left to the Member States' discretion. Consistently with the PNR Agreements with the US, the data collected may be processed only “for the purposes of preventing, detecting, investigating and prosecuting terrorist offences and serious crime”604. While “terrorist offences” are defined by reference to the FDCT605, “serious crime” is defined as “the offences listed in Annex II that are punishable by a custodial sentence or a detention order for a maximum period of at least three years under the national law of a Member State” 606. Relying on the detention period of each national criminal system, however, somewhat frustrates the harmonizing intent of the Directive as the maximum period might not be of at least three years for all of the crimes listed in Annex II in each Member State.

The core of the new European PNR system lies in article 4, which holds that Member States shall establish a “Passenger Information Unit” (PIU) among its authorities who are competent for the prevention,

599 Art. 2.
600 Proposal for a Council Framework Decision on the use of PNR for law enforcement purposes, COM(2007)654 final, 6.11.2007.
601 MURPHY, EU Counter-terrorism law, p.
167; MITSILEGAS, EU Criminal law, p. 271; DE HERT and PAPAKONSTANTINOU, The EU PNR framework decision proposal: towards completion of the PNR processing scene in Europe, Computer law and security review, Vol. 26, 2010, p. 374; NINO, Terrorismo Internazionale, pp. 220-221.
602 See e.g. Council doc. 5618/2/09, 29.6.2009.
603 COM(2011)32 final, 2.2.2011.
604 Art. 1(2).
605 Framework Decision 2002/475/JHA.
606 Art. 3(8) and (9).

detection, investigation or prosecution of terrorist offences and of serious crime 607. “PIUs” and “competent authorities” are thus the two key players in the new PNR Directive; the lack of a more specific definition of “PIU” and the broad discretion granted to Member States in identifying such competent authorities608 does however invite questions of a practical nature. PIUs shall be in charge of collecting the data from the air carriers, storing them in their databases, and then transferring them over to other “competent national authorities”, or also exchanging them with PIUs from other Member States and Europol. PIUs are thus meant to create an intra-European decentralized system of data collection; two or more Member States may however choose to share a PIU.

Annex I to the Directive carries the list of data which carriers are obliged to retain, and transfer over to PIUs (by using the less invasive “push” method 609): its wording is nearly identical to that attached to the latest US-EU PNR Agreements (and thus the nineteen-category version), although the order is not exactly the same. It thus maintains categories which had already been subject to criticism for their breadth, such as the “general remarks” category.
607 PIUs may also be a branch of such an authority. Art. 4.
608 Pursuant to art. 7 “each Member State shall adopt a list of competent authorities entitled to request or receive PNR data”.
609 Art. 8.

Such data shall be processed by the PIUs only for the purposes listed in art. 6 of the Directive: carrying out assessments of passengers in order to identify persons who require further examination by the competent authorities, in view of the fact that such persons may be involved in a terrorist offence or serious crime; responding to requests from competent authorities to provide access to PNR data for the reasons listed in article 1. “Carrying out assessments of passengers” is a particularly vague expression which the Directive further explains by providing that, while doing so, PIUs may “compare PNR data against databases” and “process PNR data against pre-determined criteria”.

Article 9 explains how the exchange of information thus retained may take place between Member States. Again, the role of the PIUs is paramount. PIUs must in fact transfer data resulting from the aforementioned assessment to the corresponding PIUs of other Member States, who shall in turn transmit them to the “competent authorities”. Except in cases of emergency, PIUs shall also act as mediators where a competent authority of one Member State is seeking data stored in another Member State's PIU and may also issue requests directly to PIUs of other Member States.

Although the PNR Directive often refers to Framework Decision 2008/977/JHA, such references must be interpreted as being made to its “sibling” act, Directive 2016/680 on data protection in law enforcement 610 which, despite being adopted on the same day, is not mentioned in the PNR Directive.
An example can be seen in article 11(1)(a), concerning transfer of PNR data to third countries: among the conditions to be satisfied stands compliance with “the conditions laid down in Article 13 of Framework Decision 2008/977/JHA”, currently article 39 of Directive 2016/680. Three other conditions must however be met for Member States to lawfully transfer PNR data over to third countries611: said transfer must essentially have counter-terrorism (or at least serious crime) purposes; the request must be duly reasoned; and a hypothetical transfer to a “fourth” country must be based on the same purposes, and take place with the express authorization of the Member State in question.

Lastly, PIUs may store the data for a maximum period of 5 years, after which the data are to be deleted permanently: a significant reduction compared to the 2007 proposal by the Commission (15 years) and the subsequent position of the Council (10 years). A similar time frame had even been deemed “not objectionable” in the context of the EU agreements with Canada and Australia 612.

The EU PNR Directive thus deserves an overall positive judgment, in light of its effort to acknowledge, and even comply with, European data protection principles 613; one must also keep in mind that, among the purposes of the Directive, there is also that of detecting and preventing crime, two activities which by definition imply a certain intrusion into the personal sphere of the individual as they essentially invert the logic behind an investigation by attempting to link an identified individual to an unidentified crime rather than an identified crime to an unidentified individual. Granted that the underlying assumption warranting this inversion (the existence of unidentified terrorism-related crime) may not be questionable anymore, achieving that objective while at the same time safeguarding the individual's right to data protection to the highest extent is, arguably, an impossible task.
610 See also recital 27.
611 Art. 11(1).
612 MURPHY, EU Counter-terrorism, p. 159.
613 DI FRANCESCO MAESA, Balance between security and fundamental rights protection, para. 4.

The EU's PNR approach, in seeking “to enhance security in the EU, while limiting the impact on the protection of personal data to the minimum and keeping costs at an acceptable level”614 can thus be considered an acceptable policy option, also in light of the worldwide increasing demand for PNR data615.

4.2 Financial messaging data

Yet another set of personal data which carries potential as a useful counter-terrorism tool, from a preemptive as well as from a reactive viewpoint, is information relating to bank accounts and financial operations. The underlying assumption is that not all of terrorists' financing activities take place in a covert or untraceable manner. The tracking of terrorist financing may thus lead to the uncovering of previously unknown relations between suspected terrorists and other individuals.

The development of a system of financial messaging surveillance followed the same pattern observed with PNR data: following 9/11, the United States initiated a government program, called Terrorist Finance Tracking Program (hereinafter “TFTP”), by which a private company with ties to both Europe and America (in this instance, SWIFT) was compelled to transfer to the US Department of Treasury data concerning financial operations. The hammer-and-anvil predicament (the violation of either the Data Protection Directive, or US-issued administrative subpoenas) thus repeated itself, and again the private actor in question chose to comply with US regulations. Differently from the PNR case, however, this system of data transfer was kept confidential until 2006, only to be revealed by the press 616.
Negotiations between the US and the EU thus followed, resulting in an international agreement (US-EU TFTP Agreement) which, to some commentators, did little more than “légalise[r] une situation de fait”617. Against this backdrop, shortly after the signing of said Agreement discussions for the establishment of an autonomous EU system of financial data retention began taking place: the original idea of a system parallel to that set up by the USA was eventually replaced by the current project of a complementary instrument monitoring data excluded from the US TFTP.

614 COM (2011) 32 final, p. 11.
615 WILSON, Gone with the wind?, pp. 259-264.
616 LICHTBLAU and RISEN, Bank data is sifted by U.S. in secret to block terror, New York Times, 23 June 2006.
617 PAYE, Les transactions financières internationales sous contrôle américain, Diritti Umani e Diritto Internazionale, Vol. 3, 2008, p. 587.

4.2.1 Origins of the TFTP. The SWIFT program.

SWIFT (Society for Worldwide Interbank Financial Telecommunication) is a Belgian provider of financial messaging services that was created in 1973 by a consortium of financial institutions in order to facilitate cross-border payments. SWIFT is neither a bank, nor does it directly handle money in any other way: its services mainly consist in the secure transmission of financial messages between financial institutions through a platform known as SWIFTNet. Because of the high number of institutions that rely on SWIFTNet (more than 11,000, in over 200 countries618), the amount of data handled daily by SWIFT is, likewise, enormous: approximately 6.1 billion messages were transferred in 2015 619. While its headquarters are in La Hulpe, Belgium, at the time of the 9/11 attacks the data processed by SWIFT were kept in its database in Zoeterwoude, in the Netherlands.
The data thus stored, which were meant to remain in SWIFT's archives for 124 days, included information such as name, Bank Identifier Code (BIC) and location of both sending and receiving institutions, as well as date and time of the message; and also more specific information, provided by the sending institution, concerning the amount to be transferred, currency and value, and the identity of the parties to the transaction 620. The processing activity carried out by SWIFT for its commercial purposes easily fell under the scope of Directive 1995/46/EC621. The company, however, also had a mirror database in Virginia, USA, to which all the data stored in the European database were transferred for security purposes, and thus essentially doubled. This second database, being under the control of SWIFT's American division (SWIFT Inc.), was therefore entirely subject to American law as well.

On 23 September 2001, following the 9/11 attacks, President Bush issued Executive Order 13224622 mandating the Department of Treasury to prevent the financing of terrorist activities. On these grounds, starting from October 2001, the Department of

618 https://www.swift.com/about-us/discover-swift/messaging-standards#Financialmessagingservices
619 WESSELING, An EU Terrorist Finance Tracking System, Royal United Services Institute for Defence and Security Studies, Occasional Paper, September 2016, p. 4.
620 SANTOLLI, The Terrorist Finance Tracking Program: Illuminating the shortcomings of the European Union's antiquated data privacy directive, 40 George Washington International Law Review 2008, p. 560. The former set of information is referred to as the “envelope” of the message (or metadata), while the latter as the “letter” – the difference lying in the encrypted nature of the “letter” part of the message.
621 In this sense, NINO, Terrorismo Internazionale, p. 258; TERRASI, SWIFT Program e tutela della riservatezza: ancora sul trasferimento di dati dall'Unione Europea agli Stati Uniti, Diritti Umani e Diritto Internazionale, Vol. 3, 2008, pp. 605-608.
622 The legal basis for the adoption of Executive Order 13224 was the International Emergency Economic Powers Act (IEEPA) of 1977.

Treasury established the Terrorist Finance Tracking Program (TFTP) and began issuing administrative subpoenas623 compelling SWIFT Inc. to hand over large amounts of the information stored in the Virginia database to the Office of Foreign Assets Control (OFAC), a subdivision of the Department of Treasury in charge of administering and enforcing economic and trade sanctions against individuals or organizations perceived as a threat to the national security, economy, or foreign policy624. Although the information sought was not of a sensitive nature 625 and the scope of the SWIFT program was not unlimited626, the transfers requested by OFAC, by enabling a system of generalized surveillance on unaware individuals, nonetheless constituted an obvious violation of the strict privacy requirements set by the Data Privacy Directive. The same scenario which had occurred following the enactment of the ATSA therefore arose: a private actor (SWIFT) was forced to choose whether to comply with European legislation, and face American sanctions, or comply with American legislation, and face European sanctions. As did air carriers in the PNR case, SWIFT chose the latter option.

4.2.1.1. SWIFT and PNR cases compared.

Despite presenting common features, the SWIFT and the PNR cases share less than can be expected at first glance. Both cases, in fact, involve a private actor being compelled to transfer to a foreign authority, for law enforcement purposes, a certain amount of data collected instead for commercial purposes. There are, however, fundamental differences between the two situations.
623 An administrative subpoena differs from a court-issued warrant in that “it does not require prior judicial authorization and only needs to meet a reasonableness standard instead of the typical probable-cause standard required for criminal subpoenas”, SANTOLLI, The Terrorist Finance Tracking Program, p. 562. The legality of administrative subpoenas is debated among American constitutionalists. See SHERWOOD, The enforcement of administrative subpoenas, Columbia Law Review, Vol. 44 No. 4, July 1944, pp. 531-547.
624 https://www.treasury.gov/about/organizational-structure/offices/Pages/Office-of-Foreign-AssetsControl.aspx
625 NINO, Terrorismo Internazionale, p. 252.
626 CONNORTON, Tracking Terrorist Financing through SWIFT: When U.S. subpoenas and foreign privacy law collide, Fordham Law Review, Vol. 76, 2007, p. 289. In Executive Order 13224, terrorism is defined as “an activity that (i) involves a violent act or an act dangerous to human life, property, or infrastructure; and (ii) appears to be intended (a) to intimidate or coerce a civilian population; (b) to influence the policy of a government by intimidation or coercion; or (c) to affect the conduct of a government by mass destruction, assassination, kidnapping, or hostage-taking.”

To begin with, the nature of the data involved varies. As shown above, PNR data carries the potential of revealing sensitive data. Financial data, on the other hand, is not as sensitive, since there is no chance of obtaining information concerning one's racial or ethnic origin, political opinion, religious belief, trade-union membership and health or sex life by analyzing one's financial transactions. Secondly, while the transfer of PNR data was governed from the very beginning by a legal framework (the US-EU PNR Agreements), the transfer of SWIFT's financial data took place unbeknownst to the public (and to the EU as well).
Thirdly, while under the original PNR framework the DHS could “pull” data directly from air carriers' servers, under the TFTP the data requested through the subpoenas were sent by SWIFT to a “black box” set up by the Department of Treasury, which was then searched by the Department by means of a software program capable of identifying suspicious transactions or participants in financial transactions who were suspected of being terrorists627. Lastly, the PNR framework entailed direct data transfers from air carriers to the DHS; under the TFTP, however, the data was first transferred to SWIFT Inc., by means of the mirroring process, and then from SWIFT Inc. to OFAC under administrative subpoenas. In the former case, the nexus between the European private companies and the American Agency was direct, while in the latter it was indirect and passed through an American legal entity. This element is essential for a correct assessment of the legality of the data transfers from SWIFT to OFAC.

Some preliminary considerations are, however, necessary. As anticipated above, the operations carried out by SWIFT are governed by the Data Privacy Directive because of their inherently commercial nature. The fact that those data were subsequently processed for counter-terrorism purposes is irrelevant to that matter and does not undermine the applicability of Directive 1995/46/EC. Moreover, SWIFT is to be considered a controller pursuant to art. 2(d) of the Directive, and not a processor pursuant to art. 2(e) 628. This means that the nature of SWIFT's liability is to be evaluated against the obligations in place for, precisely, controllers of personal data, which are notably higher than those established for processors. Third, the transfer of data from SWIFT's base in Europe to OFAC was structured as a two-step process: the data was first mirrored from SWIFT to SWIFT Inc., which was thereafter subject to administrative subpoenas issued by OFAC.
627 SANTOLLI, The Terrorist Finance Tracking Program, p. 564.
628 NINO, Terrorismo Internazionale, pp. 258-261.

The data were thus transferred twice: between a private European and American company, first, and from an American company to an American Federal Agency, afterwards. Under these assumptions, legal commentators disagree as to which transfer needs to be considered for the purpose of an assessment of the compatibility of the data transfer with European data protection principles. One side 629 argues that both transfers (from SWIFT to SWIFT Inc., and from SWIFT Inc. to OFAC) must be taken into consideration; another630, instead, argues that only the first transfer (from SWIFT to SWIFT Inc.) can be assessed in light of the Data Protection Directive, as the second transfer takes place entirely on American soil. The latter interpretation is perhaps more convincing, as it is unclear why the relation between an American company, such as SWIFT Inc., and an American Federal Agency should be assessed pursuant to a European Directive631. The PNR jurisprudence is therefore inapplicable to the present case, because of the differences between the two circumstances and because the transfer to be assessed involves two private companies (SWIFT, and SWIFT Inc.) and not public institutions.

The relevant provisions of Directive 1995/46/EC violated by SWIFT therefore included article 6, which prohibited “further processing” of personal data; articles 10 and 11, concerning the information to be given to data subjects in the event of data processing (while the entire TFTP took place essentially in secret); and, especially, article 25 concerning the transfer of data to third countries, given that neither did the USA ensure an “adequate level of protection”, nor did SWIFT Inc., at the time, adhere to the Safe Harbor principles.

4.2.2 Reactions to the SWIFT exposure.
The existence of the SWIFT program was disclosed to the larger public (therein including the European Union) following articles in major American newspapers 632 on 23 June 2006.

629 NINO, Terrorismo Internazionale, p. 262.
630 TERRASI, SWIFT Program, pp. 609-610.
631 The legality of the SWIFT program under U.S. law is a separate issue; according to CONNORTON, “the best evidence of the SWIFT program's legality [under U.S. law] is SWIFT's decision not to challenge the program's subpoenas in a U.S. Court”, Tracking Terrorist Financing through SWIFT, p. 291.
632 New York Times, Washington Post, The Wall Street Journal, Los Angeles Times.

For contextualization purposes, it is worth recalling that less than two months prior to the SWIFT revelations the CJEU (upon actions lodged by the Parliament) had annulled the first PNR agreement between the US and the EU by holding that the measure in question fell outside the purview of the Data Retention Directive and was instead supposed to be considered a third-pillar measure. Data protection was thus, at the time of the disclosure, a source of friction between the US and the EU. Moreover, the fact that over two years had already passed since the Madrid bombings had inevitably led to a re-balancing of the “security-privacy” scale in favor of the former. The political climate thus explains the strong stances taken by European Institutions against the TFTP.

After carrying out an inquiry into the legality of the data processing by SWIFT, the Belgian Data Protection Authority held that SWIFT had made a “hidden, systematic, massive and long-term violation of the fundamental European principles as regards data protection” 633. The Article 29 Working Party issued an opinion 634 essentially reaching the same conclusions and thus condemning the TFTP, while at the same time inviting SWIFT to cease the infringements and return to lawful data processing.
The EDPS also adopted an opinion, analyzing in particular whether the European Central Bank shared some degree of responsibility635. The Bush administration, on the other hand, defended the program by stressing the important role it played in the war on terror and also recalled how the TFTP had led to the successful capture of two wanted terrorists 636.

In the midst of such heated political debate, two courses of action were taken (by, respectively, the US Government and by SWIFT) in order to attempt to drag the TFTP under a legal framework compliant with European data protection standards. First of all, the Department of Treasury sent a letter to the Commission and to the Council containing its “representations” concerning the TFTP637 and containing reassurances that the data obtained from Europe had been processed in a lawful manner and, in particular, that “the program contains multiple, overlapping layers of governmental and independent controls to ensure that the data, which are limited in nature, are searched only for counter-terrorism purposes and that all data are maintained in a secure environment and are properly handled”. One of the core undertakings of the “representations” consisted in the possibility, offered to the Commission, of nominating an “eminent European person” to verify that the TFTP would be implemented consistently with the representations.

633 Belgian Privacy Protection Commission, Decision of 27 September 2006.
634 Opinion 10/2006 on the processing of personal data by SWIFT, 22 November 2006.
635 EDPS Opinion on the role of the ECB in the SWIFT case, 1 February 2007.
636 Hambali, the mastermind behind the 2002 Bali bombings, and Brooklyn resident Uzair Pachara. CONNORTON, Tracking Terrorist Financing, p. 290.
637 Letter from United States Department of the Treasury regarding SWIFT/Terrorist Finance Tracking Program of June 28 2007. O.J. C 166/17-25, 20.7.2007.
Counter-terrorism judge Jean-Louis Bruguière was nominated for the position. A reply by the EU also followed, welcoming the representations by the Department of Treasury, although stressing their unilateral nature 638. This remark, however, combined with the fact that material changes to the provision of the letter were to be communicated to the EU, rather than negotiated with it, leads to the conclusion that this exchange of letters – unlike that concerning PNR data – did not constitute a binding international agreement nor, in fact, was binding in any other way on the United States639.

Secondly, SWIFT purported to adhere to the Safe Harbor principles. While the letter containing the Department of Treasury's representations served the purpose of regulating the transfer of data from SWIFT Inc. to OFAC, SWIFT's adhesion to the Safe Harbor principles was instead meant to render the transfer of data from SWIFT to SWIFT Inc. compliant with European Data Protection principles 640, and in no way affects the processing of data by a U.S. Federal Agency (as is OFAC) which depended solely on the “representations” issued by the Department of Treasury. Although the representations fell short of a full protection of personal data as guaranteed by the Data Protection Directive, the non-sensitive nature of the data involved and the limitation of the program's scope to ongoing terrorist investigations are sufficient to conclude that, even by European standards, the SWIFT program “did not constitute a particularly relevant threat to the privacy of the data subjects in question” 641.

Reactions to the TFTP following its disclosure were thus extremely diverse.
638 Reply from European Union to United States Treasury Department – SWIFT/Terrorist Finance Tracking Program. O.J. C 122/26, 20.7.2007.
639 TERRASI, SWIFT Program, p. 614.
640 TERRASI, SWIFT Program, p. 612.
641 TERRASI, SWIFT Program, p. 620.

Once again, the stark difference between the American and the European approach to the relation between privacy and counterterrorism measures emerged: while the former remained consistently skeptical of the European inclusion of privacy and data protection among the “fundamental rights” category, the latter again stigmatized the American lack of appropriate safeguards in the matter. In the TFTP case, however, the EU institutions' satisfaction following the letter-exchange, which did little more than, in fact, explain how the data had been handled all along, points to the fact that the TFTP had raised more political than legal concern on the EU's side. Judge Bruguière, the eminent European person appointed to evaluate the TFTP, stated in his reports that the TFTP could be considered “a vital counter-terrorism tool” and that “the safeguards and mechanisms surrounding the TFTP and addressing data privacy issues [were] of an exceptionally high standard” 642, and also provided historical examples where data obtained through the TFTP had been of use in the investigations following a terrorist attack643.

After the 2006 disclosure, SWIFT underwent a significant operational change consisting in a rearrangement of its databases: starting from 1 January 2010, European financial data would no longer be conserved in the USA, but only in two European operational centers. While this change was welcomed by the EDPS, it however entailed that a formal agreement between the EU and the US was necessary to ensure the continuity of the TFTP, as SWIFT was no longer under US jurisdiction and could thus not be subject to administrative subpoenas by the Department of Treasury.

4.2.3 US-EU TFTP Agreements.
Two separate agreements were concluded between the EU and the US concerning SWIFT data. The first (TFTP I) was concluded on 30 November 2009, merely one day before the entry into force of the Lisbon Treaty. It was, however, abandoned following its rejection by the European Parliament in February 2010. New negotiations thereafter led to the conclusion of a second agreement (TFTP II), still in force today.

642 BRUGUIÈRE, Second Report on the processing of EU-originating personal data by the United States Treasury Department for counter-terrorism purposes, January 2010.
643 In chronological order: the 2002 Bali Bombings; the 2004 Madrid bombings; the 2005 London bombings; the 2006 Transatlantic liquid bomb plot; the 2007 JFK airport plot and German IJU arrests; the 2008 Barcelona arrests and Mumbai attack.

4.2.3.1. TFTP I.

As previously mentioned, the impetus for the adoption of an international agreement concerning financial messaging data came from the US, as the changes in SWIFT's operational architecture had had the effect of completely eliminating US jurisdiction over it after 1 January 2010. Although the Lisbon Treaty was merely months away from entering into force, negotiations followed the Nice framework and thus took place without participation from the Parliament, which nonetheless manifested its position in a Resolution adopted on 17 September 2009 and containing a list of minimum data protection standards which, in the Parliament's view, should have been included in the Agreement 644. The Council did not heed the Parliament's requests and decided to conclude the Agreement before the entry into force of the Lisbon Treaty: it did so with just one day to spare, and abstentions from Greece, Germany, Austria and Hungary and opt-outs from Ireland and Denmark. Mindful of the 2006 PNR judgment, the Agreement was adopted on the same legal basis as the Second and Third PNR Agreement (articles 24 and 38 TEU).
According to some scholars, TFTP I had in common with the first PNR Agreements an essential lack of reciprocity645. However, it should be pointed out that while the first PNR Agreements did not provide the EU with any gain whatsoever, article 1 of TFTP I stated the purpose of the agreement was the making available of a) financial payment messaging and related data to the U.S. Treasury Department, as well as b) relevant information obtained through the TFTP to counter-terrorism authorities of Member States, Europol and Eurojust. The disparity lay in the different requirements the EU and the US were called to meet: while the EU could request a search for relevant information where “there [was] reason to believe that a person or entity has a nexus to terrorism as defined in articles 1 to 4 of Council Framework Decision 2002/475/JHA”, a different – and somewhat less stringent – definition of terrorism was drafted as the grounds for a request from the US 646. In other words, the US could more easily request data from the EU than the EU could request “relevant information” (and not data) from the US. Furthermore, while the TFTP I purported to set up a complex system for requesting the financial data in a manner as specific as possible647, a margin for bulk transmission was nonetheless left in place if the Designated Provider were not able to identify and produce the specific data.

These and other data-protection concerns648 led the Parliament, on 11 February 2010, to reject TFTP I despite its provisional nature. Although the Agreement had been adopted pursuant to the pre-Lisbon framework, the Parliament's approval pursuant to the new Art. 218(6) TFEU was nonetheless required for its definitive (yet temporary) entry into force. According to Monar649, the rejection of the TFTP I can be considered one of the first manifestations of the new balance between EU institutions following the adoption of the Lisbon Treaty, and shows the heightened role the Parliament thus acquired in EU external relations. Concerning the use of personal data in counter-terrorism cooperation, in particular, a stronger and more self-confident Parliament meant that enhanced scrutiny of the principles of necessity and proportionality was to be expected from that point onwards.

644 European Parliament document P7_TA(2009)0016.
645 NINO, Terrorismo Internazionale, p. 272.
646 Art. 2, TFTP I.
647 The request was to be issued by the Department of Treasury; transmitted by the Department of Justice to the central authority of the Member State where the Designated Provider was based, or where the data were stored; verified by such authority, then transmitted to the national authority competent for the execution of the request; and finally transferred to the Designated Provider. Art. 4, TFTP I.
648 NINO, Terrorismo Internazionale, pp. 269-274.

4.2.3.2 TFTP II.

A second US-EU TFTP agreement (TFTP II) was signed on 28 June 2010, and after approval by the Parliament on 8 July 2010, was formally adopted on 13 July 2010 650. Although data protection advocates were still not fully satisfied with the final result 651, TFTP II is a significant improvement compared to TFTP I 652. It was adopted on the basis of articles 87(2) and 88(2) TFEU, concerning police cooperation in the AFSJ, as well as 218 TFEU, which requires the Parliament's consent for international agreements. While the purpose of the second agreement653 is nearly the same as that of the first, its scope of application is now even broader – with the addition of the conduct of providing or collecting funds for terrorist purposes among the list of conducts pertaining to terrorism or terrorist financing654.
Although TFTP II appears to have a more cooperative nature, the disparity between the requirements that requests from the EU and the US, respectively, must comply with still persists: while US requests may be based on the definition of terrorism as set out in Article 2, EU requests must instead still be based on the definition provided in the FDCT. The process to request data from Designated Providers 655 is radically different, and more time-efficient. Requests from the Treasury Department 656 must in fact be issued directly to the Designated Provider, while a copy must be sent to Europol, which must verify that the request is compliant with the requirements set in article 4(2); if the assessment is positive, “the request shall have binding legal effect as provided under U.S. law”.

649 MONAR, The rejection of the EU-US SWIFT Interim Agreement by the European Parliament: a historic vote and its implications, European Foreign Affairs Review, Vol. 15, 2010, pp. 143-151.
650 Council Decision 2010/412/EU of 13 July 2010 on the conclusion of an Agreement between the EU and the USA on the processing and transfer of Financial Messaging Data from the EU to the USA for the purposes of the TFTP, O.J. L 195/1-14, 27.07.2010.
651 Opinion of the EDPS of 22 June 2010.
652 PFISTERER, The Second SWIFT Agreement between the EU and the USA - An overview, German Law Journal, Vol. 11, No. 10, 2010, p. 1187.
653 Art. 2, TFTP II.
654 Art. 2, TFTP II.

Two aspects of this process are troublesome. First, the assignment of an oversight power to Europol, rather than a judicial authority, raises questions concerning its capacity for actual independence considering that, at the same time, Europol may issue requests of its own to the Treasury Department657. At one point, Europol was even accused of rubber-stamping requests as no rejection had been registered in the year following the adoption of the Agreement658.
Second, the fact that after Europol's approval “the request shall have binding legal effect as provided under U.S. law within the European Union”659 is revealing of a persistent “dominance of U.S. law”660. The request, however, may not include data relating to the Single Euro Payments Area (SEPA). In other words, payments denominated in euros made through the SWIFT system may not be accessed by US authorities661. As will be explained further, this provision may be of relevance for the development of an EU Terrorist Finance Tracking System.

Safeguards applicable to the processing of the data provided have also been enhanced. While the core provisions concerning data security and integrity, and on the necessary and proportionate processing of data are essentially the same as TFTP I, albeit slightly rearranged662, rules on the retention and deletion of data and the conditions under which onward transfers of data are allowed have been given autonomous relevance 663. The rules concerning the retention of data remained however essentially unchanged: non-extracted data must be deleted five years after receipt, whereas extracted data can be kept “for no longer than necessary for specific investigations or prosecutions for which they are used”. This is one of the most criticized provisions of the TFTP 664, notwithstanding the fact that the retention period agreed upon for financial data is considerably shorter than that established for telecommunication data or PNR data. Onward transfers of data to third countries, instead, are allowed under stringent conditions: only information extracted as a result of an individualized search may be shared, and only for “lead purposes”; where the information involves a citizen of a Member State, consent of such Member State must be sought unless that data is essential “for the prevention of an immediate and serious threat to public security”.

655 It is worth pointing out that the Annex to TFTP II containing the list of Designated Providers to which requests can be issued is currently comprised solely of SWIFT.
656 Pursuant to art. 4(2) TFTP II, the request shall: a) identify as clearly as possible the data, including the specific categories of data requested, that are necessary for the purpose of the prevention, investigation, detection, or prosecution of terrorism or terrorist financing; b) clearly substantiate the necessity of the data; c) be tailored as narrowly as possible in order to minimize the amount of data requested, taking due account of past and current terrorism risk analyses focused on message types and geography.
657 Art. 10 TFTP II. See NINO, Terrorismo Internazionale, pp. 282-284.
658 WESSELING, An EU Terrorist Finance Tracking System, p. 8.
659 Art. 4(5) TFTP II.
660 PFISTERER, The Second SWIFT Agreement between the EU and the USA, p.1187.
661 WESSELING, An EU Terrorist Finance Tracking System, p. 14.
662 Art. 5 TFTP II.
663 Art. 6 and 7 TFTP II, respectively.

Furthermore, data subjects are granted the rights of information, access, rectification, erasure, and blocking, and redress 665. While this is undeniably a sensible improvement compared to the TFTP I, scholars have pointed out how it is unclear whether these rights will be fully enforceable in an American courtroom 666: not only does American legislation generally deny non-citizens the right to seek judicial redress before American judges, but pursuant to article 20 the Agreement “shall not create or confer any right or benefit on any person or entity, private or public”667. Lastly, article 13 provides that joint reviews of the safeguards, controls and reciprocity provisions must be undertaken by the Parties “at any event after six months from the date of entry into force” and thereafter “on a regular basis […] scheduled as necessary”.
So far, three reviews have been undertaken and published by the Commission (in February 2011, in October 2012, and in August 2014), each underscoring the growing importance of the TFTP as a counter-terrorism tool. In particular, the Commission has noted how requests for data from the EU or Member States have steadily increased, from 15 between August 2010 and January 2011, to 94 between February 2011 and September 2012, and 70 between October 2012 and February 2014668; the number of leads produced has likewise grown 669.

664 EDPS Opinion of 22 June 2010, paras. 21-22.
665 Arts. 14 through 18 TFTP II.
666 PFISTERER, The Second SWIFT Agreement between the EU and the USA, p.1188; NINO, Terrorismo Internazionale, pp. 294-295.
667 Art. 20(1) TFTP II. The Judicial Redress Act of 2015 has, however, partially extended the right to bring civil actions against governmental agencies to European citizens as well.
668 Commission staff working document COM(2014)513 final, 11.8.2014, p.7.
669 During the 17 month period between October 2012 and February 2014 there were 3.929 leads contained in 41 responses provided to Member States and Europol; during the 20 month period between February 2011 and September 2012, there were 606 leads contained in 57 responses.

The main criticism the TFTP has faced, similarly to the other counter-terrorism measures involving the use of personal data, is that while there is no denying its usefulness, in order for the infringement of privacy rights of individuals to be truly warranted what needs to be proven is its necessity – or, in other words, an unambiguous establishment that it provides an “added value” to the fight against terror 670. Such necessity, it is argued, must be proven by demonstrating that certain leads, extracted from TFTP data, have led to prosecutions or even convictions of terrorists that would have not been identified otherwise. While the Department of Treasury is hesitant in disclosing such information, as it could hinder the very purpose of financial surveillance itself – as terrorists would thus avoid producing financial messaging data in the indicated regions – the Commission has nonetheless consistently provided examples of the value of the TFTP, which it deems a “vital” counterterrorism tool, by citing historical occasions where individuals were apprehended even prior to the commission of any terrorist offense because of the analysis of their financial messaging trail671.

4.2.4. Recent developments. An EU Terrorist Finance Tracking system.

The EU has not yet adopted a purely European framework concerning financial messaging data, unlike what has happened with PNR data. Pursuant to art. 11(1) of the TFTP II, however, “during the course of this agreement, the European Commission will carry out a study into the possible introduction of an equivalent EU system allowing for a more targeted transfer of data”672. The Council set a one year deadline starting from the entry into force of the TFTP II for the presentation, on the Commission's part, of a “legal and technical framework for the extraction of data on EU territory” 673. It is worth recalling, in fact, that the TFTP II does not allow for the extraction of data directly by the EU; rather, the EU can issue requests to the US Department of Treasury, but not autonomously obtain data concerning intra-EU financial transactions. The first stage of the Commission's response to the Council's invitation consisted in a Communication, issued on 13 July 2011, on the available options for the creation of a European terrorist finance tracking system 674. The Commission underlined two main purposes for the establishment of an EU TFTS: providing an effective contribution to the fight against terrorism and its financing within the EU, and limiting the amount of personal data transferred to third countries. Through the TFTP II, the EU is in fact essentially outsourcing a part of its security functions.

670 EDPS Opinion of 22 June 2010, paras.15-16.
671 COM (2014) 513 final, 11.8.2014, pp. 41-43.
672 Art. 11(1) TFTP II.
673 Council Decision of 13 July 2010, O.J. L 195, 27.7.2010, p.3.

The Commission thus envisioned three possible options for an EU TFTS, all of which featured a mixture of national and European involvement 675: the EU TFTS coordination and analytical service; the EU TFTS extraction service; the Financial Intelligence Unit (FIU)676 coordination service. While the first two have in common the need for the establishment of an “EU Central TFTS Unit” in charge of preparing and issuing the data requests to the Designated Providers 677, the latter would instead entail the setting up of an “upgraded FIU platform”, a non-permanent body comprised of national FIU representatives. The three options further differed with regard to the allocation of specific tasks at the national or European level678. Based on such preparatory work, the Commission promised an Impact Assessment of each of the three options. The result, however, was that the Commission, after careful analysis679, deemed all three options “not feasible”, and that “in light of the information gathered, the case to present at this stage a proposal for an EU TFTS is not clearly demonstrated” 680. It is noteworthy, however, that among the main reasons for the Commission's dismissal of an EU TFTS, paramount importance was given to the cost-effectiveness of possible systems, rather than the violation of the fundamental right to data protection.
The Commission, that is, while acknowledging that an EU TFTS would significantly infringe on the right to data protection as it is guaranteed by the relevant European provisions, nonetheless recognized that “these rights can be subject to limitations” and that “sufficient safeguards could be incorporated in [an EU TFTS] and be properly implemented thus ensuring its proportionality”681; at the same time, it stressed how such a system would “entail significant cost for the EU, Member States and the Designated Provider”682.

674 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, COM(2011) 429 final, 13.7.2011.
675 For this reason they are referred to as the “hybrid options”; the “purely national” and “purely European” approaches were in fact quickly discarded by the Commission in its analysis, the former because of the potential proliferation of unequal data extraction and protection systems while the latter because of the lack of a sound legal basis.
676 Financial Intelligence Units are national centers dedicated to the receipt and analysis of suspicious transaction reports and other information relevant to money laundering and the financing of terrorism. See http://www.egmontgroup.org/about/financial-intelligence-units-fius
677 While acknowledging that SWIFT is the only provider data is currently requested from under the TFTP II, in its 2011 communication the Commission considered extending the system to other providers of international financial messaging services (essentially, SWIFT's competitors).
678 See COM(2011) 429 final, Annex, p. 13.
679 Commission Staff Working Document, Impact Assessment, SWD(2013) 488 final, 27.11.2013.
680 Communication from the Commission to the European Parliament and the Council: A European terrorist finance tracking system, COM (2013) 842 final, 27.11.2013.
Following the rejection of an EU TFTS as envisioned by the Commission, which was essentially meant to be a system parallel to the TFTP as it would have been based on the same type of data, discussions surrounding a European TFTS started to contemplate whether a system complementary to that established by the US could be set up683. As the system is currently operating, in fact, large amounts of information are excluded from the scope of the program: notably, information concerning payments through systems other than SWIFT (such as those operated by, for example, SWIFT's competitors, e-money businesses such as PayPal, and money transfer businesses such as Western Union and MoneyGram) and data relating to SEPA 684. The existence of this possibly relevant information gap, combined with the increasing number of terrorist attacks on European soil, has thus revived the Commission's interest in the establishment of an EU-based system, to the extent that it has currently undertaken to conclude a new assessment of an EU system complementary to the TFTP by the 4th quarter of 2016685.

681 SWD(2013) 488 final, p. 16.
682 COM (2013) 842 final, p. 13.
683 WESSELING, An EU Terrorist Finance Tracking System, p. 14.
684 Pursuant to art. 4(1)(d) TFTP II.
685 Communication from the Commission to the European Parliament and the Council on an Action Plan for strengthening the fight against terrorist financing, COM (2016) 50 final, 2.2.2016.

Chapter III
PERSONAL DATA IN AMERICAN COUNTER-TERRORISM

SUMMARY: 1. An overview of US counter-terrorism – 2. Data surveillance legislation. – 3. Bulk collection of data. – 4. American and European approaches compared.

1. An overview of post-9/11 US counter-terrorism.

Unlike in European countries such as Italy, Spain, and the UK, counter-terrorism in the US, for historical reasons, does not have deep roots in domestic legislation.
Prior to 9/11, in fact, terrorism was perceived by the United States as mainly an external threat, concerning servicemen and diplomats overseas, and was thus essentially considered a foreign policy issue686. The realization that terrorism could strike within American borders as well arrived only in the early nineties, after the first World Trade Center bombing, in 1993, and the Oklahoma City Bombing, in 1995. The fact that this latter episode took place less than one month after the Tokyo Subway attacks687 led the US to rethink its counter-terrorism policy, as its national security apparatus was unprepared to face threats coming from non-state actors, both domestic (in the case of the Oklahoma City Bombing) and international (in the case of the World Trade Center bombing)688.

686 REES, US-EU 'Homeland Security' Cooperation, in EDER and SENN, Europe and Transnational Terrorism: Assessing threats and countermeasures, Nomos, 2009, p. 133. The concept of a “war on terrorism” was first evoked under the Reagan administration. See e.g. President Reagan's speech on the fight against terrorism, 14 April 1986. The Omnibus Diplomatic Security and Anti-Terrorism Act was also adopted in 1986, followed by the Anti-Terrorism Act of 1987.
687 In March 1995, members of a domestic Japanese terrorist organization – the cult movement Aum Shinrikyo – released an extremely toxic liquid called Sarin in the Tokyo metro during morning rush hour, causing the death of twelve people.

The first step taken in this direction was the issuance of Presidential Decision Directive No.39 (PDD-39) by President Clinton on 21 June 1995. PDD-39 meant to establish the United States' overall counter-terrorism policy by addressing four main topics: reduction of vulnerabilities, at home and abroad; the deterrence of terrorism; the rapid and decisive response to terrorism “with all appropriate instruments”; the detection, prevention and defeat of weapons of mass destruction used by terrorists.
Moreover, in April 1996 the Antiterrorism and Effective Death Penalty Act 689 (AEDPA) was signed into law. Despite the title, its main accomplishment was the reform – in a restrictive sense – of habeas corpus rights of prisoners; however, it also included specific counter-terrorism provisions, such as modifications to terrorism-related criminal law provisions, bans on weapons of mass destruction, redress provisions for victims of terrorism, and prohibitions on assistance to terrorist States. These efforts were however insufficient to prevent the shocking attacks that occurred in New York and Washington on September 11th, 2001, which, besides constituting a watershed for modern history in general, also represent the fundamental divide in US counter-terrorism.

1.1 The US response to 9/11. From Bush to Obama.

In response to 9/11, the Bush administration enacted a series of controversial internal measures, as well as foreign policies. The main feature of the reaction to the New York and Washington attacks was the extent of the powers claimed by the executive under the justification of the existence of a threat to national security, and the curtailment of civil liberties which derived from the subsequent enactment of special legislation 690. President Bush, in fact, declared the so-called “war on terrorism” 691. By resorting to this expression, the administration was essentially choosing to consider the 9/11 attacks not as criminal offenses but as an act of war, thus inscribing its response, rather than in criminal law, in the realm of international law 692; in doing so, however, it voluntarily departed from the ordinary framework of jus ad bellum and jus in bello and established an unprecedented unilateral power, essentially creating what the administration itself referred to as “a new legal regime” for the war on terror 693. On 18 September, Congress approved a resolution authorizing the President “to use all necessary and appropriate force against those nations, organizations, or persons he determined planned, authorized, committed, or aided the terrorist attacks that occurred on September 11, 2001” 694. As is well known, President Bush subsequently carried out the invasion and occupation of Iraq and Afghanistan.

688 See WHITE, Counter terrorism: weighing the price of liberty, J Socialomics, vol. 5, issue 1, 2015.
689 P.L.104-132.
690 According to VERVAELE, The anti-terrorist legislation in the US: inter arma silent leges?, European Journal of Crime, Criminal Law and Criminal Justice, Vol. 13, 2005, pp. 208-210, the sidelining of civil liberties in times of emergency through the enactment of special legislation is a recurring feature in US history and has occurred several times in the past: during major conflicts, such as the Civil War, World War I, and World War II; after military attacks of great proportions, such as the attack on Pearl Harbor; and during the Cold War, under the influence of McCarthyism. For a parallel between McCarthyism and the war on terror see COLE, The new McCarthyism: repeating history in the war on terrorism, Harvard Civil Rights-Civil Liberties Law Review, Vol.38, 2003, pp. 1-30. See also, however, JACOBSON, The west at war. US and European Counter-terrorism efforts, post-September 11, The Washington Institute for Near East Policy, Washington, 2006, who at p.55 claims that “the widespread perception” that “the exceptional legal changes in the United States after September 11, particularly those in the Patriot Act, are more dramatic than corresponding changes in other democracies” is “only partly accurate, and caused by misperceptions of the Patriot Act”.

The focus of US counter-terrorism was, in general, switched from reactive to preventive. This was achieved through means such as: the prioritization of counter-terrorism within security and justice policy; the centralization of counter-terrorism efforts through the creation of an entirely new department for domestic security (i.e., the Department of Homeland Security); more aggressive law enforcement; and, especially, improved information sharing between intelligence and law enforcement agencies, as responsibility for the success of the attack was also ascribed to lack of communication (“being able to connect the dots”) between the FBI and the CIA695. With respect to domestic legislation, Vervaele cites four fronts on which the Bush administration elaborated its anti-terrorism policy696: first, the Patriot Act, and the related implementing guidelines issued by the Attorney General; next, Presidential law; and finally, Presidential secret orders. The Patriot Act is a “widespread measure”, meant to apply to all citizens. The Presidential initiatives, on the other hand, introduced “targeted measures”, which applied only to certain individuals – those deemed “unlawful enemy combatants” – and created a criminal law of the enemy, as well as an ad hoc criminal procedure in which the substantive and procedural rights of those involved were significantly curtailed697.

691 President George W. Bush, Statement by the President in His Address to the Nation in Light of the Terrorist Attacks of September 11, 11 September 2001, available at https://georgewbush-whitehouse.archives.gov/news/releases/2001/09/20010911-16.html
692 On the inappropriateness of this choice, see CONFORTI, Diritto Internazionale, Editoriale Scientifica, Napoli, 2010, p. 386.
693 FABBRINI, Lotta al terrorismo: da Bush a Obama, passando per la Corte Suprema, Quaderni Costituzionali, Anno XXXI, No.1, March 2011, p. 91.
694 Authorization for Use of Military Force (AUMF), P.L. 107-40, 18 September 2001.
695 See JACOBSON, The west at war, pp. 27-76.
696 VERVAELE, The Anti-terrorist legislation in the US: Criminal law for the enemies?, European Journal of Law Reform, Vol. 8, No.1, 2007, pp. 140-141.

The “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act”698, commonly known by its acronym – the Patriot Act – is yet another example of how terrorism provides the occasion for the adoption of legislation which, for various reasons, had been stalled or had otherwise suffered (mostly congressional) setbacks in the past. While in the European Union counter-terrorism has been used as a tool for closer integration 699, in the United States counter-terrorism legislation – in the context of the “war on terror” – had the effect of strengthening the executive by, to some extent, curtailing certain civil rights and liberties. The Patriot Act was approved by Congress in an expedited procedure, and signed into law by President Bush on 26 October 2001; it is a comprehensive and complex piece of legislation spanning close to 350 pages which amended 15 federal laws. It is divided into ten titles, which are dedicated to: enhancing domestic security against terrorism; enhanced surveillance procedures; international money-laundering abatement; protection of the border, therein including provisions on immigration; removing obstacles to investigating terrorism; redress provisions for victims of terrorism and their families; increased information sharing for critical infrastructure protection; the strengthening of criminal laws against terrorism; and, finally, improved intelligence700.
The most important, notorious and contested provisions of the Patriot Act, and also the most relevant for the purposes of this discussion, are those contained in Title II, which modified the framework of US surveillance law; these will be discussed more in depth later in this chapter 701. One particular feature of the Patriot Act, which contributed to its swift adoption despite the presence of numerous provisions of questionable compliance with constitutional standards702, was the fact that many of these controversial provisions contained a “sunset clause” – in essence, an expiration date – by which the effects of the provisions would cease on 31 December 2005. All of the provisions in question are located, precisely, in Title II. However, following the adoption of Reauthorization Acts in 2005 703 and 2006704, 14 out of a total of 16 provisions carrying a sunset clause were made permanent 705; a new sunset clause, itself periodically reauthorized, was instead added to the two remaining “temporary” provisions706. The last extension expired on 1 June 2015707.

697 This categorization is taken from MIRAGLIA, La tutela processuale dei diritti dopo l'11 Settembre negli Stati Uniti, in CAVINO, LOSANO, TRIPODINA, Lotta al terrorismo e tutela dei diritti costituzionali, Giappichelli Editore, Torino, 2009, p.45.
698 P.L. 107-56.
699 See supra, Chapter I, para. 2.3.
700 For an analysis of some of the main provisions of the Patriot Act, see WHITEHEAD and ADEN, Forfeiting “Enduring Freedom” for “Homeland Security”: a constitutional analysis of the USA Patriot Act and the justice department's anti-terrorism initiatives, American University Law Review, Vol. 51, 2002, pp. 1083-1133; VERVAELE, The anti-terrorist legislation in the US, pp. 213-230.
The aspects of post-9/11 US counter-terrorism policy, however, which raised the most concerns from a human rights perspective were those directly stemming from presidential orders and issued with no participation by Congress, or even – at least initially – control by the judiciary, therefore creating what has been referred to as “a new normality completely dominated by the executive”708. On 13 November 2001 President Bush issued a Military Order, entitled “Detention, treatment, and trial of certain non-citizens in the war against terrorism”709, by which a framework was created for the detention of certain individuals – mostly, members of Al Qaeda or Taliban captured overseas – in special facilities, and their subsequent trial by military commissions. The wording of the military order made it quite explicit that the trials were a mere possibility, and not the natural outcome of the imprisonment; thus essentially allowing detention to be prolonged indefinitely 710; moreover, trials – if held – were to take place before specially constituted military commissions, and not regular civil tribunals or courts-martial. The rights of indictment, trial by jury, appellate relief, and habeas corpus were thus suspended for non-citizens accused of aiding or abetting terrorists 711. Furthermore, in a subsequent Directive issued on 7 February 2002, the President affirmed that the Geneva conventions tout court did not apply to the conflict with Al Qaeda, as the latter could not be considered a “High Contracting Party” – in other words, a nation State; while instead acknowledging that the provisions of the Geneva conventions did, in theory, apply to the conflict with the Taliban – as they represented the government of a contracting party to the Conventions, Afghanistan – the Bush administration nonetheless decided that the Taliban detainees were to be considered “unlawful combatants” as well and thus did not qualify as prisoners of war712. This “new thinking in the law of war” led to the establishment of special facilities to sort and detain prisoners in notorious locations such as Guantanamo, Abu Ghraib, and Bagram; and to the use of extraordinary (“enhanced”) measures in the interrogation of “high value” prisoners, which ultimately amounted to torture713.

701 See infra, para. 2.2.4.
702 According to WHITEHEAD and ADEN, provisions of the Patriot Act violated the I, IV, V, and VI Amendments to the Constitution.
703 USA PATRIOT Act Improvement and Reauthorization Act of 2005, P.L. 109-177, 9 March 2006.
704 USA PATRIOT Act Additional Reauthorizing Amendments Act of 2006, P.L. 109-178, 9 March 2006.
705 These are: § 201; § 202; § 203(b); § 203(d); § 204; § 207; § 209; § 212; § 214; § 217; § 218; § 220; § 223; § 225.
706 § 206 and § 215, for which, extensively, see infra, para. 3.1.1.
707 See Sunset of Section 215 of the USA PATRIOT Act 2001, Congressional Research Service Memorandum, CRS 7-5700, 19 May 2015. See also infra, para. 3.3.
708 MIRAGLIA, La tutela processuale dei diritti, p.53.
709 66 Fed.Reg. 57.833, published 16 November 2001.
710 Military Order of 13 November 2001, § 4(a): “[a]ny individual subject to this order shall, when tried, be tried by military commission [...]”.

In addition to the imprisonment of unlawful enemy combatants in American-controlled facilities, such as Guantanamo, the existence of a secret program carried out jointly by the Bush Administration and the CIA, by the name of “extraordinary rendition”, was revealed in 2006. Extraordinary rendition is the act of extraditing, returning or sending a prisoner to a State (such as Egypt, Tunisia, Jordan, Morocco) where torture is regularly used as an interrogation method. For this reason, scholars have referred to this practice as “outsourcing torture”714.

711 WHITEHEAD and ADEN, Forfeiting “Enduring Freedom” for “Homeland Security”, p. 1118.
712 The requirements by which an individual fallen into the power of the enemy is to be considered a “prisoner of war” are listed in art. 4 of the third Geneva Convention.
713 For an assessment of such techniques see MCDONNELL, The United States, International Law, and the struggle against terrorism, Routledge research in terrorism and the law, 2009, pp. 45-90. See also BASSIOUNI, Torture and the war on terror. The institutionalization of torture under the Bush administration, Case Western Reserve Journal of International Law, Vol. 37, 2006, pp. 389-425. Much has been said and written on the issue of whether the use of torture is appropriate in extraordinary circumstances, and it is not the intention of this dissertation to further that discussion. However, it is noteworthy that prominent US legal scholars have taken positions in favor of forms of “legalized torture” in what is known as the “ticking-time bomb scenario”: most notably, see POSNER, Not a suicide pact: the Constitution in a time of national emergency, Oxford University Press, 2006, pp. 77-104, and DERSHOWITZ, Tortured Reasoning, in: LEVINSON, Torture: a collection, Oxford University Press, 2004, pp. 257-280.
714 VERVAELE, The Anti-terrorist legislation in the US, p.159.

The advent of the Obama administration brought significant changes in the US approach to counter-terrorism. While some features of the Bush administration counter-terrorism policy were left in place715, an essentially different strategy was adopted in the fight against terrorism – a “paradigm change”, according to Fabbrini716 – determined by a manifest willingness to counter terrorism in a manner more respectful of the rule of law, and a renewed dialogue between the executive and the legislative branches of government. In one of his first acts in office, on 22 January 2009, President Obama issued three executive orders focused on ensuring lawful interrogation of persons in custody 717, reviewing detention policy options718, and calling for the closure of the detention facilities in Guantanamo719.
From a foreign policy perspective, Obama committed to the removal of US troops from Iraq, while at the same time increasing American involvement in Afghanistan and Pakistan – in the President's view, the “central front in [the] war against Al Qaeda”720. The flagship achievement of the Obama administration, however, was perhaps the killing of Osama bin Laden on 2 May 2011. Three policies in particular have been indicated as key pillars of the Obama administration's counter-terrorism strategy721: the increased use of drone warfare; the reliance on local governments to supply ground force; and the establishment of surveillance techniques to acquire foreign intelligence. Although Obama's approach to counter-terrorism is generally considered more respectful of human rights, the use of drones and vast surveillance techniques, in particular, raise significant moral and legal issues. While analysis of the former exceeds the scope of this dissertation, the latter will be addressed in detail later in this Chapter722.

1.2 Counter-terrorism and the Supreme Court

As is commonly known, the United States' legal order is comprised of a system of checks and balances, meaning that each branch of government imposes limits on the activities of the others. It has been argued that one of the effects spurred by 9/11 was the conferment of excessive leeway to the executive in shaping the US response to terrorism, with little or no control by the judiciary and the legislative branches723. Concerning the Supreme Court's role in US counter-terrorism, three distinct phases, characterized by a growing concern for human rights and a progressively less deferential attitude towards the executive, can be outlined in its reaction to the measures enacted by the Bush administration724.

The first opportunity the Court had to pronounce itself on the counter-terrorism measures set up by the Bush administration involved not one, but three cases, all decided on the same day: Rasul v. Bush725, Hamdi v. Rumsfeld726, and Rumsfeld v. Padilla727.

The Rasul case involved a petition for habeas corpus filed before the federal district court in Washington D.C. by Kuwaiti and Australian citizens who were being detained at Guantanamo. Under federal rules, however, tribunals may grant writs of habeas corpus “within their respective jurisdiction”728. The federal district court in Washington, and, on appeal, the U.S. Court of Appeals for the District of Columbia Circuit both held that they lacked jurisdiction to hear the case as neither were the petitioners US citizens, nor were they being held on US sovereign territory729, thus essentially denying the plaintiffs the right to a fair trial on the grounds of their lack of “status or situs”730. The Supreme Court, with a six-justice majority, reversed the lower courts' decisions, holding that as long as detainees were being kept under constant and effective federal authority, their nationality or geographical location alone did not bar them from seeking habeas corpus relief in federal courtrooms731. The Court, however, while providing an answer to the procedural issue at stake, cautiously avoided taking a position on the underlying substantive issues, that is whether the detention was lawful, whether the detainees had a right to be released, and what burden of proof needed to be met in order to secure such right732.

In Hamdi, the case involved a US citizen, Yaser Hamdi, who had been captured in Afghanistan and subsequently transferred to Guantanamo, only to be moved to a detention location in South Carolina upon discovery of his American citizenship – as Guantanamo was only meant for non-US citizens (“aliens”). There, he filed a petition for habeas corpus before a federal district court claiming that he had been detained unlawfully. The district court acknowledged that little and unconvincing proof had been brought forth by the government to support Hamdi's incarceration, and ordered the government to submit more evidence. The Justice Department thus produced an affidavit, drafted and signed by one Michael Mobbs, in which the reasons for Hamdi's detention were stated but, again, with no hard evidence in support of the allegations. Unimpressed by the memorandum provided by the government, the district court judge raised two issues: first of all, no determination had been made by a competent tribunal concerning Hamdi's status as prisoner of war, pursuant to art. 5 of the third Geneva Convention733; secondly, the evidence produced by the government was insufficient for a correct balancing of the government's asserted interest in national security against Hamdi's liberty rights as an American citizen, and thus ordered the government to provide more, and more detailed, information.

On appeal, the Fourth Circuit Court reversed the district court's decision, which had been favorable to Hamdi. First of all, it held that the Geneva Conventions were not self-executing and thus, absent enactment through a Congressional statute, they conferred no rights upon individuals; moreover, the order issued by the President on 7 February 2002 had removed any doubt as to the possibility of deeming the individuals apprehended in Afghanistan as prisoners of war. Art. 5 of the Geneva Conventions, the court argued, applied only when the status of a prisoner was uncertain; the President's order had removed such uncertainty. The judiciary could thus not provide the plaintiff with a decision concerning his prisoner of war status. Secondly, the appellate court found that the request for more information made by the lower court had been excessively broad, and thus unduly encroaching upon the powers of the President. Disclosing the information relating to Hamdi's capture and detention would deeply affect the efficiency of the military operations, and ultimately “unsettle the constitutional balance”734.

715 See, e.g., JACKSON, Culture, identity and hegemony: continuity and (the lack of) change in US counterterrorism policy from Bush to Obama, International Politics, Vol. 48, No. 2/3, pp. 390-411, who claims that the Obama administration, rather than substantially changing the “war on terror” discourse, merely opted for a “strategic realignment” substantiated by the increased reliance on soft power, rather than hard power tools typical of the Bush administration: “[i]n short, it can be argued that all of the main policy planks of the war on terror put into place by the Bush administration are being continued in the new administration”, at p. 405. In this sense, see also MCCRISKEN, Ten years on: Obama's war on terrorism in rhetoric and practice, International Affairs, Vol. 87, Issue 4, pp. 781-801.
716 FABBRINI, Lotta al terrorismo, p. 98. Similarly, STERN, Obama and Terrorism: like it or not, the war goes on, Foreign Affairs, November-December 2015, pp. 62-70.
717 Executive Order 13491, 22 January 2009.
718 Executive Order 13493, 22 January 2009.
719 Executive Order 13492, 22 January 2009. It is necessary to point out that despite a significant reduction in the total number of detainees, the facility has not yet been shut down.
720 OBAMA, Renewing American leadership, Foreign Affairs, July-August 2007, pp. 2-32.
721 STERN, Obama and Terrorism, pp. 4-5.
722 See infra, paras. 2 and 3.
723 See ABRAMS, Developments in US anti-terrorism law. Checks and balances undermined, Journal of International Criminal Justice, Vol. 4, 2006, pp. 1117-1136.
724 FABBRINI argues that the three distinct phases can be classified in the following manner: an initial phase of constitutional self-restraint; an intermediate phase; and a final phase of constitutional self-confidence. FABBRINI, The role of the judiciary in times of emergency: judicial review of counter-terrorism measures in the United States Supreme Court and the European Court of Justice, Yearbook of European Law, Vol. 28, 2010, pp. 664-697.
725 542 U.S. 466 (2004).
726 542 U.S. 507 (2004).
727 542 U.S. 426 (2004).
728 28 U.S.C. § 2241(a).
729 The US occupation of Guantanamo rests on a lease stipulated in 1903 by the American and Cuban governments, according to which the United States recognizes the continuance of “ultimate sovereignty” of the Republic of Cuba over the facility, while the Republic of Cuba consents to the exercise of “complete jurisdiction and control over and within it”. See RYAN, The 9/11 Terror Cases. Constitutional challenges in the war against Al Qaeda, University Press of Kansas, 2015, p. 14.
730 In order to support this decision, both courts cited a 1950 precedent, Johnson v. Eisentrager, 339 U.S. 763 (1950), in which the Supreme Court had drawn a distinction between foreigners detained within the United States, and those kept prisoners outside the United States, holding that only the former were granted the protection of US courts, while the latter “were beyond the territorial jurisdiction of any court in the United States”.
731 Justice Scalia, dissenting, referred to this construction of habeas corpus as “a monstrous scheme in time of war”.
732 RYAN, The 9/11 Terror Cases, p. 67.
733 Art. 5 of the third Geneva Convention holds that “[s]hould any doubt arise as to whether persons, having committed a belligerent act and having fallen into the hands of the enemy, belong to any of the categories enumerated in Art. 4” – which lays down the requirements by which combatants may be considered prisoners of war – “such person shall enjoy the protection of the present Convention until such time as their status has been determined by a competent tribunal”.
The case was thus brought before the Supreme Court, which was called upon to decide whether the executive had the power to indefinitely detain a US citizen as an enemy combatant, and what process is due to a US citizen who contests such status. Once again, the Supreme Court – in reversing the Circuit Court's decision – sided with the plaintiff, but was nonetheless careful in doing so. To begin with, despite the seemingly overwhelming majority – the Court voted 8-1 in favor of Hamdi – the ruling was adopted with only a plurality of four justices735, with the remaining four justices drafting two separate concurring opinions736. According to the dominant plurality opinion, an ongoing state of war does not amount to the assignment, to the executive, of a blank check with respect to the rights of American citizens. The government cannot therefore lawfully engage in the indefinite detention of citizens without respecting their rights to due process. However, the Court argued, in order for due process rights of detained citizens to be respected, standards equivalent to those of criminal hearings need not necessarily be met, as the due process rights of individuals must be balanced with the government's interest in maintaining the security of the nation. The Court thus stated which requirements, in its view, were sufficiently respectful of such balance: a citizen seeking to challenge his classification as enemy combatant must receive notice of the factual basis for his classification, and a fair opportunity to rebut the Government's assertions before a neutral decisionmaker.

734 See RYAN, The 9/11 Terror Cases, pp. 15-24.
735 O'Connor, Kennedy, Breyer, and Rehnquist.
736 Ginsburg and Souter on one side, and Stevens and Scalia on the other.
Moreover, such a decisionmaker need not be a federal judge applying formal rules of evidence; in the eyes of the Court, a properly constituted military tribunal, following less formal proceedings, would be sufficient737. Thus, while on one hand the Court seemed to rein in the power that the executive had been, up to then, exercising unrestricted, on the other it appeared to strike a rather compromising balance with the position of the administration.

Lastly, it is worth mentioning the Court's decision in Padilla. The case concerned a US citizen as well, but differed from Hamdi in a substantial way: the individual in question, José Padilla, upon returning to the US after four years spent in Afghanistan, was arrested on American soil on ordinary criminal charges738, and thus put in a regular holding cell in New York. Shortly thereafter, however, Padilla was designated as an enemy combatant by Presidential Order and taken to a military facility in South Carolina for indefinite detention and interrogation. The striking feature of the case in question was that, under Presidential authority, an individual who was an American citizen – and thus fully entitled to due process rights – and was apprehended on American soil, was being held in custody absent formal charges and without access to an attorney. A petition for habeas corpus was filed on Padilla's behalf before the district court of New York; Secretary of Defense Donald Rumsfeld was cited as defendant. The district court found that, while the President's authority to order the detention of unlawful enemy combatants could not be restricted on citizenship grounds, Padilla was nonetheless entitled to present evidence to counter the government's assertions, and to legal counsel.
However, the Court also pointed out that the government was not required to prove Padilla's unlawful enemy status pursuant to evidence thresholds of criminal or even civil proceedings, such as proof beyond any reasonable doubt, or based on the preponderance of the evidence; a lower standard, such as “presence of some evidence”, would suffice739. The decision was overall more favorable to the government; nevertheless, the administration appealed the decision in order to prevent Padilla from consulting with his attorney.

On appeal, the Second Circuit Court decidedly ruled in favor of Padilla. First of all, in considering the issue whether the President had the inherent constitutional authority to order the detention of American citizens, it held that he did not – albeit limiting the scope of the analysis to domestic arrests, and not to those carried out overseas. Secondly, it considered whether Congress had vested the President with such power under the 2001 Authorization for the Use of Military Force (AUMF)740. It concluded that it had not, as the AUMF was not sufficient to override the 1971 Non-Detention Act741, by which “no citizen shall be imprisoned or otherwise detained by the United States except pursuant to an Act of Congress”. The Court thus ordered the government to either try Padilla on criminal charges, or hold him under the material witness warrant, with full application of his due process rights; or, otherwise, release him within thirty days. Of the three cases mentioned so far, this was the only instance where a Circuit Court handed down a decision in favor of the detainee.

737 See RYAN, The 9/11 Terror Cases, pp. 69-76; FABBRINI, The role of the judiciary in times of emergency, pp. 674-676.
738 Padilla was arrested on a material witness warrant, meaning that according to the FBI he had valuable information relevant in the federal investigations on the 9/11 attacks.
739 See RYAN, The 9/11 Terror Cases, pp. 24-33.
By contrast, the Supreme Court ruled 5-4 against Padilla; the decision was based on purely procedural grounds. In fact, the petition for habeas corpus had been filed before a district court in New York; Padilla, however, was detained in South Carolina. The former therefore lacked jurisdiction to hear the case, as this depended not on the individual who had ordered the detention – Secretary of Defense Donald Rumsfeld – but on the immediate custodian of the detainee – in Padilla's case, the commander of the brig in South Carolina where he was held. The Court thus refrained from analyzing the substantive issues of the case, essentially deferring its decision until the filing of the petition within the correct jurisdiction742.

Despite not having upheld the authority which the administration had asserted for itself in its counter-terrorism efforts, these first three decisions by the Supreme Court were marked by a certain indulgence towards the executive743, which some scholars view as part of the general tendency manifested by the judiciary and the legislative branches of government of initially avoiding or deferring decisions on the most relevant legal issues arising from the Bush administration's first response to 9/11744. Following the Supreme Court's 2004 decisions, which all involved petitions for habeas corpus filed by detainees, Congress enacted the Detainee Treatment Act (DTA) of 2005, which, while on one side prohibiting the use of torture – “cruel, inhumane, or degrading treatment” – on individuals under the physical custody of the United States, on the other provided that all federal courts – with the exception of the Court of Appeals for the District of Columbia – would no longer have jurisdiction to review habeas corpus writs, or any other judicial action, filed by aliens detained at Guantanamo745.

In what can be considered the Court's second phase of review of counter-terrorism measures, Hamdan v. Rumsfeld746, the focus was on the lawfulness of the military commissions established by the November 2001 Presidential order. These commissions were characterized by rules of procedure, illustrated in subsequent regulations issued by the Department of Defense, which contained significant restrictions compared to the procedures regularly followed before military tribunals747. The Hamdan case involved the first subject to be tried by a military commission – Salim Ahmed Hamdan, a Yemeni citizen believed to be bin Laden's chauffeur – under the charges of conspiracy to attack civilians, conspiracy to murder, and terrorism. Hamdan successfully sought a petition for habeas corpus before the District Court in Washington D.C., where the Court essentially struck down the entire structure of the military commissions with a twofold argument. Firstly, the President had no authority to establish such tribunals, as he had never asked Congress for such authority; the Court, in this instance, did not mention the AUMF, the President's quasi-blank check.

740 See supra, para. 1.1, at note 695.
741 P.L. 92-128, introducing 18 U.S.C. § 4001(a).
742 See RYAN, The 9/11 Terror Cases, pp. 67-96.
743 In this sense, see also DWORKIN, Corte Suprema e garanzie nel trattamento dei terroristi, Quaderni costituzionali, Anno XXV, No. 4, December 2005, pp. 905-920.
744 Under this construction, the addition of sunset clauses to controversial legislation, as seen supra, was also a means of deferring the assessment of the legal issues they raised. See, in particular, ABRAMS, Developments in US anti-terrorism law, pp. 1130-1132.
Secondly, the Geneva Conventions required that, absent a determination by a competent tribunal, a detainee be treated as a prisoner of war; as no such determination had been made for Hamdi, he was thus to be treated as a prisoner of war pursuant to the third Geneva Convention, according to which, in order for a prisoner of war to be validly sentenced, the sentence must be pronounced “by the same courts according to the same procedure as in the case of members of the armed forces of the detaining power”748 – and therefore by a court-martial, under the procedures established by the Uniform Code of Military Justice (UCMJ).

The district court's decision, however, was reversed by the Court of Appeals for the District of Columbia Circuit. The Circuit court found that, contrary to the district court's determination, Congress had indeed provided the President with the authorization to establish the military commission – precisely through the 2001 AUMF. Moreover, with respect to the Geneva Conventions, the Court relied on the same rationale used by the Fourth Circuit in the Hamdi proceedings: as no statute implementing the rule established by the Geneva Conventions existed, no right was conferred upon, and thus could be invoked by, the detainees. The case was thus brought before the Supreme Court. The Supreme Court, in turn, reversed the Circuit court's decision and ruled in favor of Hamdi749.

745 On the DTA, see ABRAMS, Developments in US anti-terrorism law, pp. 1123-1126.
746 548 U.S. 557 (2006).
747 Most notably, the accused could be excluded from the proceedings, in which case the defense attorney was prohibited from disclosing to the accused information revealed during closed sessions, and the rules of evidence were much more relaxed, allowing the commissions to consider as evidence “anything they believed to have probative value to a reasonable person”. RYAN, The 9/11 Terror Cases, pp. 90-92.
This time, the Court did not limit itself to procedural arguments or compromise positions, but struck down the military commission structure in its essence, as well as in its form. With respect to the former, the Court held that the President had established such commissions absent any express authorization by Congress, and thus in violation of specific statutory requirements750; moreover, Hamdan was being tried for offenses which did not specifically constitute a crime under the law of war, nor had been identified as a war crime by Congress751. Concerning the procedure governing the trials by military commissions, the Court stated that these were in violation of American law752, as well as of the Geneva Conventions, in relation to two attributes in particular: the possibility of excluding an individual from his own trial, and the very relaxed rules on evidence admissibility.

Despite the constitutional importance of the decision – the Court had unequivocally stated that even unlawful enemy combatants were entitled to minimal due process rights – its strength was hindered by the fact that the entire ruling relied on the lack of an express statutory authorization by the legislature to establish the military commission structure. The Court even explicitly stated that nothing in the decision would prevent the President from seeking such authorization from Congress, and establishing military commissions on lawful premises. Therefore, while on one hand the Court, unlike its prior three decisions, explicitly stood up against the executive in defense of due process, on the other it provided the executive with the means to pursue its objectives nonetheless. Shortly thereafter, in fact, and in direct response to Hamdan, Congress adopted the Military Commissions Act (MCA) of 2006753, which provided a statutory framework for military commissions. While in part addressing the concerns raised in Hamdan, most provisions of the MCA constituted a severe restriction of due process rights for unlawful enemy combatants, including an express suspension of habeas corpus relief.

Parts of the MCA, however, were struck down by the Supreme Court in Boumediene v. Bush754, the most forceful – and, to this date, the last – ruling handed down by the Court in relation to counter-terrorism measures. It straightforwardly addressed the issue whether the provisions of the MCA, which had stripped federal courts of their jurisdiction over habeas corpus petitions filed by unlawful enemy combatants, were constitutional. In Hamdi, the Court had settled that US citizens could not be deprived of habeas corpus relief; Hamdan, however, had not determined whether the same applied for foreigners755, and Rasul had been much too limited in scope for it to be a strong affirmation of habeas corpus rights of alien detainees.

748 Art. 102, third Geneva Convention.
749 The Court ruled with a 5-3 majority; Chief Justice Roberts did not take part in the decision, as he had already taken part in the decision handed down by the Fourth Circuit, where he had been in favor of the government. In fact, he was appointed Chief Justice of the Supreme Court four days after that decision was adopted. RYAN, The 9/11 Terror Cases, p. 96.
750 Under 10 U.S.C. § 821, offenses can be tried by military commissions only “by statute or by the law of war”.
751 The Court is specifically referring to the conspiracy offenses. ABRAMS, Developments in US anti-terrorism law, p. 1133; FABBRINI, The role of the judiciary in times of emergency, p. 681, at note 106.
752 In particular, of the Uniform Code of Military Justice (UCMJ).
In Boumediene, instead, the Court ruled that the MCA, by depriving unlawful enemy combatants held at Guantanamo of the possibility of seeking habeas review before federal courts, and by not establishing an adequate substitute procedure, had violated the Suspension Clause of the Constitution, pursuant to which “the privilege of the writ of Habeas Corpus shall not be suspended, unless, when in cases of rebellion or invasion, the public safety may require it”756. This decision thus represented the first instance in which the Court, albeit by a small majority757, openly opposed the measures enacted by the executive by subjecting them to a strict and full review, without resorting to any form of deferral or avoidance, and thus reaffirming the necessity for the respect of the fundamental right of due process. Even in this case, however, it seems that the Court's defense of the fundamental right of due process is more incidental to a correct and full application of the American constitution, rather than an expression of a right that is internationally recognized as being inherently fundamental – irrespective of the constitutional traditions of nation States.

753 P.L. 109-366.
754 553 U.S. 723 (2008).
755 FABBRINI, The role of the judiciary in times of emergency, p. 685, at note 146.
756 U.S. Constitution, Art. I, § 9, cl. 2. Furthermore, the Court also addressed the issue of whether the Constitution applied in Guantanamo, reaching the conclusion that although Cuba maintained de jure sovereignty over Guantanamo, the US nonetheless exercised sovereignty de facto; the Constitution should therefore apply to Guantanamo detainees as well.
757 In Boumediene the Court ruled 5-4. Justices Ginsburg, Souter, Stevens, Breyer, and Kennedy sided with the detainees, while Alito, Thomas, Scalia and Chief Justice Roberts voted in favor of the government.
In this sense, whereas a comparison with the activity of the Court of Justice of the European Union can surely be made in light of the growing weight both courts have reserved, in subsequent decisions, to the protection of fundamental rights758, the Court of Justice of the European Union appears, in general, keener on the protection of human rights – not only in compliance with international statutes, but even, as in Kadi II759, where international provisions do not afford sufficient safeguards760.

1.3 EU – US cooperation in counter-terrorism

One final point to be addressed in this brief overview of US counter-terrorism is the extent to which counter-terrorism efforts provided the opportunity for heightened cooperation between the United States and the European Union. Some authors claim that this relation was of particular importance for the EU, as it granted the EU international recognition in a sensitive policy area and thus promoted its presence in global politics – the essential condition for global actorhood761. However, the fact that key counter-terrorism areas fall under the competence of the EU, combined with the explicit recognition by the Lisbon Treaty of the Union's power to enter into binding international agreements, has often made the EU, and not single member States, the United States' preferred counterpart for counter-terrorism cooperation762. There have been four major areas of EU-US cooperation in counter-terrorism763: intelligence and information sharing; law enforcement and police; judicial cooperation; and the suppression of terrorism financing.

With respect to intelligence cooperation, the main examples are the PNR and the TFTP agreements discussed above764, through which travel data of passengers flying into the US, as well as certain types of financial data, may be acquired by US governmental authorities; the US, in turn, provides the EU with investigative leads generated by such information.

Cooperation in police and law enforcement has been one of the first forms of counter-terrorism collaboration between the US and the EU. In the wake of the September 11th attacks, the US concluded two separate agreements with Europol: the first765 concerning the exchange of “strategic and technical information” in order to “prevent, detect, suppress, and investigate serious forms of international crime”766; the second767, a supplemental agreement governing the transmission of personal data. This latter accord was the first international agreement where US authorities agreed to apply specific data protection provisions768. Moreover, two new agreements were signed in February 2015 between Europol and US Customs and Border Protection: the Focal Point Checkpoint agreement, aimed at combating illegal immigration, and the Focal Point Travelers' agreement, adopted for the purpose of countering foreign fighters, in particular by collecting, analyzing and sharing information related to their recruitment and travel769.

Willingness to enhance cooperation with the US in criminal justice matters following 9/11 was expressed by the Justice and Home Affairs council as early as 20 September 2001770. Negotiations initiated shortly thereafter led to the conclusion of two agreements on extradition771 and on mutual legal assistance772; despite being adopted in 2003, they only entered into force in February 2010773. The agreements are not designed to substitute existing bilateral arrangements between the US and Member States, but rather to supplement and harmonize them; moreover, although cooperation in counter-terrorism constituted the main driver for their adoption, the scope of the agreements extends to crimes other than terrorism774.

758 FABBRINI observes that, in relation to the level of review exercised by the court, each of the foregoing rulings of the Supreme Court can be coupled to a CJEU decision on counter-terrorism measures: Hamdi with Kadi I; Hamdan with OMPI; and, finally, Boumediene with Kadi II. FABBRINI, The role of the judiciary in times of emergency, pp. 674-689.
759 See supra, para. 3.3.
760 In this sense, BIANCHI claims that the Supreme Court is “the only exception in the development of a transnational judiciary ontology” concerning the protection of fundamental rights. BIANCHI, La dimensione giuridica della paura: controterrorismo e diritti umani, in GARGIULO e VITUCCI, La tutela dei diritti umani nella lotta e nella guerra al terrorismo, Editoriale Scientifica, Napoli, 2009, p. 50.
761 KAUNERTS and ZWOLSKI, The EU as a global security actor: a comprehensive analysis beyond CFSP and JHA, Palgrave Studies in European Union Politics, 2013, p. 108.
762 ARCHICK, US-EU Cooperation against terrorism, Congressional Research Service Report, RS22030, 2 March 2016.
763 KAUNERTS and ZWOLSKI, The EU as a global security actor, pp. 59-61.
764 See supra, Chapter II, para. 4.
765 Agreement between the United States of America and the European Police Office, Brussels, 6 December 2001.
766 Art. 1
767 Supplemental Agreement between the United States of America and the European Police Office on the exchange of personal data and related information, Copenhagen, 20 December 2002.
768 KAUNERTS and ZWOLSKI, The EU as a global security actor, p. 103.
769 See CÎRLIG, EU-US cooperation in Justice and Home Affairs – an overview, European Parliament Research Service Briefing, PE 580.892, April 2016, p. 6.
770 Conclusions adopted by the Council (Justice and Home Affairs), Brussels, 20 September 2001, SN 3926/6/01 REV 6.
Besides establishing a common framework for all Member States, the extradition agreement also provides for the streamlining of information exchange and document transmissions[775], and sets rules to determine priority in the event of competing extradition requests[776]. The most heated debate surrounding the adoption of the extradition agreement concerned the death penalty: the US eventually agreed to the inclusion of a provision by which, when the crime for which an individual is sought is punishable with the death penalty under American criminal law, EU Member States may grant extradition only on the condition that the death penalty will not be imposed, or, if imposed, not carried out[777].

The mutual legal assistance agreement, instead, increases cooperation in investigations and evidence gathering. It allows requests for bank or other financial information related to individuals charged with criminal offenses[778], and enables the establishment of joint investigative teams for cross-border criminal investigations or prosecutions[779] and the use of modern technology, such as video conferencing, for the purposes of taking testimony in criminal proceedings[780]. A third agreement on judicial cooperation was signed between the United States and Eurojust in 2006, concerning the establishment of liaison prosecutors and the exchange of personal data in order to counter “serious forms of transnational crime, including terrorism”[781].

Finally, combined EU-US efforts exist with the purpose of tracking and suppressing the finance of terrorism[782], and also increasing border control and aviation and maritime security[783].

At times, the differences in the perception of and in the strategies adopted in the fight against terrorism have had negative repercussions on EU-US counter-terrorism relations[784]; cooperation in this field, however, remains largely positive. Periodic frictions have arisen with respect to issues such as the criteria used for the designation of terrorist lists[785], and the detainee policies furthered by the US in sites such as Guantanamo. Among the main bones of contention present in current transatlantic counter-terrorism relations, discussions relating to privacy and data protection – arising from the essentially different conception the EU and the US traditionally have concerning these rights – are, perhaps, the most prominent. These have been exacerbated by the Snowden revelations of 2013, which disclosed the existence of covert data collection programs operated by the American government, thus triggering strong opposition among European institutions, deeply concerned with the legal and political implications of such “mass surveillance” activities.

[771] Agreement on extradition between the European Union and the United States of America, 25 June 2003, O.J. L 181/27, 19.7.2003.
[772] Agreement on mutual legal assistance between the European Union and the United States of America, 25 June 2003, O.J. L 181/34, 19.7.2003.
[773] Council Decision 2009/820/CFSP of 23 October 2009, O.J. L 291/40, 7.11.2009.
[774] For an analysis of the two agreements see MITSILEGAS, The New EU-USA cooperation on Extradition, Mutual Legal Assistance and the Exchange of Police Data, European Foreign Affairs Review, Vol. 8, 2003, pp. 523-533.
[775] Arts. 5, 7, and 8.
[776] Art. 10(2), in particular, sets requests made by the US on equal footing with requests made by a Member State pursuant to an EAW; the requested Member State, in cases such as the foregoing, must not therefore immediately comply with the EAW but instead assess which request should receive priority based on their respective merits. See Council doc. 8024/11 of 25 March 2011, Annex: Handbook on the practical applications of the EU-US Mutual Legal Assistance and Extradition Agreements, Part III(h), pp. 15-17.
[777] Art. 13.
[778] Art. 4.
[779] Art. 5.
[780] Art. 6.
The following paragraphs will now turn to the analysis of the American legal framework for the collection and use of personal data for counter-terrorism purposes. As will be explained at the end of this Chapter, despite European criticism of American surveillance programs – which is perhaps equaled by American criticism of European data protection legislation – recent events signal that the two sides of the Atlantic seem to be converging, or are at least moving in this direction, towards a mutually acceptable regulation of data collection and use in the context of counter-terrorism efforts.

[781] Agreement between Eurojust and the United States of America, 6 November 2006, art. 2.
[782] See ARCHICK, US-EU Cooperation against terrorism, pp. 10-13.
[783] The main challenge presented by these latter measures is the attempt to balance the improvement of border safety and the continuance of transatlantic travel and commerce. See ARCHICK, US-EU Cooperation against terrorism, pp. 23-28.
[784] REES, US-EU 'Homeland Security' Cooperation, p. 134; see also REES and ALDRICH, Contending cultures of counterterrorism: transatlantic divergence or convergence?, International Affairs, Vol. 81, No. 5, 2005, pp. 905-923.
[785] The US has strongly pushed for the EU to add charities related to Hamas and Hezbollah to its list of terrorist organizations.

2. Data surveillance legislation.

From an American perspective, the use of personal data for counter-terrorism purposes resides within the well-established framework of surveillance activities. Activities involving forms of surveillance, in fact, have deep roots in American intelligence history. This is mainly due to the nature of the United States, and its need to gather intelligence – mostly foreign – because of its role as a major world superpower of the XX century. Scholars use the expression “surveillance law” to summarize the bulk of legislation and rules concerning the requirements and lawfulness of such surveillance activities.
Surveillance law in general is comprised of two branches: law enforcement surveillance, and national security surveillance. The former consists in traditional law enforcement activities which are furthered in the course of criminal investigations, such as wiretaps, enacted when a person is suspected of having committed a crime or where it is likely that a crime may be committed in the future. The latter, on the other hand, involves surveillance activities that are conducted for national security purposes. As the use of personal data for counter-terrorism purposes falls in this category, national security surveillance will therefore be the exclusive focus of this dissertation. In particular, the object of this analysis will be those surveillance systems which are not tailored towards specific individuals deemed of relevance for national security purposes, but rather affect the general population or, at least, a significant portion of it.

2.1 Privacy and data protection in the US legal system.

Before engaging in the legal analysis of the national security surveillance systems enacted by the United States, it seems appropriate to lay down the basic elements of the American privacy framework. The American Constitution does not explicitly safeguard the right to privacy. Rather, the right to privacy is one of those rights which according to legal doctrine are found in what is known as the “penumbra” of the Constitution. In the American legal system, there are two main sources whence the right to privacy derives: from a Constitutional standpoint, the IV Amendment; from a statutory standpoint, the Privacy Act of 1974. Both, however, have significantly evolved from their original content.

As anticipated, in the American Constitution there is no explicit mention of privacy; the development of a right to privacy has thus heavily relied on the jurisprudence of the Supreme Court.
The first instance where the Court recognized and articulated the existence of a right to privacy was in Griswold v. Connecticut[786], where a majority of justices – for the first time – agreed upon the existence of a Constitutional right to privacy, yet not on its origin: in that case alone, three different legal theories were set forward, involving a total of six different Amendments, as possible bases for the establishment of a right to privacy within the Constitution[787]. Griswold, however, together with following seminal decisions such as Roe[788] and Lawrence[789], belongs to a branch of Supreme Court holdings which identify the right to privacy primarily as reproductive or sexual freedom[790]. In Griswold, the Court held that a couple's decision to access birth control was protected by a right to privacy, and could therefore not be subject to State limitations; in Roe, abortion was legalized on the grounds that the right to privacy “is broad enough to encompass a woman's decision whether or not to terminate a pregnancy”; in Lawrence, the Court decided that the right to privacy, as a liberty interest, prohibits States from regulating (in that case, punishing) adult consensual sexual intimacy in the home. This line of cases demonstrates that the notion of privacy, as it developed in the American legal system, does not entirely correspond to that which is recognized in European constitutional traditions[791]; the two notions surely overlap, but do not completely coincide.

One facet of the right to privacy closer to the European perception – and more relevant for the purposes of this dissertation – is that enshrined in the IV Amendment, pursuant to which “the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures shall not be violated”[792]. Reasonableness is established when the search or seizure takes place pursuant to a valid warrant issued by a court which, in turn, must be based on “probable cause” that unlawful activity has been, is being, or will be conducted. The IV Amendment was included in the Bill of Rights as a protection against governmental physical surveillance, and is more similar to the European conception of privacy in the sense that, more than providing the grounds for a positive assertion of one's freedoms – for example, the freedom to dispose of one's body as one sees fit[793] –, it constitutes a bulwark against external intrusions in one's private sphere. In other words, it implies that something private must be protected from possible intrusions by someone or something else.

Two points must however be stressed here. Firstly, when the Constitution was drafted – in the late eighteenth century –, physical surveillance merely amounted to following people, eavesdropping on them, or examining their property; that is why the IV Amendment requires “searches” and “seizures” to be reasonable[794]. The protection of an individual's privacy was thus conceived as necessarily passing through the protection of his personal spaces and belongings. Secondly, the IV Amendment was designed to protect individuals from intrusions by the government, and not by other private entities. The evolution of technologies, however, increased the possibilities of, and essentially simplified, invading one's private sphere, consequently raising the potential interest governmental authorities may have in carrying out such intrusions for law enforcement purposes – thus rendering the limited provisions in the Constitution obsolete. The true dimension of the IV Amendment has therefore relied on its interpretations by the Supreme Court.

In Katz[795], the Supreme Court came to the conclusion that the IV Amendment “protects people, not places”, and that its safeguards apply, irrespective of one's location, whenever an individual has “an actual expectation of privacy that society recognizes as reasonable”. This decision is of particular importance for the subsequent establishment of the notion of data protection in the American privacy framework – rectius, its non-establishment. Personal information, therein including personal data, is in fact often revealed by individuals for different purposes – commercial, medical, financial, and the like. However, the Supreme Court has consistently held that when such information is handed over to a third party, public or private, the individual loses his IV Amendment safeguards; the government may therefore access such information without a warrant being necessary. The protections of the IV Amendment, in fact, were put in place to protect only places, things and conduct in relation to which the individual carries a legitimate or reasonable expectation of privacy; an expectation of privacy with respect to information that was voluntarily disclosed is, in the eyes of the Court, not reasonable nor, therefore, legitimate. This theory is referred to as the “third party doctrine”, and was first established by the Supreme Court in United States v. Miller[796], with respect to financial records, and in Smith v. Maryland[797], concerning telephone records; and later extended by federal courts to certain internet activity data, such as material publicly posted on-line[798].

[786] Griswold v. Connecticut, 381 U.S. 479 (1965).
[787] For justices Douglas and Clark, privacy rests on the combined reading of the I, III, IV, V, and IX Amendments; for justices Goldberg, Brennan, and Warren, on the IX Amendment; for justices Harlan and White, on the due process clause of the XIV Amendment. Justices Black and Stewart, dissenting, maintained that they found “no such general right of privacy in the Bill of Rights, in any other part of the Constitution, or in any case ever decided by [the Supreme] Court”.
[788] Roe v. Wade, 410 U.S. 113 (1973).
[789] Lawrence v. Texas, 259 U.S. 558 (2003).
[790] See EPSTEIN and WALKER, Constitutional Law for a changing America, CQ Press, 2015, p. 543.
[791] According to WHITMAN, European and American legal traditions reflect two different “cultures of privacy”: while the American conception of privacy is oriented towards the protection of individual liberty against the State, in Europe privacy tends to protect the right to respect and personal dignity. See WHITMAN, The two western cultures of privacy: dignity versus liberty, The Yale Law Journal, Vol. 113, No. 6, 2004, pp. 1151-1221.
[792] Compare to art. 8(1) ECHR, by which “everyone has the right to respect for his private and family life, his home and correspondence”, and art. 7 EU Charter, under which “everyone has the right to respect for his or her private and family life, home and communications”.
[793] See also Cruzan v. Director, Missouri Department of Health, 497 U.S. 261 (1990), where the right to privacy was construed as to encompass the right to terminate medical treatment.
[794] See CHESTERMAN, One nation under surveillance. A new social contract to defend freedom without sacrificing liberty, Oxford University Press, 2011, p. 95. CHESTERMAN points out that a second form of surveillance, as opposed to IV Amendment physical surveillance, is psychological surveillance – which may take place through torture or forced testimony. The provisions that prevent this sort of intrusion in an individual's sphere, in turn, are the V Amendment (against self-incrimination) and the VIII Amendment (against cruel and unusual punishment).
[795] Katz v. US, 389 U.S. 347 (1967). The case in question involved the placing, by federal agents, of listening and recording devices inside public telephone booths known to be used by a subject of a federal investigation.
Although in at least one case the Court took into consideration the possibility of a constitutional protection for “personal information” by considering it as a liberty interest protected by substantive due process[799], the Court has generally been silent on the existence of a constitutional right to information privacy[800].

The shortcomings of the constitutional framework concerning the protection of personal data were partially amended through subsequently enacted statutes. The basic privacy statute, roughly comparable to the European Data Protection Directive (now General Data Protection Regulation), is the Privacy Act of 1974[801]. The Privacy Act governs the collection, maintenance, use, and dissemination of personal information that is contained in “systems of records” by federal agents. It imposes a number of requirements on the federal agencies maintaining such systems of records, including purpose limitation, data security, and data quality; it also provides individuals with civil remedies in the event of unlawful processing of data.

The Privacy Act is rather weak if compared to European data protection legislation[802]. Unlike the EU General Data Protection Regulation, in fact, the Privacy Act does not apply to private entities but only to federal agencies.

[796] United States v. Miller, 425 U.S. 435 (1976).
[797] Smith v. Maryland, 442 U.S. 735 (1979).
[798] Guest v. Leis, 255 F.3d 325 (6th Circuit, 2001). See GARLINGER, Privacy, free speech, and the Patriot Act: first and fourth amendment limits on national security letters, New York University Law Review, Vol. 84, 2009, pp. 1113-1114.
[799] Whalen v. Roe, 429 U.S. 589 (1977).
[800] BIGNAMI, European versus American Liberty: a comparative privacy analysis of antiterrorism data mining, Boston College Law Review, Vol. 48, 2007, p. 625.
[801] 5 U.S.C. § 552(a)-(v).
Moreover, enforcement mechanisms are limited – as it is hard for individuals to prove they have suffered actual injury due to a violation of the provisions of the statute –, and many exceptions were added exempting certain agencies from the duties established in the Act[803]. A general exemption, in particular, was added for systems of records held by the Central Intelligence Agency (CIA) and for “agencies or components thereof which perform as its principal function any activity pertaining to the enforcement of criminal laws”[804].

The Privacy Act was supplemented by later statutes addressing specific types of personal information, such as the Right to Financial Privacy Act (RFPA) of 1978[805], which regulates the government's access to information contained in financial records, and the Electronic Communications Privacy Act (ECPA) of 1986, which governs the government's access to wire, oral and electronic communication[806]. This latter statute is of particular interest as it governs and regulates activities conducted for law enforcement purposes – such as, for example, wiretaps – and thus provides heightened privacy standards in domestic investigations. Again, however, what emerges from the statutory additions to the right to privacy is, in general, the fact that the data protection framework is not comprehensive, but rather the result of piecemeal amendments or enactments covering specific sectors at a time; and, in particular, the absence of a comprehensive data protection scheme in the private sector[807]. Moreover, significant exceptions – fully allowing disclosure of personal information in specific circumstances – are present in both of the foregoing statutes[808].

[802] See BIGNAMI, European versus American Liberty, pp. 631-635.
[803] 5 U.S.C. § 552(j) and (k).
[804] 5 U.S.C. § 552(j)(2).
[805] 12 U.S.C. § 3401-3422.
[806] The ECPA is comprised of three parts: the Wiretap Act (18 U.S.C. § 2510-2522), which focuses on communications intercepted while in transmission, already known as Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (commonly referred to as “Title III”); the Stored Communications Act (18 U.S.C. § 2701-2712), which regulates access to communications in electronic storage; and the Pen Register Act (18 U.S.C. § 3121-3127), governing the government's use of pen registers and trap and trace devices, on which see infra, para. 2.2.1. For a detailed analysis of the ECPA see SOLOVE, Reconstructing Electronic Surveillance Law, The George Washington Law Review, Vol. 72, No. 6, 2004, pp. 1701-1747.

2.2. National security surveillance law.

As anticipated above, American legal doctrine distinguishes surveillance conducted for law enforcement purposes from that conducted for national security purposes. The concept of “national security surveillance”, thus involving activities exceeding the scope of ordinary criminal investigations, developed during World War II, when President Roosevelt expressed the desire “that listening devices be used when grave matters involving the defense of the nation, such as espionage or subversion, might be involved”[809]. For obvious historical reasons, terrorism was not a concern at those early stages.

Initially, the Supreme Court generally endorsed such surveillance activities, consistently holding that the placing of wiretaps to overhear conversations did not constitute trespassing, and therefore fell outside the scope of the IV Amendment[810]. This inclination stemmed from the absence in the Constitution, as explained above, of a clearly defined right to privacy; the IV Amendment jurisprudence was therefore based on the protection of property from government trespassing rather than the protection of privacy[811].
Even when, in Katz, the interpretation of the IV Amendment shifted towards the idea that it should “protect people, not places”, thus making a warrant always mandatory in the event of electronic surveillance, the Court pointed out that its decision did not, however, apply to national security surveillance. The need for lower privacy standards in national security surveillance emerged even stronger during the cold war, when it appeared obvious that espionage activities conducted on American soil against potential threats for national security (for example, the staff of Soviet embassies) should not require the same level of protection afforded to American citizens in the course of ordinary criminal investigations through the IV Amendment and Title III (namely, the need for a warrant issued by a judge subject to the existence of probable cause)[812].

[807] See SHAFFER, Globalization and social protection: the impact of EU and international rules in the ratcheting up of U.S. privacy standards, The Yale Journal of International Law, Vol. 25, 2000, pp. 2-86.
[808] See infra, para. 2.2.3.
[809] CINQUEGRANA, The walls (and wires) have ears: the background and first ten years of the Foreign Intelligence Surveillance Act of 1978, University of Pennsylvania Law Review, Vol. 137, 1989, p. 798.
[810] Olmstead v. United States, 277 U.S. 438 (1928); Goldman v. United States, 316 U.S. 129 (1942). In Olmstead, the issue was whether private telephone conversations intercepted through warrantless wiretaps were admissible in criminal court. The Court held that “voluntary conversations secretly overheard” could not be compared to “things” seized by the government, and that IV Amendment protection should therefore not apply. A famous dissent, calling for a wider interpretation of the safeguards set by the IV Amendment, was written by Justice Brandeis – widely recognized as the “inventor” of the concept of the right to privacy.
[811] CINQUEGRANA, The walls (and wires) have ears, p. 798.
The line between the two was finally traced by the Supreme Court in 1972 in the Keith case[813]. The case involved a member of a radical domestic group (“White Panthers”) who had been accused of placing a bomb in a CIA recruiting office in Michigan. During the investigations, the government had engaged in electronic surveillance of the individual (in that case, wiretapping) without obtaining a court warrant beforehand. The Court was thus called to answer the question whether the government's activity constituted a violation of the requirements set by the IV Amendment. The government sought an exception to the IV Amendment by arguing that said activity had taken place pursuant to the President's inherent power to “preserve, protect and defend the Constitution of the United States”[814]. The Court, however, unanimously held in favor of the defendant. While holding that the safeguards of the IV Amendment and Title III could be lifted for national security purposes, because they involved “different policy and practical considerations from the surveillance of ordinary crime”[815], it also made a distinction between the domestic aspects of national security (such as those relating to the defendant, a member of a purely domestic radical group), and the activities of foreign powers or their agents[816], and found that the constitutional requirements could be omitted only in the latter case. Concerning the former, in fact, the Court feared that allowing an exception to the IV Amendment warrant requirement would signify unrestricted power for the government to engage in broad surveillance of American citizens.

What emerges as striking from this early case is the different level of legal protection granted to American citizens, on one side, and everyone else, on the other. As will be further shown, this distinction has remained consistent in the American approach to surveillance[817].

The Supreme Court's decision in Keith set the ground for the establishment of the current legal framework for national security surveillance, which is today comprised of three main instruments: the Foreign Intelligence Surveillance Act (FISA), Executive Order 12.333, and National Security Letters. The use of personal data for counter-terrorism purposes falls within this framework. It has been argued[818], however, that while the original intent of these measures was to control government surveillance activities when directed towards American citizens, recent developments – spurred by counter-terrorism efforts – have, in fact, determined the opposite effect: amendments of FISA, especially, have laid the ground for unrestricted government surveillance involving not specific individuals, but broader parts of the population.

[812] SWIRE, The System of Foreign Intelligence Surveillance Law, The George Washington Law Review, Vol. 72, 2004, pp. 1312-1313.
[813] United States v. United States District Court for the Eastern District of Michigan, 407 U.S. 297 (1972).
[814] U.S. Constitution, art. II.
[815] Judgment of the Court, para. 322.
[816] See BIGNAMI, The US legal system on Data Protection in the field of law enforcement. Safeguards, rights and remedies for EU citizens, Study for the European Parliament LIBE Committee, PE 519.215, 2015, pp. 20-21.

2.2.1 The Foreign Intelligence Surveillance Act.

The Foreign Intelligence Surveillance Act[819] (henceforth FISA) was adopted in October 1978 in order to provide a legal framework for foreign intelligence surveillance of electronic communications which took place inside the United States.
FISA was adopted in the midst of political turmoil created by the aftermath of the Watergate scandal and the findings of the Church Committee, which had been appointed to investigate abuses of authority committed by intelligence agencies and had revealed the existence of substantial infringements on individual privacy rights[820], in particular through the use of warrantless electronic surveillance of US citizens “who were not readily identifiable as reasonable sources of foreign intelligence information, who appeared to pose little threat to the national security, and who were not alleged to be involved in any criminal activity”[821]. These two circumstances convinced Congress that legislation was needed to prevent the executive from engaging in broad surveillance of the American people; FISA was thus enacted precisely for that purpose.

Scholars refer to FISA as a compromise between the legal and political tension to safeguard civil liberties, on one hand, without depriving the government of a useful tool to gather foreign intelligence, on the other[822]. When FISA was enacted, in 1978, it was meant to allow only the surveillance of “electronic communication”[823] which took place inside the United States, when the investigation was conducted for “the primary purpose” of obtaining foreign intelligence[824].

[817] NSA director, Gen. Hayden, notoriously stated that “the IV Amendment is not an international treaty”. CBS News, 30 June 2013.
[818] BOWDEN and BIGO, The US surveillance programs and their impact on EU citizens' fundamental rights, Study for the European Parliament LIBE Committee, PE 474.405, 2013; BIGNAMI, The US legal system on Data Protection.
[819] 50 U.S.C. §§ 1801-1885c.
[820] Final Report of the Select Committee to study governmental operations with respect to intelligence activities, 23 April 1976, U.S. Government Printing Office, Washington.
[821] CINQUEGRANA, The walls (and wires) have ears, p. 807.
In fact, in order to acquire personal information under FISA, the government had to show “probable cause” that “the target of the electronic surveillance is a foreign power or an agent of a foreign power”[825]. This provision contained two essential safeguards against broad surveillance: first of all, the surveillance powers available in FISA could only be used against specific, targeted individuals who had to be identified before the interception of the communication took place; secondly, surveillance was subordinated to a probable cause standard, which, although not as rigorous as that established for law enforcement surveillance (which requires probable cause that the individual in question has committed, is committing, or will commit a particular crime), nonetheless required the applicant to demonstrate probable cause that the entity or individual to be placed under surveillance was a foreign power, or an agent of a foreign power[826].

Moreover, the government was also required to adopt “minimization procedures”[827] in order to reduce to a minimum the amount of information acquired concerning US persons (i.e. citizens, permanent residents, and certain corporations and associations[828]). Minimization was mandated not only with respect to the analysis of the data, but to its acquisition and retention as well.

Finally, in order to actually conduct the surveillance activities, the government was required to file an application for an order approving the sought interception before a special judicial body established ex novo, the Foreign Intelligence Surveillance Court (FISC)[829], constituted by eleven (originally seven) district court judges. A Foreign Intelligence Surveillance Court of Review was also established.

One of the features of FISA which immediately catches the European observer's eye is the double standard of protection afforded to US citizens and non-citizens. While the privacy of US citizens is safeguarded by various provisions throughout the Act[830], no mention is made or concern raised regarding privacy rights of individuals who do not fall within the category of “US persons”.

Originally, FISA only governed the conducting of “electronic surveillance”. However, its scope was expanded over time to other measures commonly used for domestic criminal investigations by law enforcement authorities. Although major changes were enacted as a response to 9/11, FISA was already amended in 1998 to allow “the installation and use of a pen register or trap and trace device for foreign intelligence and international terrorism investigations”[831]. A pen register is a device that records or decodes information transmitted by an instrument, such as the destination of a communication; a trap and trace device, instead, captures information incoming to an instrument, such as the number of a received call[832]. Together, these devices allow what is referred to as “metadata surveillance”, i.e. the acquisition of to/from information pertaining to telephone calls, emails, and visited websites.

[822] SWIRE, The System of Foreign Intelligence Surveillance Law, pp. 1320-1325.
[823] Defined at 50 U.S.C. § 1801(f).
[824] 50 U.S.C. § 1804(a)(6)(B). As will be explained further, the standard has been lowered and obtaining foreign intelligence must now be a “significant” purpose of the investigation rather than its “primary” purpose.
[825] 50 U.S.C. § 1805(a)(2)(A).
[826] See DONOHUE, Bulk metadata collection, pp. 783-793.
[827] 50 U.S.C. § 1801(h).
[828] 50 U.S.C. § 1801(i).
[829] 50 U.S.C. § 1803.
Unlike regular electronic surveillance, involving content, there is no requirement that the target of the surveillance be an agent of a foreign power[833]; moreover, providers of electronic communication services are required to “furnish […] technical assistance necessary to accomplish the installation and operation”[834] of said devices, and to refrain from disclosing their existence. This latter provision, because of its “silencing” nature, is often referred to as the “gag rule”[835]. Furthermore, providers of wire or electronic communications are required, upon request of the applicant Federal agency, to disclose personal information relating to the customer or subscriber using the service covered by the order[836], as well as to any customer or subscriber of incoming or outgoing communications to or from the service covered by the order[837].

[830] For example, pursuant to 50 U.S.C. § 1801(b), a US person may be considered an “agent of a foreign power” only if he knowingly engages in clandestine intelligence gathering activities, sabotage or international terrorism, while non US persons are considered “agents of a foreign power” as long as they “act as an officer or employee of a foreign power”; pursuant to 50 U.S.C. 1801(h), minimization procedures limiting the effect of electronic surveillance must be adopted only towards US persons; pursuant to 50 U.S.C. 1802(a)(1)(A) and (B), there is no need of a FISC order when the electronic surveillance is solely directed at the acquisition of communications between foreign powers, or there is no substantial likelihood that the surveillance will acquire communications to which a US person is party.
[831] 50 U.S.C. §§ 1841-1846.
[832] The definitions of the terms “pen register” and “trap and trace device” can be found at 18 U.S.C. § 3127(3) and (4).
[833] BIGNAMI, The US legal system on Data Protection, p. 24.
[834] 50 U.S.C. § 1842(d)(2)(B)(i).
[835] 50 U.S.C. § 1842(d)(2)(B)(ii).
This means that individuals who are not involved in investigations may have their personal information disclosed to governmental authorities. Providers may receive compensation for any reasonable expense incurred in providing the information, or the technical assistance838. In the same year, FISA was also extended to allow the FBI limited access to tangible business records, such as those held by common carriers (buses, airplanes, and railroads), public accommodation facilities (motels, hotels), physical storage facilities, and vehicle rental facilities839: essentially, records relating to travel-related businesses. In order to access such documents, the applicants must seek to obtain a subpoena from a FISC judge which differs from ordinary subpoenas in that the recipient is prohibited from disclosing the existence of the subpoena, and the customer or client (i.e. the target of the investigation) may not contest the court order – in fact, the targeted individual might not even be aware of it. The Foreign Intelligence Surveillance Court issues the requested subpoena if the applicant shows that the records are being sought for foreign intelligence purposes or for an investigation concerning international terrorism, and there are specific facts giving reason to believe that the person to whom the records pertain is a foreign power or an agent of a foreign power. These provisions were, to some degree, influenced by episodes of terrorist activity which had taken place in the United States in the early nineties, such as the World Trade Center bombing of 1993 and the Oklahoma City bombing of 1995840.

836 50 U.S.C. § 1842(d)(2)(C)(i). The personal information to be disclosed includes: the name of the customer or subscriber; address; telephone or instrument number; length of the provision of service; types of services utilized; local or long distance telephone records; records reflecting periods of usage; mechanisms or sources of payment for such service, including the number of any credit card or bank account used for payment of the service.
837 50 U.S.C. § 1842(d)(2)(C)(ii).
838 50 U.S.C. § 1842(d)(2)(B)(iii).
839 50 U.S.C. § 1861-1863.
840 SWIRE, The System of Foreign Intelligence Surveillance Law, p. 1329.

2.2.2 Executive order 12.333

The originally limited scope of FISA to certain types of domestic electronic surveillance left a wide range of activities unregulated. In particular, FISA was not applicable to any type of foreign intelligence surveillance that was not “electronic”, as defined by FISA, or took place entirely outside the United States – as FISA safeguards only applied to surveillance which occurred within United States boundaries. The American legislator was well aware of these shortcomings while FISA was being drafted and felt the need to point out that “the fact that [FISA] does not bring the overseas surveillance activities of the U.S. intelligence community within its purview […] should not be viewed as a congressional authorization of such activities as they affect the privacy interests of Americans” 841. This deficiency was partly remedied by Executive Order 12.333, adopted by President Reagan in 1981842. Executive orders are presidential directives which require or authorize action within the executive branch843. Executive Order 12.333, in particular, was meant to provide a legal framework for surveillance activities that fell outside the purview of FISA, namely: foreign-to-foreign electronic communications; foreign intelligence, inside or outside US borders, not involving electronic communications; personal data on US persons incidentally collected in foreign intelligence surveillance 844.
Despite the fact that its self-declared purpose was to establish “certain general principles that […] are intended to achieve the proper balance between the acquisition of essential information and protection of individual interests”845, the privacy standards set in Executive Order 12.333 are much more relaxed compared to the requirements set by FISA. In fact, surveillance activities regulated by Executive Order 12.333 can be conducted without prior authorization by a court, such as FISC, and are instead merely supposed to abide by procedures established by the head of each element of the Intelligence Community 846, and approved by the Attorney General847.

841 H.R. Rep. No. 95-1283(1), 1978, at 50-51, cited by DONOHUE, Section 702 and the collection of international telephone and internet content, Harvard Journal of Law and Public Policy, Vol. 38, p. 145, at note 55.
842 Executive Order 12.333 was amended three times: in 2003, by Executive Order 13.284; in 2004, by Executive Order 13.355; and, finally, in 2008, by Executive Order 13.470.
843 Definition by MAYER, Executive Orders and Presidential Power, The Journal of Politics, Vol. 61, No. 2, May 1999, p. 445. MAYER adds that “Presidents have used executive orders to establish policy, reorganize executive branch agencies, alter administrative and regulatory processes, affect how legislation is interpreted and implemented, and take whatever action is permitted within the boundaries of their constitutional or statutory authority”.
844 As DONOHUE recalls in Section 702, at note 99, the House of Representatives Report on FISA explained that “[FISA] does not afford protection to US persons who are abroad, nor does it regulate the acquisition of the contents of international communications of US persons who are in the United States, where the contents are acquired unintentionally”. See also BIGNAMI, The US legal system on Data Protection, p. 27.
845 Executive Order 12.333, para. 2.2.
Moreover, it is required that Agencies involved in data surveillance “use the least intrusive collection techniques feasible” 848. All the – indeed very basic – protections granted under Executive Order 12.333, however, are almost entirely designed to apply exclusively to US persons849.

2.2.3 National Security Letters

National Security Letters (NSLs) are a form of administrative subpoena available to the government – and mainly to the FBI – in national security investigations, through which certain commercial entities can be compelled to disclose personal information relating to clients or customers. Similarly to FISA orders, NSLs differ from ordinary court subpoenas in the sense that recipients are prohibited from revealing that the government had sought records pertaining to certain individuals; however, NSLs require no prior judicial review of the government's demand. FBI officials, that is, have the power to autonomously draft and issue requests compelling certain service providers to hand over certain categories of information with no judicial oversight in the process. Despite the particularly intrusive nature of NSLs, the information acquired by the government through this means does not, from a Constitutional point of view, fall under the protection of the IV Amendment as it involves personal data the individual has already voluntarily handed over to third parties. Moreover, a peculiar feature of NSLs which renders such an instrument even more dangerous to the privacy of individuals is that the privacy interests of the recipient of the NSL (i.e. the private company) are at no point entirely at stake, thus giving the recipient little incentive to disregard or challenge the subpoena850.
An early form of NSL was created as an exception to the privacy requirements established by the Right to Financial Privacy Act (RFPA) that financial institutions were required to abide by with respect to financial information pertaining to their customers. In particular, Section 1114(a) simply stated that the rules set by the RFPA did not apply to requests for production of financial records issued by the Government. This provision, however, did not grant the government affirmative authority to request the documents, nor did it mandate financial institutions to hand them over: it merely stated an exception, thus providing a legal safeguard to those companies which turned over the sought-after documents upon governmental request. Some companies, however, denied the government access to the documents because of the existence of State law explicitly prohibiting such practice 851.

846 Executive Order 12.333 also established the so-called “Intelligence Community”, a federation of sixteen government agencies belonging to different federal departments, such as Defense, Justice, State, Treasury – with the exception of the CIA, which is an independent agency not linked to any federal executive department – responsible for conducting intelligence gathering operations. Among the elements of the Intelligence Community are the Central Intelligence Agency (CIA), the Intelligence Branch of the FBI, and the National Security Agency (NSA).
847 Executive Order 12.333, para. 2.3. The United States Attorney General is the head of the Department of Justice.
848 Executive Order 12.333, para. 2.4.
849 BIGNAMI, The US legal system on Data Protection, p. 27.
850 SCHULHOFER, Rethinking the Patriot Act, p. 52.
Explicit authority to request certain commercial documents was first granted to the FBI in 1986, not only concerning financial records but also records held by telephone companies and other communication service providers – the former through an amendment of the RFPA852, while the latter through a provision included in the Electronic Communications Privacy Act (ECPA) passed in that year 853. However, the persistent lack of express enforcement mechanisms or penalties for non-compliance with the production request as well as with the gag order limited the effectiveness of NSLs. The plethora of NSLs was expanded in the mid-nineties with the addition of relevant provisions to the Fair Credit Reporting Act of 1970 854 and to the National Security Act of 1947 855. The former granted the FBI the power to request credit records “for counterintelligence purposes”, while the latter authorized access to a number of records pertaining to certain federal employees856. As Schulhofer points out857, prior to 9/11 NSLs were generally subject to two limitations. Firstly, FBI officials were required to certify that the records were being sought for foreign intelligence purposes, and that there were specific facts showing that the records belonged to the foreign agent858; secondly, only limited categories of personal information could be sought through NSLs – namely, bank records, telephone and other electronic telecommunication providers' billing records, and certain credit agency reports. Furthermore, as NSL statutes envisioned no enforcement mechanisms, acquisition of the sought-after information relied entirely on voluntary compliance from the requested entities.

851 DOYLE, National Security Letters in Foreign Intelligence Investigations: Legal Background, Congressional Research Paper, Report No. RL33320, July 2015, p. 1.
852 12 U.S.C. § 3414(a)(5)(A).
853 18 U.S.C. § 2709(b).
854 15 U.S.C. § 1681(u).
855 50 U.S.C. § 3162. Prior to the Patriot Act, this provision was the only one granting authority to issue NSLs to agencies other than the FBI (“any authorized investigative agency”).
856 This provision in particular was adopted as a consequence of the 1994 Ames espionage case, in which a CIA agent (Aldrich Ames) was convicted for having provided classified information to the Soviet Union.
857 SCHULHOFER, Rethinking the Patriot Act. Keeping America safe and free, The Century Foundation Press, New York, 2005, p. 59.
858 These requirements were the same that were in place for FISC orders to obtain certain records discussed supra, para. 2.2.1. SCHULHOFER, Rethinking the Patriot Act, p. 60.

2.2.4 Surveillance law after September 11th.

Many of the provisions of the above-mentioned instruments allowing the collection and use of personal data for national security intelligence purposes (FISA, Executive Order 12.333, and National Security Letters) were amended or affected by acts adopted following the 9/11 attacks, and thus in the context of the fight against terrorism. In particular, the Patriot Act – by and large the most discussed and criticized piece of legislation enacted in the aftermath of 9/11 – brought or set in motion significant changes in the national security surveillance legislation framework. The purpose of such changes was to enhance and broaden surveillance powers of American governmental agencies, in order to prevent the possibility of terrorist activities, such as those that occurred in New York and Washington. Title II of the Patriot Act, concerning “Enhanced Surveillance Procedures”, is the epitome of the American government's shift from a repressive to a preemptive strategy in countering terrorism. However, alongside heightened surveillance powers, the Patriot Act also provided governmental agencies the power to access business, financial, and personal records – held by private entities – which would have previously been confidential. First of all, various sections of FISA were modified by the Patriot Act, as well as by subsequent statutes such as the Protect America Act (PAA) of 2007, and the FISA Amendments Act (FAA) of 2008 859. The most significant change, perhaps, consisted in the elimination of the barrier that previously prohibited information collected for national security purposes from being used for law enforcement purposes. The reason behind the existence of such a “wall”, as it is commonly referred to in American legal practice, was the preservation of US citizens' IV Amendment rights in criminal proceedings: information gathered in the context of national security surveillance, and thus without the safeguards established by the Constitution – a warrant and probable cause – should not and could not have been used against an individual in a criminal trial. Section 218 of the Patriot Act modified FISA by providing that intelligence gathering pursuant to FISA rules must be a “significant” purpose of surveillance, rather than the purpose tout court. In practical terms, this means that where an investigation involving criminal activity is somehow linked to foreign intelligence – foreign intelligence thus being one, and not the only, purpose of the investigation – less restrictive FISA standards can be used to conduct surveillance instead of Title III safeguards.

859 On how the Patriot Act affected FISA, see generally: SCHULHOFER, Rethinking the Patriot Act, pp. 29-78; JAEGER, BERTOT, MCCLURE, The impact of the USA Patriot Act on collection and analysis of personal information under the Foreign Intelligence Surveillance Act, Government Information Quarterly, vol. 20, 2003, pp. 295-314; KERR, Internet Surveillance Law after the USA Patriot Act: the Big Brother that isn't, Northwestern University Law Review, vol. 97, pp. 607-673.
Moreover, section 504 of the Patriot Act explicitly allows federal officers conducting electronic surveillance to “consult with Federal Law enforcement officers” in order to “coordinate efforts to investigate or protect against […] sabotage or international terrorism by a foreign power or an agent of a foreign power”. Section 501 of FISA, previously recalled, which allowed the FBI to require disclosure of certain travel-related records, was expanded by section 215 of the Patriot Act to include the production of “any tangible thing”, therein including “books, records, papers, documents, and other items” where an investigation was being conducted “to protect against national terrorism or clandestine intelligence”. Despite the heading, which refers to “certain business records”, section 215 expanded the reach of FISC document production orders to non-commercial documents as well, including medical reports, library records, and files pertaining to religious entities such as churches and mosques860. Moreover, although it maintained that the items could be sought only in the course of “an investigation to protect against international terrorism or clandestine intelligence activities”, it did away with the requirement that the application include “specific and articulable facts” that the individual to whom they pertain is an agent of a foreign power. In other words, records other than those pertaining or belonging to the target of an investigation could be sought, as long as they were relevant to the investigation itself, even though they belonged to an individual not subject to any investigation. Section 215 is particularly relevant for the purposes of this discussion as it provided the legal basis for the enactment of the NSA's telephone metadata program861.

860 SCHULHOFER, Rethinking the Patriot Act, p. 62.
The Patriot Act also relaxed the requirements established by FISA for the use of 'pen register' and 'trap and trace' devices862, and expanded the use of roving surveillance – a feature of criminal investigations which consists in keeping track of every form of communication pertaining to an individual, rather than a specific form such as a telephone number or an email account – to FISA investigations as well863. The fragmented statutory framework governing National Security Letters was also amended as a consequence of the Patriot Act, and subsequent legislation 864. In modifying three of the four provisions regulating NSLs 865, section 505 expanded the subjective and objective scope of NSLs – similarly to what it had done with FISC production orders. First of all, it increased the number of FBI officials who are granted authority to issue such requests; secondly, and most importantly, it lowered the standards necessary for issuance of an NSL to a point where not only records “pertaining to foreign powers or to the agent of a foreign power” can be sought, but more generally any record (falling under the definition provided by each provision) which is “relevant to an investigation to protect against international terrorism or clandestine intelligence activities”. In other words, the Patriot Act modified NSL statutes to condition their lawfulness not on the ex ante existence of an objective basis for suspicion (the “specific and articulable facts” standard), but on the possibility that the sought-after documents might – ex post – be relevant to an antiterrorism investigation. Moreover, NSLs can be used to obtain information not limited to individuals known or believed to be agents of foreign powers, but to ordinary American citizens as well866.
In addition to the foregoing amendments, Section 358(g) of the Patriot Act also added a new NSL option under the Fair Credit Reporting Act 867 by which the authority to issue NSLs was extended, with respect to consumer credit records, to any “government agency authorized to conduct investigations of, or intelligence or counterintelligence activities or analysis related to, international terrorism”. The purpose of this provision is to allow agencies other than the FBI to obtain, upon request, information concerning the credit reports of any individual868. The changes brought by the Patriot Act to the scope of NSLs are all the more significant in light of the parallel and independent evolution of the interpretation of the single provisions concerning the type of information government officials are entitled to require. For example, 18 U.S.C. § 2709, which governs the issuance of NSLs directed at the acquisition of “subscriber information”, “toll billing records information” and “electronic communication transactional records” has been interpreted – by the government itself – as allowing requests for an individual's internet web browsing history; while “wire or electronic communication service providers”, the targets of the request, have come to include “any business or organization that enable users to send messages through a web site”, such as, for example, universities, libraries, political organizations, and charities869. The constitutionality of NSLs with respect to the I and IV Amendment was challenged twice in lower federal courts870. Two aspects of NSLs were contested. First of all, the absence of a judicial review mechanism, which the claimants argued amounted to a violation of IV Amendment rights, as it allowed the FBI to issue subpoenas absent verification of their level of “reasonableness” 871, as well as of the I Amendment, because of the chilling effect an unrestricted power to order document production might have on certain types of communication – in particular, activities which take place over the internet. Secondly, the non-disclosure provision (or “gag order”), which according to the plaintiffs constituted an infringement on free speech rights as well. In both cases, the judiciary struck down the contested provisions of the Patriot Act acknowledging that they amounted to a violation of I and IV Amendment rights.

861 See infra, para. 2.4.1.1.
862 USA PATRIOT ACT, §§ 214 and 216. See DONOHUE, Bulk metadata collection: statutory and constitutional considerations, Harvard Journal of Law and Public Policy, Vol. 37, 2014, pp. 793-797.
863 USA PATRIOT ACT, § 206.
864 See NIELAND, National Security Letters and the Amended Patriot Act, Cornell Law Review, Vol. 92, 2007, pp. 1207-1237; GARLINGER, Privacy, free speech, and the Patriot Act: first and fourth amendment limits on national security letters, New York University Law Review, Vol. 84, 2009, pp. 1105-1147.
865 18 U.S.C. § 2709(b); 12 U.S.C. 3414(a)(5)(A); 15 U.S.C. 1681(u).
866 With the exception, which some commentators believe to be merely symbolic, that investigations of U.S. persons may not be conducted solely upon the basis of activities protected by the right to free speech.
867 15 U.S.C. § 1861(v).
The foregoing cases provided impetus for further changes of the NSL framework. The amendment of the NSL framework was in fact completed by the Patriot Act Reauthorization statutes adopted in 2005 and 2006 which, while on the one hand finally set up a judicial review mechanism for NSL requests872, on the other provided for judicial enforcement of said requests and established penalties for non-compliance873. Lastly, section 507 of the Patriot Act added a new, specific counter-terrorism exception to privacy standards in the Family Educational Rights and Privacy Act, allowing government authorities to access confidential education records without resorting to FISC orders or NSLs874.

868 As credit reports contain, in addition to personal data such as one's address, social security number, and employment history, information relating to an individual's expenses, it is possible – and even likely – that they might reveal data that under EU regulation 2016/679 is considered sensitive: for example, detailed medical expenses can reveal one's health condition; bookstore or newsstand expenses can give insight on one's political or religious orientation.
869 NIELAND, National Security Letters, p. 1214.
870 Doe v. Ashcroft; Doe v. Gonzales. The cases only involved NSLs issued under 18 U.S.C. 2709(b).
871 It is noteworthy to stress that in the present case the plaintiff argued for its own privacy right, and not those of its customers.

3. Bulk collection of data.

After having outlined the main features of American surveillance law, and the changes brought to it by post-9/11 legislation, a line – necessary for the purposes of this dissertation – must be traced between “surveillance” and “information gathering”.
Whereas “surveillance” refers to the direct monitoring of individuals or groups, “information gathering” refers instead to the collection of already existing information from third parties; generally, but not exclusively, these third parties are private corporations active in the internet and telecommunication sectors875. The two concepts are comparable in the sense that they both target, albeit in different ways, personal data, that is “any information relating to an identified or an identifiable natural person” 876. One of the most controversial changes in national security surveillance law enacted in the United States following the 9/11 attacks was the increased use of mass information gathering tools or, in other words, the addition – to forms of specific collection of personal data – of forms of bulk collection of personal data877, adopted for the purpose of uncovering terrorists and preventing terrorist activity. Bulk or blanket collection of data can be defined as the collection by government authorities of certain types of personal information (most notably, telephony data, internet data, and related metadata; relevant information, however, includes other types of data such as financial data and travel data) in an all-inclusive fashion and without a precise target.

872 28 U.S.C. § 3511.
873 28 U.S.C. § 3511(c); 18 U.S.C. 1510(e).
874 20 U.S.C. § 1232g(j).
875 Definition taken from GARLINGER, Privacy, free speech, and the Patriot Act, p. 1107, at note 13.
876 Art. 4(1), Regulation (EU) 2016/679. Despite the focus of the discussion being the American legal system, the EU's definition of personal data is preferable.
877 This increased use of “mass surveillance” did not go unnoticed in the press. See, e.g., SAFIRE, You are a suspect, The New York Times, 14 November 2002, available at: http://www.nytimes.com/2002/11/14/opinion/you-are-a-suspect.html?_r=0
In fact, it can be argued that the rationale behind such activities is the reverse of that of regular surveillance activities conducted for law enforcement purposes, such as interceptions. Rather than specific individuals being monitored because there is proof that they pose a threat to the community, the community is instead monitored in search of individuals who might pose a threat to it, rectius, in search of the individuals who pose a specific threat to it878. While in the former mode of surveillance the invariable premise is the commission of a certain crime by a certain individual, the invariable factor in the latter – and the underlying justification for the collection activity itself – is the constant and indisputable presence of a certain threat to the greater public. In other words, in regular surveillance an identified subject (the suspect) is monitored for a potential crime; in bulk surveillance, potential subjects are monitored for an identified crime (terrorism). Alongside targeted surveillance, bulk data collection is another modality through which national security surveillance activities can be pursued, and is, arguably, the most controversial and the one that raises the most issues with respect to possible encroachments on privacy rights. Once the data are gathered, in fact, they are subject to processing activities in the expectation that relevant information will be revealed. One such activity particularly appreciated in counter-terrorism is data mining879. Data mining involves “creating profiles by collecting and combining personal data, and analyzing it for particular patterns of behavior deemed to be suspicious”880. It goes almost without saying that successful data mining implies the processing of very large amounts of personal data. While under European standards data mining is perceived as an unacceptable invasion of privacy, and thus as absolutely forbidden – it is worth recalling that in Digital Rights Ireland the Court of Justice of the European Union struck down the Data Retention Directive, which posited the processing of data through traffic analysis, a much less invasive system than data mining –, the more relaxed privacy standards in the United States have led policy makers and legal scholars alike to accept the possibility, and even endorse the use, of data mining881. The following paragraphs will attempt to examine the most relevant forms of personal data gathering enacted by the US, and in particular by the National Security Agency, as a response to the New York and Washington attacks. The highly controversial nature of the topic imposes certain caveats before its analysis. As the present work aims to be a legal dissertation, while discussing the following issues a purely juridical approach – the only appropriate one in this setting – will be maintained.

878 This idea is also advanced by LYON, who stresses the importance of “Big Data”: “[...] Big Data reverses prior policing or intelligence activities that would conventionally have targeted suspects or persons of interest and then sought data about them. Now bulk data are obtained and data are aggregated from different sources before determining the full range of their actual and potential uses […] to predict and intervene before behaviors, events, and processes are set in train”. LYON, Surveillance, Snowden, and Big Data: Capacities, consequences, critique, Big Data & Society, July-December 2014, p. 4.
879 On the use of data mining in counter-terrorism, see generally SOLOVE, Data mining and the security-liberty debate, The University of Chicago Law Review, Vol. 75, No. 1, 2008, pp. 343-362; RUBINSTEIN, LEE, and SCHWARTZ, Data mining and internet profiling: emerging regulatory and technological approaches, The University of Chicago Law Review, Vol. 75, No. 1, pp. 261-285.
880 SOLOVE, Data mining, p. 343.
The analysis will deal with the mass surveillance programs – a common and more sensationalist expression for activities that involve bulk collection of personal data – enacted by the United States government in the post-9/11 era, focusing especially on the legal grounds for their adoption and their compatibility with Constitutional and statutory provisions. Alleged or unverified facts of tabloid derivation will not be taken into consideration because of their speculative nature.

3.1 Bulk data surveillance by the NSA after 9/11.

Following the events of September 11th, initiatives aimed at the acquisition and subsequent analysis of large quantities of diverse types of personal data for counter-terrorism purposes have been primarily conducted by the National Security Agency (NSA), the leading intelligence agency entrusted with the collection of signals intelligence (SIGINT) 882, created by President Truman in 1952 within the Department of Defense. In reality, the United States government – through its intelligence agencies, i.e. NSA, FBI and CIA883 – has engaged in massive collection of personal data for national security purposes since as early as the 1960s884.

881 According to judge POSNER, “in an era of global terrorism and proliferation of weapons of mass destruction, the government has a compelling need to gather, pool, sift, and search vast quantities of information, much of it personal”. POSNER, Not a suicide pact: the Constitution in a time of national emergency, Oxford University Press, 2006, p. 141, cited by SOLOVE, Data mining, p. 344, at note 9.
882 Signals intelligence, or SIGINT, differs from human intelligence, or HUMINT, which is instead within the remit of the Central Intelligence Agency (CIA).
883 Unlike the NSA and the FBI, the CIA is an independent agency.
These programs885, which mainly involved the collection and analysis of communication data, took advantage of the fact that the privacy framework of the time – essentially consisting in the IV Amendment, and its interpretation by the Supreme Court – had not been able to keep pace with the evolving technologies, thus creating legal ambiguity concerning the lawfulness of said data collection measures. The political upheaval following the disclosure of these programs, in the late 1970s, was one of the factors which eventually led to the adoption of FISA in the first place; the NSA in particular was one of the agencies whose activities had raised the highest concern. The Church reports revealed that the NSA, despite its foreign intelligence mandate, had in fact engaged in broad domestic surveillance of American citizens as well. FISA was thus enacted precisely to keep governmental agencies from engaging in such far-reaching and internal surveillance activities. In the context of the counter-terrorism efforts adopted after 9/11, however, the trend has been again one of increasing use of broad information gathering, targeting not only foreign populations – as was the case for the Echelon program 886 – but American citizens as well.

884 DONOHUE, Bulk metadata collection: statutory and constitutional considerations, Harvard Journal of Law and Public Policy, Vol. 37, 2014, pp. 772-777. However, on mass surveillance programs enacted during the Roosevelt presidency, see KATYAL and CAPLAN, The surprisingly stronger case for the legality of the NSA surveillance program: the FDR precedent, Stanford Law Review, Vol. 60, 2008, pp. 1023-1077.
885 Project MINARET and Operation SHAMROCK, conducted by the NSA; COINTELPRO, conducted by the FBI; Operation CHAOS, conducted by the CIA.
886 Echelon was one of the first systems of bulk data collection to be publicly revealed, between 1999 and 2000.
Its purpose was the interception of international telecommunications such as phone conversations, faxes, and e-mails. From an operational point of view, it was set up under a secret agreement between five States – the US, the UK, Australia, New Zealand, and Canada – known as “UKUSA”, signed in 1947 but officially confirmed only in 1999. Echelon was not therefore exclusively operated by the US government, but relied on external support as well. The disclosure of Echelon's existence caused particular turmoil in the European Union, where a temporary committee was even set up in June 2000 in order to assess the compatibility of such a system with European privacy standards and to evaluate whether European citizens' privacy rights were being violated. However, differently from later programs involving the bulk collection of data, the issue which received the most concern and attention in the debate following the disclosure of Echelon's existence was the extent to which the US government was using the data obtained through Echelon for commercial espionage purposes. The temporary committee's final report – known as the Schmid Report – was adopted on 5 September 2001. Consistently with prior debates, the Report stressed that the main problem with Echelon was “the risk of its network being abused” for commercial purposes, and thus the threat posed by industrial espionage to European industrial competition. Only a minority, in the European Parliament, based its criticism of Echelon on the degree to which it affected European citizens' privacy rights. For a complete account of the action taken by the EU in the wake of the Echelon revelation, see The Echelon Affair. The EP and the global interception system 1998-2002, European Parliamentary Research Service, November 2014, PE 538.877. 
The discussion concerning activities of mass data collection by the NSA was rekindled recently by the 2013 revelations of Edward Snowden, which shed light on two governmental programs grounded on FISA provisions: the call records program, and the infamous PRISM and Upstream programs. Strong opposition to the breadth of these programs came both internally, inside the United States, and externally, from the European Union[887].

3.1.1. The Section 215 call records program.

The NSA telephony metadata collection program was an intelligence program by which the FBI, under section 215 of the Patriot Act[888], periodically requested FISC to order major telecommunication providers[889] to produce telecommunication metadata in bulk to the NSA, for it to be stored, queried, and analyzed for counter-terrorism purposes. Four players were thus involved in the program: the FBI, which has the power to apply for FISC orders under section 215; the Foreign Intelligence Surveillance Court, which was supposed to verify whether the FBI's requests met the standards set by FISA and subsequently issued the court order (which it did for a total of thirty-four times between 2006 and 2013); telecommunication service providers, the recipients of the FISC orders; and finally the NSA, which was in charge of storing and analyzing the personal data it received from the telecommunication providers. As the NSA call records program was structured, all the data passed over from telecommunication service providers to the NSA – which consisted of metadata, and therefore information concerning the number of the calling and receiving mobile devices, duration of the call, as well as its date and location – was stored by the NSA in a gargantuan database. The NSA could thereafter conduct searches of the databases by using a “seed” – i.e.
a piece of already known information, such as a telephone number – concerning which there was “reasonable suspicion” that such an identifier was associated with a terrorist organization. The seed would thus be run against the entire database, leading to other telephone numbers (and related data) that had been in contact with the original number queried. The FISC orders allowed the NSA to access information pertaining not only to the data related to the original number, but also to data related to the result of the first search – in NSA jargon, this process was referred to as “hops”. In fact, FISC orders allowed the NSA to access information within up to three “hops”[890]. Relevant information obtained through such data mining was then turned over to the FBI, or other agencies in the Intelligence Community. Raw data collected and never used was retained for five years from its collection[891].

It has been argued that “the NSA's bulk collection of telephony metadata embodies precisely what Congress sought to avoid by enacting FISA”[892]. As explained above, FISA was in fact enacted precisely to prevent forms of broad surveillance as those revealed by the Church Committee. However, the NSA's call records program – based on FISA – had a scope much wider than that of the surveillance programs carried out before the existence of FISA[893]. Moreover, while FISA meant to provide a higher standard of privacy for American citizens, the information collected in bulk by the NSA through its call records program pertained primarily to calls made within the United States, and between the United States and foreign countries.

[887] BOWDEN and BIGO, The US surveillance programs and their impact on EU citizens' fundamental rights, Study for the European Parliament LIBE Committee, PE 474.405, 2013.
[888] U.S.A. PATRIOT ACT § 215, 50 U.S.C. § 1861 and FISA § 501 all refer to the same provision.
[889] Such as Verizon, AT&T, and Sprint.
According to the government, the telephony metadata program fell within the boundaries of statutory and constitutional lawfulness[894]. With respect to Section 215, the government's arguments can be summarized as follows. First of all, the telephony metadata records were sought in the context of an authorized investigation into international terrorism. Secondly, telephony metadata could be considered a “tangible thing” in the sense of 50 U.S.C. 1861(a)(1); not only did any electronically stored information in general fall under such definition, but “records” of it did so as well, as the term “record” is commonly used in relation to electronically stored information. Thirdly, the data sought by the government was, as by statutory requirement, “relevant” to an authorized investigation to protect against international terrorism.

[890] Given S, the “seed”, NSA was allowed access to data (e.g. phone numbers) directly connected to S, for example a phone number (A) which had been in direct contact with S. NSA, however, was also allowed access to the information relating to phone calls made by A (for which there was no “reasonable suspicion” of terrorist activity, as this had been shown only for S), e.g. to a third phone number, B (the “second hop”). Under the FISC orders, NSA could obtain information relating to B's contacts as well (e.g. a fourth phone number, C – the “third hop”).
[891] See Bulk collection of telephony metadata under Section 215 of the Patriot Act, Administration White Paper, 9 August 2013, pp. 2-5.
[892] DONOHUE, Bulk metadata collection, p. 763.
[893] DONOHUE, Bulk metadata collection, p. 803: “[Its] number eclipses the total number of U.S. citizens subject to the most egregious program previously operated by NSA (Project SHAMROCK), which gave rise to FISA in the first place”.
[894] The Government's stance on and legal assessment of the Section 215 metadata collection program is explained in the Administration White Paper, pp. 5-22.
Compliance with the relevance standard was by far the aspect most deeply analyzed in the Administration White Paper. Here, in order to demonstrate that the relevance standard had been satisfied, the government relied on two arguments: on one hand it argued that “relevance” in general should be interpreted broadly, relying, for this assertion, on the standards commonly used in civil discovery, as well as in administrative and criminal investigations; on the other, it claimed that “a number of textual and contextual indications […] intended Section 215 to embody an even more flexible standard that takes into account the uniquely important purposes of the statute”[895]. Such “textual and contextual indications” included the particular prospective, rather than retrospective, scope of Section 215; the breadth, compared to ordinary criminal investigation, of counter-terrorism investigations; and the existence of prior judicial review by FISC of the government's assertions that the sought-after document indeed met the relevance requirement. Lastly, the absence in Section 215 of any specific limitation of the request to previously existing documents allowed the FBI to request metadata prospectively: the way the system was set up, by which the Foreign Intelligence Surveillance Court routinely, on a 90-day basis, renewed the Government's request for all data stored by the telecommunication providers in the following three months, was therefore justified and, in the Government's opinion, also avoided the excessive amount of paperwork that would be involved if the request were to be renewed on a daily basis.

The Administration then turned to the analysis of whether the NSA call records program complied with Constitutional requirements. In a relatively short assessment, spanning just short of four pages, the Government argued that the program complied with the IV and I Amendments.
Concerning the former, the Administration relied on the Supreme Court's third party doctrine and argued that, as the program targeted information which had already been collected (and would have regardless of Section 215[896]) by the service providers, individuals had no reasonable expectation of privacy on such data; moreover, the scope of the program – in the Government's words, “the fact that the telephony metadata records of many individuals are collected rather than those of a single individual”[897] – bore no relevance, as the sheer volume of the program did not in itself generate higher privacy standards. Furthermore, even if the individuals whose data were collected absent suspicion of wrongdoing (in fact, the vast majority) were found to enjoy a reasonable expectation of privacy, the Government argued that this would nonetheless be trumped – pursuant, again, to Supreme Court jurisprudence[898] – by the minimal nature of the invasion of their privacy[899], on one side, and on the existence of a strong public interest, on the other. Finally, according to the government the NSA call records program entailed no violation of the I Amendment right to free speech as it did not contemplate collection of the content of any communication, nor – for precisely the same reason – did it carry any imaginable chilling effects on protected speech.

[895] Administration White Paper, p. 11.
[896] 47 C.F.R. § 42.6, adopted in 1986, requires carriers to retain metadata for a period of 18 months for billing purposes.

Several misconceptions and inaccuracies make the administration's legal assessment of the call records program unconvincing. Starting with the program's compliance with Section 215 of the Patriot Act[900], the government's argument that all telephony metadata is relevant for counter-terrorism investigations is confuted by a number of arguments. As explained above, pursuant to 50 U.S.C.
§ 1861(b)(2)(A) “tangible things”, including call records[901], could be sought by the FBI if there were “reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation […] to obtain foreign intelligence information […] or to protect against international terrorism”. Two aspects of the NSA's call records program directly contravene this statutory requirement. First of all, the administration's all-inclusive interpretation of the relevance requirement de facto eliminates the difference between relevant and irrelevant records (as, by using the government's standard, the latter category would be empty). Moreover, pursuant to the statutory language, metadata (as any other tangible thing) can be deemed relevant only where such contention rests on reasonable grounds. The provision is to be interpreted in the sense that “reasonable grounds” of establishing relevance must be assessed – for compliance with the statutory framework – not with respect to all the data (i.e. the argument by which all data is in theory relevant for counter-terrorism purposes), but for the records of each customer taken separately. A lawful use of Section 215, that is, would require the government to show reasonable grounds of relevance for each individual whose call records are sought after.

[897] Administration White Paper, p. 20.
[898] Here, the administration cited Maryland v King, 569 US__ (2013).
[899] In many parts of the text the administration points out that the actual content of the phone calls is never analyzed by the NSA.
[900] The view adopted throughout the following analysis is that of DONOHUE, Bulk metadata collection, pp. 836-862.
[901] The USA Freedom Act of 2015 has added a new provision, 50 U.S.C. § 1861(b)(2)(C), specifically governing “the production on an ongoing basis of call detail records”. See infra, para. 2.4.
Secondly, the second part of the provision in question requires relevance to be established in relation to an authorized investigation. The purpose of the provision is to create a “filter” of sorts, which separates things that are relevant to a certain, ongoing investigation – for which a production order can be issued, and can therefore be collected – from things that are not relevant to said investigation, which can therefore not be collected. It is obvious that, pursuant to a rigorous application of the law, the filter lies at the collection, and not at the analysis of the metadata. The NSA call records program, instead, was structured to allow unrestricted collection, with precise rules for limiting which data could be queried, or analyzed. Essentially, the NSA had taken the role and place of the Foreign Intelligence Surveillance Court as arbiter of the selection. Furthermore, the expression “authorized investigation” (rectius, “an authorized investigation”) suggests that the production of the sought data should be subject to the existence of a particular ongoing investigation. The call records program, however, allowed the NSA to obtain data which could have been relevant for – necessarily – future investigations.

Another provision quite obviously violated by the NSA call records program was 50 U.S.C. § 1861(c)(2)(D), according to which “[a court order] under this section may only require the production of a tangible thing if such thing can be obtained with a subpoena duces tecum issued by a court of the United States in aid of a grand jury investigation [...]”. While the general standards to obtain a FISC court order are generally lower than those set for obtaining subpoenas in criminal trials or grand jury investigations[902], this provision was meant to provide a limit to the type of object that could be sought through a FISC tangible goods-production order by holding that the same standards of grand jury subpoenas apply. Under the latter framework, subpoenas may not
Under the latter framework, subpoenas may not 902 See supra, para. 2.2.3. In the United States criminal system, a grand jury is a body established in accordance with the V Amendment at the federal level (and occasionally at the state level as well), that acts as a check on prosecutorial discretion by determining, in a preliminary hearing, whether the prosecution's case is strong enough to support formal charges in trial. See EPSTEIN and WALKER, Constitutional Law for a changing America, 6th edition, CQ Press, 2015, pp. 590-591. 179 be used to engage in fishing expeditions; they must be specific, i.e. target specific individuals or entities; and they must, contrary to the government's assertion, be retroactive, that is used to seek evidence for a past crime903. Arguments can be brought forward in support of the unconstitutionality of the bulk metadata collection program as well. In particular, the government's reliance on the third party doctrine as elaborated in Smith v. Maryland is ill-placed, as fundamental differences exist between the privacy intrusion (upheld as constitutional) in Smith, and the metadata collection program enacted by the NSA904. More in general, however, the Supreme Court is proving to be increasingly aware of the importance of technologies in the modern way of life, and their effect on the individual's right to privacy. Government activities relying on technology and involving the use of personal data or, otherwise, surveillance, have been struck down as unconstitutional irrespective of the doctrinal approach to privacy adopted: whether it be construed as a property right, thus protecting from government trespass 905, or as an individual's reasonable expectation906, an increasing tendency by the courts in assessing privacy cases is the factoring in of modern technology as an unavoidable peculiarity of the digital age. 
And this is true from the point of view of the government's increased surveillance powers, which makes it easier to infringe upon individual privacy rights – thus lowering the bar for unlawful trespasses and searches – as well as from the point of view of the general population's increased reliance on devices, most of which process relevant amounts of personal data – thus raising the bar of one's reasonable expectation of privacy. The foregoing considerations lead Donohue to conclude that “under either approach, the program, and similarly situated bulk collection of US citizen's records, violates the IV Amendment”[907].

The overall unlawfulness of the program was even confirmed in a FISC judgment[908], in which the court recognized that the NSA call records program involved the collection of information relating to calls made by US persons within the US which “could not otherwise be legally captured in bulk”.

[903] More extensively, DONOHUE, Bulk metadata collection, pp. 850-857.
[904] These can be summed up as follows. First, Smith involved the installation of a pen register on the telephone of an individual who was already suspected of having committed a certain crime, unlike the vast majority of the individuals subject to the metadata collection program. Second, the purpose of the surveillance device in Smith was limited to the analysis of the phone calls placed by the suspect, while the NSA program monitors a greater number of data – including location data. Third, the device in Smith was placed for a limited period of time, while the NSA program was periodically renewed. Fourth, and most importantly, reliance on technology is much higher in the digital era than when Smith was decided (1979).
[905] See Kyllo v. United States, 533 U.S. 27 (2001) and Florida v. Jardines, 569 U.S. 1 (2013).
[906] See United States v. Warshak, 631 F.3d 266 (6th Circuit 2010).
[907] DONOHUE, Bulk metadata collection, p. 892.
Notwithstanding the unlawfulness of the program, two reasons led the court to allow the collection to take place in that instance, and renew the orders over time: firstly, assertions under oath by the NSA that access to the call detail records was vital to the NSA's counter-terrorism missions; and secondly, the establishment of “stringent minimization procedures that strictly controlled the acquisition, accessing, dissemination, and retention of the records by the NSA and the FBI”[909]. Section 215 of the Patriot Act was meant to sunset on 1 June 2015. The adoption of the USA Freedom Act on 2 June 2015, and its general ban on forms of bulk collection of personal data, determined the interruption of the Section 215 call records program, effective from October 2015.

3.1.2. PRISM and Upstream.

While NSA's section 215 program focused on telephony metadata, two other programs conducted by the NSA, called PRISM and Upstream, involve the collection of internet data – including content data – for counter-terrorism purposes. PRISM and Upstream, also known as “Section 702 surveillance”, were disclosed to the broader public in June 2013 by British and American newspapers[910], which acquired and revealed a confidential slide presentation explaining the foregoing systems of personal data collection and analysis. According to the slides, through PRISM the NSA could allegedly tap directly into servers belonging to nine major internet service providers[911] and extract all sorts of data, such as emails, video and voice chats, videos, photos, stored data, voice over internet protocol (VoIP), file transfers, video conferencing, notification of target activities (e.g. log-ins), online social networking details, and “special requests”. The NSA, similarly to its Section 215 program, would then mine the data acquired in search of useful leads for counter-terrorism purposes it could then pass over to the FBI.

Upstream collection, instead, differs from PRISM in two essential respects concerning the mode of collection of personal data. First of all, Upstream targets e-mails and other forms of electronic communications not from ordinary internet service providers, but from providers who control what is known as the “Internet backbone” – i.e. a sort of highway for internet communications. Secondly, Upstream involves the acquisition of two additional types of data the collection of which is not contemplated under PRISM: namely, so-called “about” communications, and “multiple communications transactions” (MCT). As will be further explained, the former relates to communications which do not pertain to a certain target (e.g., a particular e-mail account) but rather contain a reference to such target, while the latter refers to broader “packets” of information transiting through the Internet which happen to contain “to, from or about” (TFA) communications of the target in question, albeit among other communications as well, which are unrelated to the target.

[908] United States Foreign Intelligence Surveillance Court, In re production of tangible things, Docket number BR 08-13, 2 March 2009.
[909] In re production of tangible things, pp. 2-3.
[910] GREENWALD, NSA Prism program taps in to user data of Apple, Google and others, The Guardian, 7 June 2013; GELLMAN and POITRAS, US, British intelligence mining data from nine U.S. Internet companies in broad secret program, The Washington Post, 7 June 2013. Together with the disclosure of the NSA call records program, these constitute what is commonly referred to as the “Snowden revelations”, as such information was acquired by the foregoing newspapers thanks to whistleblower Edward Snowden.
[911] Microsoft (Hotmail), Google, Yahoo!, Facebook, Paltalk, YouTube, Skype, AOL, and Apple. The first provider to be added to the program was Microsoft, in September 2007; the last was Apple, in October 2012.
Newspaper reports, however, have been proved to be inaccurate in their depiction of the foregoing programs. The most remarkable imprecision concerns the functioning of PRISM, which in reality does not give the NSA direct access to the servers of internet service providers, but is rather based on orders issued by FISC, upon requests by the NSA – subject to conditions which will be further addressed in detail – compelling said providers to hand over to/from communications of certain specified targets. Through PRISM, the government can therefore obtain broad categories of foreign intelligence, although only those of selected targets – and not in a dragnet fashion. Ensuing scholarly discussion has in fact highlighted that while Upstream can in fact be considered as a system of bulk data collection, PRISM is instead “a targeted technology used to access court ordered foreign internet accounts”[912], and this view was also acknowledged and adopted by independent human rights agencies on both sides of the Atlantic, such as the Privacy and Civil Liberties Oversight Board (PCLOB)[913] and the European Union Agency for Fundamental Rights (FRA)[914]. Irrespective, however, of the bulk or targeted nature of the acquisition of personal data through said programs, an assessment of their statutory and constitutional origin and compliance cannot be overlooked.

[912] CAYFORD, VAN GULIJK and VAN GELDER, All swept up: An initial classification of NSA surveillance technology, in: Safety and Reliability: Methodology and Applications, NOWAKOWSKI et al., CRC Press, 2015, p. 646; in this sense, see also SWIRE, US surveillance law, safe harbor, and reforms since 2013, Georgia Tech Scheller College of Business Research Paper No.36, December 2015, pp. 10-22. According to the latest Statistical Transparency Report Regarding Use of National Security Authorities, issued in April 2016, at p. 5, the estimated total number of individuals targeted by Section 702 orders is 94.368.
[912, cont.] Although certainly a high number, it falls well short of those reported – in the range of hundreds of millions of individuals. SWIRE, at p. 17, even claims that “the legal rules that authorize Upstream mean that this is a targeted program as well”.

The two programs are based on Section 702 of FISA, an addition made to the original statutory framework by the FISA Amendment Act (FAA) of 2008[915]. The origins of Section 702 can be traced back to the so-called Terrorist Surveillance Program (TSP), itself part of a broader data collection program known as the President's Surveillance Program enacted under the Bush administration in October 2001. The purpose of the TSP was the collection of international communication (foreign-to-foreign, or US-to-foreign) from within the United States; the TSP took place outside the purview of and thus without the safeguards set by FISA – most importantly, judicial review of the government's request. Public disclosure of the program in 2005, however, led to its “moving” to FISA grounds. In other words, because of the mounting pressure following the public disclosure of the program – which had up to then remained confidential – the government was forced to move it to more secure legal footings. In January 2007 the Foreign Intelligence Surveillance Court issued an order[916] allowing the government surveillance of very broadly defined “targets” and “facilities”[917], as long as it established probable cause that one of the communicants was a member of a terrorist organization; the President subsequently determined not to reauthorize the TSP. The order was revised in May 2007; this time, however, the Court held that the probable cause determination had to be made by the Court itself, and not by the government. This change spurred requests, at the behest of the government, for amendments to FISA. The government argued that because of evolutions in technology, surveillance activities which would have previously fallen under the lax framework of Executive Order 12.333, such as foreign-to-foreign e-mail interceptions, were progressively shifting under the authority of FISA.

[913] Privacy and Civil Liberties Oversight Board, Report on the Surveillance Program operated pursuant to section 702 of the Foreign Intelligence Surveillance Act, 2 July 2014, which at p. 111 finds that – despite the breadth of the program – “unlike the telephone records program conducted by the NSA under Section 215 of the Patriot Act, the Section 702 program is not based on the indiscriminate collection of information in bulk. Instead, the program consists entirely of targeting specific persons about whom an individualized determination has been made”.
[914] European Union Agency for Fundamental Rights, Surveillance by intelligence services: fundamental rights safeguards and remedies in the EU, 2015, pp. 17-18.
[915] On the evolution of Section 702, see: DONOHUE, Section 702 and the collection of international telephone and internet content, Harvard Journal of Law and Public Policy, Vol. 38, 2015, pp. 124-153; BANKS, Responses to ten questions. Is the FISA Amendments Acts of 2008 good policy? Is it constitutional?, William Mitchell Law Review, Vol. 35, Issue 5, pp. 5007-5017. The FAA is set to expire in December 2017.
[916] Foreign Telephone and E-mail Order of 10 January 2007.
[917] Under ordinary FISA electronic surveillance, pursuant to 50 U.S.C. § 1804(a)(3)(A) and (B), applications by the government for electronic surveillance within the US for foreign intelligence purposes are required to indicate “the identity [...] or description of the specific target of the electronic surveillance”, as well as the facilities where the electronic surveillance will be directed. As DONOHUE
[917, cont.] recalls in Section 702, at pp. 129-135, before moving the TSP under FISA, the government sought a redefinition of “facility” in order for it to include, alongside single phone lines and single e-mails, international switches such as “gateways” and “cable heads” – in other words, telecommunication companies' routing databases. This would have exponentially increased the amount of content information that could be acquired through electronic surveillance.

The reason is easy to understand: while a phone call from London to Moscow would have never transited inside the United States, an e-mail from London to Moscow might instead (and usually does) pass through an American internet service provider. Because of this, surveillance of that e-mail is to be considered taking place within the US, thus activating the safeguards established by FISA. According to the government, this led to administrative overburdening, because of the necessity to draft individual applications for FISC orders even when the subjects being targeted had no connection to the US other than the servers their emails transited through, and, ultimately, to an intelligence gap. In essence, the problem was that intelligence was being lost because of the restrictive statutory requirements of FISA applying to persons located outside the US as well.

The government's requests were heeded by Congress with the adoption of the Protect America Act (PAA) in 2007, and the FISA Amendment Act (FAA) in 2008. The PAA removed foreign-to-foreign and US-to-foreign communications from the purview of ordinary FISA rules[918]. In particular, surveillance of communication data (including content) could take place – for up to one year – pursuant to an authorization by the Attorney General and the Director of National Intelligence, as long as it concerned “persons reasonably believed to be outside the United States”, regardless of their status in relation to a foreign power or a terrorist organization. The need to apply for a FISC order was thus eliminated – even if one of the two parties was a citizen of the US, inside the US.

Upon expiration of the PAA in February 2008, the FAA was enacted in July of that same year and codified as Title VII of FISA. Three key provisions were introduced in FISA by the FAA: section 702, which applies to non-US persons, and sections 703 and 704, applicable to US citizens and permanent residents. Pursuant to section 702, the Attorney General and the Director of National Intelligence “may authorize jointly, for a period of up to one year from the effective date of the authorization, the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information”[919]. Section 702 surveillance is thus meant to target persons with no ties to the US (for example, Europeans) who are not in the US at the time the acquisition takes place, when the acquisition itself instead occurs within American borders. In this sense, section 702 supplants Executive Order 12.333 and provides a statutory framework to previously almost unregulated surveillance. However, the scope of section 702 is particularly broad, when compared to traditional FISA surveillance, from two points of view. First of all, individuals need not be agents of foreign powers or suspects of terrorism to be surveillance targets, as no indication in that sense appears anywhere in the provision. Rather, it suffices that “a significant purpose of the acquisition is to obtain foreign intelligence information”[920].

[918] Under the new definition of “electronic surveillance”, this was meant to include only purely domestic communications.
Secondly, the government is not required to identify a particular known facility where the intercepted communications occur; surveillance may therefore be directed towards a terrorist organization, a telephone number, an e-mail address, or even an entire internet service provider or area code921. These two provisions – rectius, the lack thereof – revealed, at the outset of the adoption of the FAA, its potential for bulk collection of data.

Procedurally, the government is required to submit a certification to the Foreign Intelligence Surveillance Court attesting that targeting and minimization procedures have been adopted922; such certification, together with the targeting and minimization procedures, is reviewed by the Foreign Intelligence Surveillance Court. The level of judicial review is quite modest: if FISC finds that the certification contains all the elements required by the law, and that the targeting and minimization procedures are adopted in accordance with the law and are consistent with its requirements, the Court shall – apparently, without any discretion – enter an order approving the use of the procedures for acquisition923. It is at this point that, once the order has been issued924, the Attorney General and the Director of National Intelligence may authorize surveillance; in doing so, they may issue a directive to an electronic communication service provider to “immediately provide the government with all information, facilities, or assistance necessary to accomplish the acquisition in a manner that will protect the secrecy of the acquisition [...]”; if such providers wish to keep records of their involvement in the government's data collection activities, they shall “maintain under security procedures […] any records concerning the acquisition or the aid furnished”. For their assistance, providers receive compensation and immunity from liability; the government's directives can also be legally enforced by the Foreign Intelligence Surveillance Court, and failure to comply may be punished as contempt of Court. A significant addition made by the FAA is the possibility for providers to challenge the directive before FISC; the standard for review by the court is the general unlawfulness of the directive925. Finally, section 702 includes a detailed list of annual and semi-annual reviews and assessments in order to verify compliance, by the government, with the targeting and minimization procedures926.

919 FISA § 702(a).
920 FISA § 702(g)(2)(A)(iv).
921 BANKS, Responses to ten questions, p. 5014.
922 FISA § 702(g). Targeting procedures – still partly classified – are designed to ensure that any authorized acquisition is limited to targeting persons reasonably believed to be located outside the US, and to prevent intentional acquisition of purely domestic communications; minimization procedures are instead designed to minimize the acquisition and retention, and prohibit dissemination, of non-publicly available information concerning unconsenting US persons. The fact that minimization procedures, exclusively concerning US persons, were included in section 702 – which governs acquisition of data relating to non-US persons – somehow reveals Congressional awareness that surveillance allowed pursuant to section 702 might eventually lead to the acquisition of data of US persons as well.
923 FISA § 702(i)(3).
924 Pursuant to FISA § 702(c)(2), where the Attorney General and the Director of National Intelligence believe that exigent circumstances exist because, without immediate implementation of an authorization, intelligence important to the national security of the United States may be lost or not timely acquired, and time does not permit the issuance of a court order, they may issue a “determination”. In this case, judicial review occurs only ex post to “approve the continued use of the procedures for the acquisition”.
925 FISA § 702(h).
926 FISA § 702(l).

As anticipated above, section 702 provides the statutory framework for two controversial NSA data collection programs, PRISM and Upstream. While the features revealed in the press are quite exaggerated, a careful assessment of both is nonetheless necessary to evaluate their compliance with basic privacy standards. Two aspects of these programs are worthy of particular analysis from a privacy standpoint: the targeting procedures, which govern whose data can be collected; and the actual functioning of PRISM and Upstream, which determines how such data is gathered.

Starting from the targeting procedures927, it is important to notice that these are largely classified – thus gravely affecting accountability assessments. They are in fact internal guidelines, used by the intelligence agencies (the NSA, the FBI, and the CIA) to assess potential targets based on foreign intelligence leads. Before commencing surveillance, these agencies must have in mind a precise individual, and a precise selector which is believed to be used by such individual (e.g., an e-mail address) in order to communicate “foreign intelligence information”. Once a person has been identified, the NSA must make what is called a “foreignness determination”: the lax requirement of section 702 may apply only if said individual is a non-US person, and is located outside the United States.
However, it has been pointed out that the NSA largely relies on assumptions in this phase, rather than on positive evidence: in other words, a target not known to be in the US is assumed to be located outside domestic borders, despite the lack of concrete evidence thereof, and a target known to be outside the US is assumed to be a non-US person, absent evidence to the contrary928. These assumptions may lead to acquisition of data pertaining to US persons. Again, it is worth stressing that American legal scholars tend to consider this aspect – the degree to which American communications may be placed under surveillance – as paramount in the assessment of the lawfulness of the NSA's actions, rather than questioning whether its programs respect a minimum privacy threshold for all individuals potentially subject to them. In addition to a foreignness determination concerning each target, the NSA must also make a “foreign intelligence purpose determination”, that is a determination that tasking a specific selector will likely yield foreign intelligence information929.

927 PCLOB Report, supra note 800, at pp. 41-48.
928 DONOHUE, Section 702, p. 165.
929 PCLOB Report, p. 45.

Once the targeting procedures are complete, and after the issuance of a FISC order upon submission of a certification by the government, the actual acquisition of personal data may take place. The selector tasked for targeting is sent to an electronic communications service provider based in the US930, who is compelled to search for data relating to the selector, and to subsequently hand back over to the NSA the raw data931 thus acquired. As mentioned above, there are two types of Section 702 acquisition: PRISM collection, and Upstream collection932. The main differences between the two have been outlined above. They will now be analyzed in more detail.
To begin with, it is worth recalling that section 702 surveillance, whether through PRISM or through Upstream, does not entail direct access to servers held by electronic communication service providers, but instead consists in receiving data from such providers based on the government's criteria for acquisition. However, absence of direct access to servers does not in itself mean that bulk collection of data is not taking place. In fact, although some scholars even argue that both programs are “reasonable and lawful responses to changing technology”933, it is generally agreed that at least Upstream surely involves what can be considered as bulk collection of data. Upstream allows the collection of internet and telephone data; it differs from PRISM collection in the sense that the data is collected not with the compelled assistance of a United States service provider, but with that of United States internet backbone providers. Setting aside technical explanations which by far exceed the reach of this dissertation, suffice it to say that, through this means, the NSA may acquire information which it would not under PRISM; PRISM and Upstream are thus complementary programs934.

Upstream collection, in turn, is subject to different rules according to whether internet communications or telephone communications are being acquired. The more problematic, from a privacy perspective, is surely the former935. As Upstream is set up, in fact, when electronic providers are given a certain selector (for example, an e-mail address pertaining to an individual who is not a US-person and is reasonably believed to be outside the US), they are required to collect not only information to that selector or from that selector, but also information about that selector (i.e. “TFA information”). For example, if the selector of upstream surveillance is the indicator “terrorist@gmail.com”, Upstream permits the acquisition of a communication between two other individuals (e.g., innocent1@gmail.com and innocent2@gmail.com), if the content of their email contains a reference to the actual target – in the foregoing example, terrorist@gmail.com. The acquired communication is thus neither to nor from the specific target but, precisely, about the target.

930 Again, it is important to underline that the US-based nature of the service provider is essential for the application of Section 702.
931 “Raw data” means data that have not yet been mined by the NSA, or other intelligence agencies. The underlying assumption here is that data other than those pertaining to the actual target are generally gathered by providers because of the broad research scope their directives generally entail.
932 PCLOB Report, pp. 32-41.
933 SWIRE, US surveillance law, pp. 10-22.
934 Upstream collection, however, accounts for only 10% of the total collection of data by NSA, the other 90% being obtained through PRISM. See SWIRE, US surveillance law, p. 17.
935 Upstream collection of telephone communication is governed by the same rules which apply to PRISM collection.

If the difference between targeted surveillance and bulk surveillance is that in the former the person or entity whose data are targeted can be specified in advance, while in the latter it cannot936, then Upstream surely qualifies as bulk surveillance, as data relating to individuals who may in no way be related to the actual target of the surveillance is nonetheless collected in the process. The essentially bulk nature of Upstream collection of data is further confirmed by the fact that in acquiring Internet communication, Internet transactions are also caught in the collection net. Internet transactions are sets of data traveling across the internet, which may consist of single as well as multiple communications – not necessarily originating from the same source or subject.
Under Upstream, however, if a targeted communication is contained in a multi-communication transaction, the NSA is allowed access to all of the communications therein. Again, communications sent and received by subjects who have nothing to do with the surveillance target – and with respect to whom no foreignness or foreign intelligence purpose determination has been previously made – may thus be acquired by the government as long as they happen to be included in the same “packet” containing TFA communications relating to the target937. The wide scope of Upstream collection is partially balanced by the fact that, unlike PRISM collection, only the NSA – and not other intelligence agencies, such as the FBI and the CIA – can access raw data obtained through Upstream for its subsequent analysis938.

936 Definition taken from the Dutch Review Committee for the Intelligence and Security Services (CTIVD) Annual Report 2013-2014, pp. 45-46 (referring to bulk surveillance as “untargeted interception”).
937 The combined effect of the two features of Upstream leads to the possibility that multi-communications transactions may be acquired even where the packet in question contains a communication about the targeted individual or selector. In that case, an entire packet of data can be acquired and accessed by the NSA although none of the communications therein actually originate from or are destined to the real target of the surveillance.
938 PCLOB Report, p. 35.

PRISM collection relies on the coerced collaboration of American-based Internet service providers939. As with Upstream, these providers are served with a directive – issued in accordance with the targeting procedures explained above – requiring the collection of data pertaining to certain selectors; the providers are then required to hand over to the NSA internet communications sent or received by the selectors, but not those communications which merely contain a reference to the target.
The intrusiveness of PRISM stems from the fact that, unlike section 215 surveillance, the government acquires content information in addition to metadata. Moreover, although the internet service providers are mandated to deliver the data to the NSA, data collected through PRISM can also be sent to the FBI and the CIA.

Once the data have been acquired, through PRISM or Upstream, they may be accessed by NSA, FBI, and CIA personnel, and subsequently queried. Until then, they are referred to as unminimized (or “raw”) data. Certain safeguards, mainly involving the level of technical training received by intelligence personnel and entirely set by internal minimization procedures, govern the access to the acquired data, that is the mere possibility of entering in contact with the databases of collected content and metadata940. Upon access by qualified agents, the data are queried941. A query is essentially a search conducted through specific terms or identifiers, such as an e-mail address, a telephone number, or a key word. NSA minimization procedures require that the searches be “reasonably likely to return foreign intelligence information”942, thus prohibiting excessively broad searches, or searches conducted for reasons other than acquiring foreign intelligence. Considering, however, that such queries are conducted on large amounts of content data, as well as metadata, the provision seems insufficient to adequately limit invasions of the privacy of the individuals whose data is being searched. Moreover, the FBI and the CIA – who also have access to raw collected data, with the exception of Upstream data – have their own minimization procedures, which in some instances are even less stringent than those adopted by the NSA.
The FBI, for example, may query Section 702-acquired data for the purpose of finding and extracting “evidence of a crime”, in what – to a European eye – is a blatant violation of the minimum purpose limitation requirement that the data acquired be processed only for the purpose for which they are collected.

939 On the functioning of PRISM, see PCLOB Report, pp. 33-34; SWIRE, US Surveillance, pp. 14-17.
940 PCLOB Report, pp. 53-55.
941 PCLOB Report, pp. 55-60.
942 NSA 2011 Minimization Procedures, § 3(b)(6).

Finally, the acquired data are subject to different retention period limitations depending on whether or not they have been accessed through a query943. Again, it is worth pointing out that this feature of Section 702 collection, as well as the pre-collection targeting limitations and the post-collection search restrictions, is not governed by a statutory framework, but by internal agency rules instead (adopted by the agencies that are allowed access to such data – i.e. the NSA, the FBI, the CIA). FISA, in fact, merely requires that the minimization procedures also contain rules concerning “the retention [...] of non-publicly available information concerning unconsenting United States persons”944. According to the latest publicly available NSA minimization procedures, data acquired through PRISM can be retained for a maximum of five years945, while data obtained through Upstream for a maximum of two years from the expiration of the Section 702 certification under which the data had been acquired946. While these time limits may even be considered, in abstracto, as not entirely unreasonable, some additional considerations cannot be overlooked. First of all, it is worth recalling that these limitations refer to content data, and not just metadata. Secondly, these time frames allow exceptions – thus warranting extensions of the overall retention period – in specific cases947, as well as upon authorizations by “high-level agency officials”948.
Finally, the foregoing time limits apply only to unminimized data, i.e. data that have not been accessed and queried by intelligence agencies. No limitations, instead, are set for data that have been subject to minimization procedures – these can therefore be retained indefinitely.

943 PCLOB Report, pp. 60-66.
944 50 USC § 1801(h)(1).
945 The same time limit applies to data held by the FBI and the CIA.
946 NSA 2011 Minimization Procedures, § 3(c)(1) and (2).
947 For example, pursuant to § 6(a)(1)(a) of the NSA Minimization Procedures, enciphered data or data reasonably believed to contain secret meaning may be kept for “any period of time during which encrypted material is subject to, or of use in, cryptanalysis”.
948 PCLOB Report, p. 60.

In light of the foregoing analysis, the opinion followed by this dissertation is that both PRISM and Upstream – for a number of reasons – entail significant violations of essential privacy standards. Starting from their classification, it is safe to say that Upstream is quite unequivocally a form of bulk data collection. By contrast, it can be conceded that PRISM is not as far-reaching as it is commonly portrayed949, and can perhaps be considered as targeted data collection950. However, one must also consider the scope of the collection. The targeted nature of PRISM is all but irrelevant, from a privacy perspective, against the fact that the actual content of communications is being collected – therein including also communications from individuals who are communicating to the selected target of surveillance and are not themselves targets of surveillance. Some scholars argue that the violation of privacy occurs only when the data are processed, and not when they are captured in the first place951. However, when assessing the lawfulness of a data collection program under this conception of privacy, one cannot simply ignore the type of acquisition that is taking place.
And it is in fact difficult to imagine government behavior which is more intrusive than the collection (albeit not analysis) of the content of one's conversations, absent any basis for it. Arguably, this course of action can be considered as an unjustifiable invasion of one's privacy not only under the strict European statutory and jurisprudential constructions of privacy952, but also under more minimal frameworks such as art. 17 of the International Covenant on Civil and Political Rights, to which the United States is a party953. One particularly troublesome aspect of the legal assessment of these programs by American scholars is that attention is almost exclusively paid to the degree to which the privacy of American citizens is violated, thus deeming the infringement upon the rights to privacy and data protection of non-US persons almost as collateral damage.

949 While reports on PRISM generally depict a panopticon with access to data of hundreds of millions of people, the latest Statistical Transparency Report Regarding Use of National Security Authorities, issued on 30 April 2016, at p. 5 places the estimated total number of targets of Section 702 orders at 94.368.
950 To the easy objection that the NSA may not follow its own rules, and that the applied law is different from the written law – a concern raised by DONOHUE, Section 702, pp. 194-195 – see SWIRE, US Surveillance Law, p. 18, at note 65: “[s]ome readers may not believe that the NSA follows the rules and gains access only to approved communications […]. My own view is that the NSA has built a large and generally effective compliance program in recent years. As documented by the Review Group, multiple layers of oversight exist over these NSA actions, including oversight by judges, Congress, and the NSA Inspector General”.
951 SWIRE, US Surveillance, p. 19.
952 It seems almost superfluous to point out that PRISM and Upstream, and bulk collection in general, contravene all of the minimum data protection principles set under EU legislation and constitutional tradition. Above all, perhaps, the principles of transparency, purpose limitation, and accountability, as enshrined in art. 4 of Directive 2016/680.
953 On the relationship between NSA surveillance and the ICCPR, see SINHA, NSA Surveillance since 9/11 and the human right to privacy, Loyola Law Review, Vol. 59, 2013, pp. 861-945.

3.2 Other government programs involving bulk collection of personal data.

The data collection and analysis programs enacted by the NSA, mostly involving communication data (internet-based and not), although surely the most notorious, are however not the only ones which were developed as a reaction to the 9/11 attacks. Measures involving data mining activities were set up in other agencies as well954. One such example was the Terrorism Information Awareness program (TIA), created in January 2002 at the Defense Advanced Research Projects Agency (DARPA), a child agency of the Department of Defense. TIA – which originally stood for “Total” Information Awareness, but was modified as a consequence of the criticism that such a panopticon-evoking acronym drew from the public – was created with the aim of developing technologies which would exploit the entire spectrum of personal data available to the government, such as passport and visa applications, car rentals, driver license renewals, criminal records, and airline ticket purchases (hence “total awareness”) by applying new analysis techniques955. As the terrorist attacks in New York and Washington had been conducted through the hijacking of airplanes, another program explicitly set up for counter-terrorism purposes was the Computer-Assisted Passenger Prescreening System (CAPPS II956), precursor of the measures relying on the use of PNR data957 and now replaced by a new system called “Secure Flight”.
These systems rely on PNR information958 conveyed to the government (in this case, the Transportation Security Administration – TSA) by air carriers959, which are subsequently used to screen passengers before the flight in order to identify suspect individuals and perform additional screening, or prevent them from boarding the flight. In some cases the initiative came from private corporations, such as the Multistate Anti-Terrorism Information Exchange (MATRIX) pilot project, created by a Florida-based private company. Although MATRIX was conceived as a State criminal law enforcement rather than an intelligence tool, it provides yet another example of post-9/11 activity enacted on unclear legal grounds based on the use of personal data extracted from various public databases960.

954 On the issue, see SEIFERT, Data mining and Homeland Security: an overview, Congressional Research Service No. RL31798, April 2008; BIGNAMI, European versus American liberty: a comparative privacy analysis of antiterrorism data mining, Boston College Law Review, vol. 48, 2007, p. 616.
955 TIA focused on three areas of research: automated and rapid language translation; data search with pattern recognition; advanced collaboration and decision support tools.
956 CAPPS II replaced the original program, called CAPS, itself created in 1996.
957 See supra, Chapter II, para. 4.1.1.
958 It is worth reminding that PNR data includes personal data such as one's name, address, phone number, date of birth, as well as data relating to the flight and to the reservation, such as special menu selections and choice of aisle or window seat. It has already been mentioned how information of a sensitive nature can be extracted from such data. See supra, Chapter II, para. 4.1.
959 While compliance by American airlines was generally not problematic, resistance by European carriers led to the necessity of the EU-US PNR Agreements.

3.3. Presidential Policy Directive 28 (PPD-28) and the USA Freedom Act.
Important steps were taken by the United States in recent years, by which two of the most troublesome aspects of American surveillance law – the recurrent use of bulk, rather than targeted, collection of data, and the essential indifference to the privacy concerns of non-US persons – were addressed, by the executive as well as by the legislature, in a way that scholars refer to as being a “conceptual shift”961 in the regulation of intelligence activities.

Not long after the Snowden revelations, President Obama established a Review Group on Intelligence and Communications Technology with the purpose of assessing the activities of American intelligence agencies, and proposing possible directives for reform. The Review Group yielded a lengthy Report in December 2013962. Many of the findings of the Review Group were heeded by President Obama who subsequently issued, on 17 January 2014, Presidential Policy Directive 28 (PPD-28). According to prominent national security scholar Peter Swire, PPD-28 is “a historic document”963, as it specifically recognizes and mandates – as PPD-28 is binding on all US intelligence agencies – privacy protections for non-US persons in the context of foreign intelligence information. At the core of PPD-28, in fact, lies the policy choice of making the protection of privacy and civil liberties rights of non-US persons not only a concern, but an integral part of the US surveillance framework964. In particular, the Directive states that “all persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and all persons have legitimate privacy interests in the handling of personal information. US signals intelligence activities must, therefore, include appropriate safeguards for the personal information of all individuals, regardless of the nationality of the individual to whom the information pertains or where that individual resides”965. This statement is important for two reasons: first, it recognizes that US intelligence activity cannot keep ignoring – as has happened hitherto – privacy concerns of non-US persons; second, it specifically refers to the safeguard of personal information as a concept separate from privacy, thus perhaps opening the door to a more specific data protection framework in the context of surveillance activities.

960 According to SEIFERT, Data mining and Homeland Security, p. 16, the data used included: pilot licenses, aircraft ownership records, property ownership records, information on vessels registered with the Coast Guard, state sexual offenders lists, federal terrorists watch lists, bankruptcy filings, criminal history information, driver's license information, and information from commercial sources. Telecommunication, travel and financial data were however excluded.
961 Sic KRIS, On the bulk collection of tangible things, Journal of National Security Law and Policy, vol. 7, 2014, p. 289.
962 Liberty and Security in a changing world. Report and recommendations of the President's review group on intelligence and communication technologies, 12 December 2013.
963 SWIRE, US Surveillance, p. 33. Other scholars, such as KRIS, are more cautious in assessing the importance of PPD-28: “[y]ears from now, [PPD-28] may be viewed as the first articulation of a new paradigm of transparency, privacy, and internationalism in US intelligence. However, it is also possible that [it] will be viewed as a collection of fairly modest changes, largely cosmetic in nature, that were designed to placate critics in the United States and abroad”. On the bulk collection of tangible things, p. 295. In this sense, see also BIGNAMI, The US legal system on data protection, pp. 29-30.
Intelligence agencies were in fact instructed to adopt procedures and policies addressing data protection requirements, such as data security and access, data quality, and oversight966. PPD-28 also took a decisive stance in favor of a more controlled approach to the bulk collection of personal data. While maintaining that “the United States must […] collect signals intelligence in certain circumstances in order to identify [new or emerging] threats”, PPD-28 admits that unrestricted bulk collection of data has led to the acquisition of an excessive amount of data, and to the unlawful involvement of individuals whose data bears no foreign intelligence relevance at all. PPD-28 therefore calls for the adoption of new limits on the bulk collection of personal data967; in particular, it sets purpose limitations for data collected in bulk, which can thus only be used for detecting and countering specific threats to US national security968. While this is surely an improvement in American surveillance law, as it at least calls into question the negative repercussions which bulk collection of data has on the individual right to privacy, it is nonetheless quite far from a European optimum, since – as recalled by Bignami969 – under the EU's data protection framework any type of bulk collection, because of its breadth, is an intolerable invasion of the right to data protection.

964 SWIRE, US Surveillance Law, pp. 33-34.
965 Presidential Policy Directive/PPD-28, 17 January 2014, § 4.
966 SWIRE, US Surveillance, p. 35.
967 Presidential Policy Directive/PPD-28, 17 January 2014, § 2.
968 These include: espionage against the United States and its interests; terrorism; the development, possession, proliferation, and use of weapons of mass destruction; cybersecurity threats; transnational criminal threats.
969 BIGNAMI, The US legal system on data protection, pp. 30-31.
Another major shift towards a more privacy-aware framework for national security surveillance was brought by the adoption of the USA Freedom Act970, signed into law by President Obama on 2 June 2015. The Freedom Act addresses the entire spectrum of far-reaching surveillance mechanisms, decidedly following the trend set by PPD-28 concerning the limitation of bulk collection of data. The Freedom Act, in fact, goes even further: it adds a specific provision prohibiting the bulk collection of data with respect to Section 215 collection of tangible things971, pen register and trap and trace collection972, and national security letters973. Each of the NSL statutes, in particular, has been modified in the sense of including a requirement that the demand be limited to specifically identified information, and not information on all the recipient's customers974. Moreover, the procedures for the issuance of nondisclosure orders accompanying the NSL – as well as their judicial review – have been partially amended. Nondisclosure orders may in fact be issued only if the recipients are notified of their rights to judicial review, and only under specific circumstances975. The Freedom Act also increases transparency requirements by mandating the Director of National Intelligence to disclose the total number of NSLs issued on a yearly basis. With respect to Section 702 surveillance, instead, a new subparagraph is now present concerning limits on use of unlawfully obtained information, which essentially prevents the government from using in any way information acquired on the basis of a deficient certification976. The Freedom Act also includes provisions reforming the functioning of the Foreign Intelligence Surveillance Courts977, concerning which two lines of reform were pursued.
First, the screen of secrecy surrounding FISC was partially lifted by mandating the systematic declassification of decisions, orders, and opinions issued by the Court – all documents which in the past had remained, for the greater part, confidential. Second, the law now allows – and in certain cases, mandates – the Court to establish a group of no fewer than five independent experts (“amici curiae”) to provide assistance in important cases. It is significant that, among the qualifications an individual must have to be appointed amicus curiae, a prominent position is given to the possession of expertise in privacy and civil liberties978. While the Court in general may appoint individuals to serve as amici curiae in any instance as it deems appropriate, when the Court reckons that an application for an order or review “presents a novel or significant interpretation of the law”, the Court must seek assistance by amici curiae.

970 Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline over Monitoring Act of 2015, P.L. 114-23, 2 June 2015.
971 Freedom Act, § 103, amending FISA § 501.
972 Freedom Act, § 201, amending FISA § 402.
973 Freedom Act, § 501.
974 Freedom Act, Title V.
975 In particular, where disclosure may result in a danger to national security; in interference with a criminal, counterterrorism, or counter-intelligence investigation; in interference with diplomatic relations; or in endangerment of an individual's physical safety. See DOYLE, National Security Letters, pp. 17-18.
976 Freedom Act, § 301.
977 Freedom Act, §§ 401-402.

Finally, an entire title of the Freedom Act979 is dedicated to heightened transparency and reporting requirements.
In addition to increased reporting required from the government, the true novelty is the statutory possibility for private companies who are subject to national security orders and nondisclosure requirements to publish detailed reports revealing the total number of all national security process received, as well as the total number of customer selectors targeted[980]. In conclusion, the changes brought by PPD-28 and by the USA Freedom Act can be viewed as symptoms of an encouraging trend towards a stronger affirmation of data protection standards in American national security surveillance law[981].

[978] Freedom Act, § 401(i)(3)(A).
[979] Freedom Act, Title VI.
[980] Freedom Act, § 603, amending 50 U.S.C. § 1874.
[981] Recent case law also seems to be headed in this direction. See United States Court of Appeals, Second Circuit, ACLU v. Clapper, 785 F.3d 787, 7 May 2015; United States District Court for the District of Columbia, Klayman v. Obama, civil action 13-851 (RJL), Memorandum Opinion of 9 November 2015.

4. American and European approaches compared.

It seems appropriate to end this dissertation by submitting some conclusive remarks concerning the differences between the United States' and the European Union's approaches to the use of personal data as a counter-terrorism measure, and by considering if a certain degree of osmosis between the two is desirable – and whether, in fact, it has already taken place. The advent of the digital age, and the exploitation of its achievements for law enforcement and national security purposes, has had enormous consequences on the right to privacy. Modern technologies have on one side increased the output of information produced, and on the other made it easier for governmental authorities to access data for national security purposes: these are features which the law may not overlook in a modern construction of individual privacy.
At the same time, the threats to national security are changing in nature as well, and responses to those threats cannot fail to rely on the potential offered by those same modern technologies. This dissertation has attempted to show how these two tensions intertwine in the broader context of the fight against terrorism; the result, it is safe to say, is a subject of relatively new, yet strong, controversy. On one hand, it is claimed that privacy must be considered as a fundamental liberty and can thus never be given up in the name of security. On the other, emphasis is put on the shifting nature of the terrorist threat and the consequential necessity for a preemptive approach to counter it. These two views are both supported by strong arguments. The main rationale behind the former, aside from claims relying on the inherent importance of the right to privacy, is that, absent any positive proof that renouncing privacy by permitting bulk collection of data will definitely yield heightened security, in the form of actually preventing terrorist activity, this trade-off should not be pursued. Advocates in favor of this opinion often misquote Benjamin Franklin's famous stance on the issue, that “those who give up liberty for safety deserve neither”. In reality, the correct quotation is as follows: “those who would give up essential liberty, to purchase a little temporary safety, deserve neither”. The difference, in our view, is not irrelevant. Furthermore, dystopian scenarios of Orwellian reminiscence are often cited as the natural outcome of policies which involve broad surveillance and data collection.
The latter view, instead, concentrates more on the increased risk posed by terrorism-related activities, and on the fact that the changes in their nature – due, in some part, to the advent of new technologies – render even more indispensable the exploitation of the possibilities offered by modern forms of communication, and by the fact that every individual, now more than ever, leaves behind traces in the course of virtually every ordinary activity. If every individual, and every activity, potentially create trails of information which may be of aid in the preemption of terrorist activities; and if collecting and analyzing such trails and information is also relatively inexpensive; then broad surveillance activities are policy options which – in times of emergency, as the present – must at least be taken into consideration and, if possible, implemented. The violation of privacy and data protection rights, in this conception, is simply regrettable, yet inevitable, collateral damage. The position of this dissertation is that neither view offers a concrete solution to a real problem. The first, which carries a stronger European scent, fails to take into account that systems of broad surveillance, or of large information gathering and processing, are policy options which, at least to some extent, superpowers such as the US will keep using, and emerging counter-terrorism actors such as the EU, as has been shown, are increasingly interested in. Policies which are counter-terrorism orientated, feasible, and relatively inexpensive in relation to their overall achievements, will not – and, in fact, should not – be completely ignored by governments on the abstract principle that in the tension between liberty and security, the former should prevail at any cost. The second, more American in its nature, instead seems to completely ignore the fact that privacy is not a disposable right, and that it is not circumscribed by the borders of one particular nation state.
Simply dismissing pleas for increased privacy as unnecessary administrative burdens leads to a failure to acknowledge the importance of the right to data protection, especially in an age where the use of personal data by public and private entities is inversely proportional to the knowledge the common citizen has that such use is taking place. A middle ground between these two extreme views seems desirable, and even, in fact, feasible. It has been argued that the changes in technology and in the nature of threats to States, combined with a more general cultural shift, are paving the way for “a new social contract, in which individuals give the State power over information in exchange for security and the convenience of living in the modern world”[982]. The analysis of the measures involving the use of personal data enacted on both sides of the Atlantic – and especially their history – seems to confirm this view, in the sense that American and European legal systems appear to be converging, although coming from diametrically opposite positions, around a use of personal data deemed to be acceptable in terms of privacy violations, as well as in terms of counter-terrorism efficiency; to be more precise, in terms of the maximum efficiency which can be reached upon the establishment of a minimum privacy benchmark. We shall now take a critical look at the past, and especially the American past, in order to consider whether valuable insight is available for a European future.

[982] CHESTERMAN, One nation under surveillance. A new social contract to defend freedom without sacrificing liberty, Oxford University Press, 2011, p. 12.

4.1 A look at the past.

The first question deserving an answer is whether a comparison can be made at all between EU and US approaches to the use of personal data in the counter-terrorism area, and why such a comparison is appropriate.
An easy objection, in fact, is that in the US measures involving bulk collection of data are enacted against the more general backdrop of national security and intelligence law – a feature which instead is not present in EU law, as national security is not only an area left to the competence of single Member States, but indeed one of the hallmarks of national sovereignty[983]. However, it is also true that, on one side, progress has been made within the EU concerning intelligence cooperation for foreign policy, law enforcement, and internal security purposes[984]; and, on the other, the Union is committed to ensuring an Area of Freedom, Security and Justice for its citizens, by adopting appropriate measures for the prevention and combating of crime[985]. Moreover, the nature of the most recent sequence of terrorist activity on European soil has involved not just one, but several Member States – France has been the primary target, but episodes of terrorism have taken place in Belgium and Germany as well; Italy is also constantly under declared threat by Islamic fanatics, and both Spain and the UK have suffered attacks on their territory in the past. This is relevant for two reasons. Firstly, the EU has been, and is now even more, forced – willingly or not – to become a major counter-terrorism player, as it appears to have taken the place of the US as the main battlefield of terrorist warfare. Secondly, threats and attacks on single Member States cannot, and should not, be perceived merely as such anymore. If it is true, as it is abundantly clear, that the objective of the most recent terrorist activity conducted on European soil by the Islamic State (ISIS or ISIL) is not this or that specific nation, but rather the “western way of life”, then such a common threat must be addressed with appropriate means, and a collective response: one such response, which the present dissertation has attempted to analyze, consists in the use of personal data, enacted for the purpose of singling out individuals potentially belonging to terrorist cells by analyzing larger patterns of data.

[983] Pursuant to art.4(2) TFEU “National security remains the sole responsibility of each Member State”.
[984] See FÄGERSTEN, For EU eyes only? Intelligence and European security, European Union Institute for Security Studies Briefs, Brief No. 8, 4 March 2016.
[985] Art. 3(2) TEU.

As the playing ground has thus, although perhaps somewhat fictitiously, been leveled, a comparison can therefore be attempted between European and American systems involving the use of personal data for counter-terrorism purposes. The first element which must be taken into consideration is the different conception of privacy and data protection in the two legal orders. Some authors argue that the US and the EU have “roughly comparable constitutional and statutory mechanisms for the protection of privacy against unwarranted government surveillance”[986] and that the US legal order, contrary to the opinion expressed by the Court of Justice of the European Union in Schrems, ensures a level of protection of fundamental rights that is essentially equivalent to that guaranteed in the EU legal order[987]. It is true that, in Schrems, the Court of Justice adopted an inaccurate view as to the functioning and nature of PRISM surveillance[988]. However, there are several grounds to argue that differences indeed exist in the sense that the US legal order safeguards privacy to a lesser extent than the EU legal order, and that these shortcomings have been exploited by the government to further a policy agenda of essentially unrestricted processing of personal data and, in sum, surveillance. To begin with, in the EU legal order, privacy and data protection legislation is an emanation of the respective fundamental rights enshrined in the ECHR and in the EU Charter; by contrast, privacy statutes in the US were born primarily to fill in the gaps left by the constitutional protection of privacy.
Moreover, while the European privacy framework applies to public and private entities alike, American privacy and data protection laws are exclusively meant to curtail the government's power to intrude upon individuals. Another relevant point to be underlined is the absence, in the US, of an independent data protection regulatory agency with functions equivalent to those of the European Data Protection Supervisor.

[986] COLE and FABBRINI, Bridging the transatlantic divide? The United States, the European Union, and the protection of privacy across borders, International Journal of Constitutional Law, Vol. 14, No. 1, 2016, p. 233.
[987] SWIRE, US Surveillance, p. 3.
[988] SWIRE, US Surveillance, pp. 14-16.

But setting aside the basic statutory or institutional differences between the American and European legal orders, what is truly revealing of the distance between the American and European conceptions of privacy is the different perception of what constitutes an invasion of privacy or a violation of one's data protection rights. For example, provisions similar to those of the Data Retention Directive – which caused impressive judicial upheaval in Europe, and was eventually struck down by the Court of Justice – have existed in America since 1986[989]. Moreover, claims are often made by American scholars that, in the processing of personal data for counter-terrorism purposes, the invasion of one's privacy occurs not when the data are acquired but only when the government actually accesses such data[990], as if mere collection raised no juridical concerns. It is safe to say that the standard as to which type of activity constitutes a violation of privacy or data protection rights is stricter under the European data protection framework, and more relaxed under American rules.
Consequently, from a European perspective American privacy standards are too lax – hence the Schrems decision; by contrast, from an American perspective European privacy standards are too rigorous – hence the criticism voiced by American legal scholars against provisions such as those concerning data transfers to third countries, which at times have been perceived as an attempt by the European Union to unilaterally impose its privacy standards onto other countries (including the US) through the threat of blocking the data market by prohibiting European companies from passing over such data. With respect to, specifically, measures involving the use of personal data as a counter-terrorism measure, the first obvious difference between those enacted in the US and those enacted in the EU is their scope. While American agencies have engaged in bulk collection of personal data – “mass surveillance” – European uses of personal data in counter-terrorism, as those examined in the present work, tend to be more restricted and category-oriented. In fact, there is no one statute or law allowing the collection and processing of various types of personal data (such as, for instance, the Patriot Act, or FISA), but measures have instead been enacted piecemeal, cautiously and, in general, following US initiatives (as has been the case for PNR data, and the TFTP).

[989] See 47 CFR §§ 42.1-42.7, “Preservation of records of communication common carriers”.
[990] SWIRE, US Surveillance, p. 19.

Moreover, European courts are strict in the interpretation of the purpose limitation requirement concerning personal data, that is that data can only be “collected for specific, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes”[991].
By contrast, the demolition of the “wall” between national security and law enforcement authorities allowed US agencies to process personal data for purposes well beyond those originally envisioned; and, possibly – because of the bulk nature of collection – to process personal data of individuals who were not meant to be targets in the first place[992]. One particularly obnoxious aspect of American data surveillance programs, concerning however not the programs in themselves but instead their legal assessment, is that whenever privacy concerns are raised, they are focused exclusively on “US persons”, that is US citizens or permanent residents. More precisely, the degree to which data surveillance programs are considered as unlawfully encroaching upon individual privacy is assessed by scholars with exclusive reference to the privacy of Americans; fairly little attention is generally reserved to the issue whether privacy interests of non-Americans are violated and, when it is, it is accepted as a fact rather than questioned from a legal standpoint. By contrast, European critiques of data collection systems – which are indeed abundant – never mention the nationality of the targets as a factor to be taken into consideration in the analysis of violations of individual privacy, as privacy is perceived as a fundamental right worthy of protection irrespective of the provenance of the victim. Lastly, it is necessary to mention one last feature which differentiates EU and US use of personal data for counter-terrorism purposes: the secrecy which often veils the latter. It is true that this specific difference stems from the existence in the US of a structured national security framework which makes it possible to carry out covert operations.
However, it is worth pointing out that the secrecy of a data collection program, for obvious reasons, negatively affects the accountability of the government agency in question, which instead is an essential requirement in EU data protection law. Under the US legal order, instead, the processing of personal data in the context of counter-terrorism takes place pursuant to nonlegislative rules, self-applied by the same agencies (the NSA, the FBI, and the CIA) entrusted with the execution of the program itself; although forms of oversight exist, the absence of an independent data protection agency exacerbates the issue even more.

[991] Art. 5(1)(b), Regulation (EU) 2016/679, and art. 4(1)(b), Directive (EU) 2016/680.
[992] See BIGNAMI, The US legal system on data protection, pp. 30-31.

In sum, it can be stated that the American legal order has proved to be generally more favorable towards systems involving the use of personal data for counter-terrorism purposes. The problem often encountered, which, in some instances, tipped such systems beyond the boundaries of lawfulness, was that the governmental agencies involved did not adhere to the (indeed limited) statutory provisions; this resulted in the adoption of programs, such as Section 215 collection and Upstream, which yielded the undesirable effect of subjecting truly large portions of the population to scrutiny of personal information relating to them and, in some instances, of the content of their communications.

4.2 An eye to the future.

The previous paragraph has underlined the distance between the European and the American approach to personal data surveillance in the context of counter-terrorism, both in legal theory and in operational practice. Recent events, however, have had the effect of determining a convergence of these two distant approaches.
From the European side, increased exposure to terrorist activity has led the EU to consider, and also to implement, the adoption of a preemptive approach to counter-terrorism, and in particular of systems relying on the processing of personal information conducted with the purpose of locating purported terrorists, or individuals otherwise involved in terrorist activities. By contrast, in the wake of the Snowden revelations the US has toned down its data surveillance activities, by statutorily prohibiting forms of bulk collection of data and by officially recognizing, for the first time in its history, privacy rights of foreigners[993].

[993] Some authors, however, argue that deficiencies nonetheless remain in the application of national safeguards to foreigners. In particular, in the context of EU-US relations, according to COLE and FABBRINI an appropriate solution would be the drafting of a transatlantic agreement setting basic privacy protections for citizens and foreigners alike. See COLE and FABBRINI, Bridging the transatlantic divide?, pp. 233-237. For a critique of this view, see SCHULHOFER, An international right to privacy? Be careful what you wish for, International Journal of Constitutional Law, Vol. 14, Issue 1, January 2016, pp. 238-260.

The trend which can be observed, in analyzing the relationship between personal data and counter-terrorism, is thus twofold. On one hand, surveillance activities for security purposes are here to stay. They are no longer to be considered as a byproduct of emergency legislation, but rather as the natural consequence of an era where trails of personal information are left everywhere, and can therefore be of great use in specific circumstances, such as counter-terrorism activities[994].
On the other, however, consensus seems to be forming around the fact that bulk collection of data – and especially of communication content data – is not a desirable policy option, as it involves an excessive intrusion on basic individual privacy rights. These two concurring tendencies carry the potential to pave the way towards an efficient and lawful use of personal data in the context of counter-terrorism by envisioning a hybrid policy model which fully exploits – or rather, does not ignore – the possibilities offered by modern technology, consistently with the American approach, but at the same time does not fail to take into consideration essential, basic and – it might be added – universal, or at least transatlantic, privacy standards. A transatlantic data protection agreement, as proposed by Cole and Fabbrini, might be a starting point[995]; the signing of the Umbrella Agreement in June 2016[996] might even be considered a first step in that direction. What is necessary, for this purpose, is a new paradigm for information privacy which is compatible with the peculiarity of an era, as the present, characterized by an exponential growth of the amount of data produced daily, as well as of the possibilities offered by an efficient exploitation of such information in the field of national security. The issue is not, as it has hitherto been presented, whether and to which degree liberty should be given up in the name of heightened security; but rather questioning what really constitutes liberty, in a time where the right to be left alone, as envisioned by Brandeis, seems to have been replaced by the – quite opposite – desire to share one's life experiences and be socially connected.
An efficient, yet not unrestricted, exploitation of the opportunities offered by the use of personal data for counter-terrorism purposes, which is also – as it must be, lest it provide sanctuaries for Orwellian panopticons – respectful of the truly fundamental core of the right to privacy, can be achieved only through a reassessment of the right to privacy itself, less anchored to traditional twentieth-century constitutional views and more aware of the changes brought by the advent of the digital age.

[994] As CHESTERMAN puts it, “[...] the clear progression is towards even greater government collection of information on the citizen. The argument here is not that it is good or bad; it is in many ways an inevitable consequence of a modern and globalized life. Rather, the point […] is to shift the focus away from questions of whether and how government should collect information, and onto more problematic and relevant questions concerning its use.” CHESTERMAN, One nation under surveillance, p. 5.
[995] See supra note 901.
[996] See supra, Chapter II, para. 2.4.2.

As history flows ahead, however, the past provides not only explanations for the present, but insight for the future as well. An assessment and comparison of the European and American approaches to the fight against terrorism would be sterile and pointless, indeed a mere historical exercise, if not put to use in a concrete manner. In other words: in light of Europe's quasi-newfound role as major global counter-terrorism player, what might the European Union take away from the American experience in counter-terrorism in general, and in data surveillance in particular? There is essentially no risk that the EU will engage in something similar to the “war on terror” enacted by the Bush administration. A preemptive, rather than a responsive, approach is the most appropriate in the context of the European Union.
However, if the objective is thus finding the traditional needle in the haystack, merely making the haystack bigger – in other words, simply enacting data collecting programs within the current institutional framework – does not solve the problem; rather, what is truly necessary are more – and more competent – eyes. In particular, a European agency with a broader and autonomous intelligence mandate – a European counterpart of the NSA, for example – with a remit limited to gathering information related to the countering of specific transnational unlawful activities, such as terrorism, could be of particular use. Moreover, compliance with purpose limitation requirements – a fundamental aspect of the European data protection framework – could be achieved, in light of the negative repercussions which derived in the US from its demolition by the Patriot Act, by the establishment of “barriers” between (national) law enforcement and (European) intelligence agencies: Member States, that is, could be granted the possibility of internally using the information thus gathered, for example for prosecution purposes, only under the condition of a lawful collection and only in accordance with specific data transfer requirements. Moreover, whereas one factor which allowed the development, in the US legal order, of essentially unrestricted forms of mass surveillance was the lack of adequate institutional oversight, within the EU context such a role could be taken up by already-existing privacy watchdogs, such as the European Data Protection Supervisor. An active role of the EDPS, combined with judicial review provided by the Court of Justice, would also guarantee that the scope of EU surveillance programs be limited to tailored collection of specific categories of data, or data pertaining to specific individuals – as is currently taking place, with travel data and financial data – and not entail forms of bulk data collection.
The end result would be a form of integration in national security activities, or rather in European security activities, with the specific aim of countering terrorism, without, however, forcing Member States to give up traditional national security and law enforcement activities. In essence, an ad hoc common framework, for a common, and indeed very serious, problem. As Schulhofer points out, in fact, the shortcomings which made 9/11 possible were not so much those concerning the amount of intelligence gathered, but rather the degree to which already existing information was not shared between relevant agencies in order to acquire the entire picture[997]. Fifteen years later, the amount of overall available information is even higher. If lack of cooperation is thus to be considered primarily responsible for the successful unraveling of the terrorist plots in New York, more intelligence cooperation might, perhaps, contribute to a stronger and safer Europe. One final note, before concluding. As the final pages of this dissertation were being written, an historical event – in the neutral sense – occurred: the election of Donald Trump as 45th President of the United States. As if it were a novel, and not a legal dissertation, the present work thus ends with a cliffhanger – the kind, it seems, that tends to leave most readers wary, rather than expectant, of the story yet to come. It remains to be seen, in fact, whether the Trump administration will follow or deviate from the trends illustrated above. However, where a Trump presidency will bring the United States – and, with it, the world – cannot, at the present stage, be predicted.

[997] SCHULHOFER, Rethinking the Patriot Act, pp. 21-28.

BIBLIOGRAPHY

ABRAMS, Developments in US anti-terrorism law. Checks and balances undermined, Journal of International Criminal Justice, Vol. 4, 2006, pp. 1117-1136.
ARCHICK, US-EU Cooperation against terrorism, Congressional Research Service Report, RS22030, 2 March 2016.
ARGOMANIZ, The EU and Counter-terrorism. Politics, polity and policies after 9/11, Routledge Contemporary Terrorism Studies, New York, 2011.
ARGOMANIZ, BURES, KAUNERT, A Decade of EU Counter-Terrorism and Intelligence: a critical assessment, Intelligence and National Security, Vol. 30, Nos. 2-3, 2015, pp. 191-206.
AZOULAI and VAN DER SLUIS, Institutionalizing personal data protection in times of global institutional distrust: Schrems, 53 Common Market Law Review 2016, pp. 1343-1371.
BANKS, Responses to ten questions. Is the FISA Amendments Acts of 2008 good policy? Is it constitutional?, William Mitchell Law Review, Vol. 35, Issue 5, 2009, pp. 5007-5017.
BARENTS, The Court of Justice after the Treaty of Lisbon, 47 Common Market Law Review 2010, pp. 709-728.
BASSIOUNI, Torture and the war on terror. The institutionalization of torture under the Bush administration, Case Western Reserve Journal of International Law, Vol. 37, 2006, pp. 389-425.
BIANCHI, La dimensione giuridica della paura: controterrorismo e diritti umani, in GARGIULO e VITUCCI, La tutela dei diritti umani nella lotta e nella guerra al terrorismo, Editoriale Scientifica, Napoli, 2009.
BIGNAMI, Privacy and Law Enforcement in the European Union: The Data Retention Directive, Chicago Journal of International Law, Vol. 8, No. 1, Summer 2007, pp. 233-255.
BIGNAMI, European versus American Liberty: a comparative privacy analysis of antiterrorism data mining, Boston College Law Review, Vol. 48, 2007, pp. 609-698.
BIGNAMI, The US legal system on Data Protection in the field of law enforcement. Safeguards, rights and remedies for EU citizens, Study for the European Parliament LIBE Committee, PE 519.215, 2015.
BIGO, CARRERA, GUILD, et al., The EU and its Counter-terrorism policies after the Paris attacks, CEPS Paper in Liberty and Security, No. 84, November 2015.
BIONDI DAL MONTE, Terrorismo, ordine pubblico e sicurezza nazionale nell'Unione Europea, Quaderni Costituzionali, Settembre 2015, pp. 788-791.
BLAKENEY, The Data Retention Directive: Combating Terrorism or Invading Privacy?, Computer and Telecommunications Law Review, Vol. 13, No. 5, 2007, pp. 153-157.
BLUME, Data protection and privacy – basic concepts in a changing world, Scandinavian Studies in Law, Vol. 56, 2010, pp. 151-164.
BOSSONG, The Action Plan on Combating Terrorism: a flawed instrument of EU security governance, Journal of Common Market Studies, Vol. 46, No. 1, 2008, pp. 27-48.
BOWDEN and BIGO, The US surveillance programs and their impact on EU citizens' fundamental rights, Study for the European Parliament LIBE Committee, PE 474.405, 2013.
BREYER, Telecommunications data retention and human rights: the compatibility of blanket traffic data retention with the ECHR, European Law Journal, Vol. 11, No. 3, May 2005, pp. 365-375.
BROUWER, CATZ, and GUILD, Immigration, Asylum and Terrorism: a changing dynamic in European Law, Recht & Samenleving, Nijmegen, 2003.
BUREŠ, Intelligence sharing and the fight against terrorism in the EU: lessons learned from Europol, European View, No. 15, 2015, pp. 57-66.
BURRI and SCHÄR, The Reform of the EU Data Protection Framework: Outlining Key Changes and Assessing their fitness for a data-driven economy, forthcoming in Journal of Information Policy, Vol. 6, 2016.
CAYFORD, VAN GULIJK and VAN GELDER, All swept up: An initial classification of NSA surveillance technology, Safety and Reliability: Methodology and Applications, NOWAKOWSKI et al., CRC Press, 2015, pp. 643-650.
CHESTERMAN, One nation under surveillance. A new social contract to defend freedom without sacrificing liberty, Oxford University Press, New York, 2011.
CINQUEGRANA, The walls (and wires) have ears: the background and first ten years of the Foreign Intelligence Surveillance Act of 1978, University of Pennsylvania Law Review, Vol. 137, 1989, pp. 793-828.
CÎRLIG, EU-US cooperation in Justice and Home Affairs – an overview, European Parliament Research Service Briefing, PE 580.892, April 2016.
CLAPHAM, Human rights. A very short introduction, Oxford University Press, New York, 2007.
COLE, The new McCarthyism: repeating history in the war on terrorism, Harvard Civil Rights-Civil Liberties Law Review, Vol. 38, 2003, pp. 1-30.
COLE and FABBRINI, Bridging the transatlantic divide? The United States, the European Union, and the protection of privacy across borders, International Journal of Constitutional Law, Vol. 14, No. 1, 2016, pp. 220-237.
CONFORTI, Diritto Internazionale, Editoriale Scientifica, Napoli, 2010.
CONNORTON, Tracking Terrorist Financing through SWIFT: When U.S. subpoenas and foreign privacy law collide, Fordham Law Review, Vol. 76, 2007, pp. 283-322.
COOLSAET, EU counterterrorism strategy: value added or chimera?, International Affairs, Vol. 86, Issue 4, 2010, pp. 857-873.
CRAIG and DE BÚRCA, EU Law: Texts, cases, materials, Oxford University Press, New York, 5th edition, 2011.
CRESPI, La nuova proposta di decisione di adeguatezza della Commissione Europea riguardo agli USA: lo scudo UE/USA per la privacy, Eurojus.it, 26 April 2016, available at http://rivista.eurojus.it/la-nuova-proposta-di-decisione-di-adeguatezzadella-commissione-europea-riguardo-agli-usa-lo-scudo-ueusa-per-la-privacy/
DANIELE, Diritto dell'Unione Europea, Giuffrè, Milano, 2010.
DE BÚRCA, The European Court of Justice and the International Legal Order After Kadi, Harvard International Law Journal, Vol. 51, No. 1, Winter 2010, pp. 1-49.
DE CAPITANI, 'Foreign fighters' and EU implementation of the UNSC resolution 2178. Another case of 'legislate in haste, repent at leisure...'?, FREE Group, 6 April 2015, available at https://free-group.eu/2015/04/06/foreign-fighters-and-eu-implementationof-the-unsc-resolution-2178-another-case-of-legislate-in-haste-repent-at-leisure-1/
DE HERT, Balancing security and liberty within the European human rights framework. A critical reading of the Court's case law in the light of surveillance and criminal law enforcement strategies after 9/11, Utrecht Law Review, Vol. 1, Issue 1, September 2005, pp. 68-96.
DE HERT and PAPAKONSTANTINOU, The data protection framework decision of 27 November 2008 regarding police and judicial cooperation in criminal matters – A modest achievement however not the improvement some have hoped for, Computer Law & Security Review, Vol. 25, 2009, pp. 403-414.
DE HERT and PAPAKONSTANTINOU, The New General Data Protection Regulation: still a sound system for the protection of individuals?, Computer Law & Security Review, Vol. 32, 2016, pp. 179-194.
DE HERT and PAPAKONSTANTINOU, The EU PNR framework decision proposal: towards completion of the PNR processing scene in Europe, Computer law and security review, Vol. 26, 2010, pp. 368-376.
DERSHOWITZ, Tortured Reasoning, in: LEVINSON, Torture: a collection, Oxford University Press, New York, 2004, pp. 257-280.
DI FRANCESCO MAESA, Balance between security and fundamental rights protection: an analysis of the directive 2016/680 for data protection in the police and justice sectors and the Directive 2016/681 on the use of passenger name record, available at http://rivista.eurojus.it/balance-between-security-and-fundamental-rights-protectionan-analysis-of-the-directive-2016680-for-data-protection-in-the-police-and-justicesectors-and-the-directive-2016681-on-the-use-of-passen/, 24.05.2016.
DONOHUE, Bulk metadata collection: statutory and constitutional considerations, Harvard Journal of Law and Public Policy, Vol. 37, Summer 2014, pp. 757-899.
DONOHUE, Section 702 and the collection of international telephone and internet content, Harvard Journal of Law and Public Policy, Vol. 38, Winter 2015, pp. 117-265.
DOSWALD-BECK, Human Rights in times of conflict and terrorism, Oxford University Press, New York, 2011.
DOYLE, National Security Letters in Foreign Intelligence Investigations: Legal Background, Congressional Research Paper, Report No. RL33320, July 2015. DUMITRIU, The E.U.'s definition of terrorism: the Council Framework Decision on Combating Terrorism, German Law Journal, Vol. 5, No. 5, 2004, pp. 585-602. DWORKIN, Corte Suprema e garanzie nel trattamento dei terroristi, Quaderni costituzionali, Anno XXV, No. 4, December 2005, pp. 905-920. ECKES, EU restrictive measures against natural and legal persons: from counterterrorist to third country sanctions, 51 Common Market Law Review 2014, pp. 869-906. ECKES, Judicial Review of European anti-terrorism measures – the Yusuf and Kadi judgments of the Court of First Instance, European Law Journal, Vol. 14, No. 1, X January 2008, pp. 74-92. EDWARDS and MEYER, Introduction: Charting a contested transformation, Journal of Common Market Studies, Vol.46, No.1, 2008, pp. 1-25. EPSTEIN and WALKER, Constitutional Law for a changing America, 6th edition, CQ Press, Thousand Oaks, California, 2015. FABBRINI, The role of the judiciary in times of emergency: judicial review of counterterrorism measures in the United States Supreme Court and the European Court of Justice, Yearbook of European Law, Vol. 28, 2010, pp. 664-697. FABBRINI, Lotta al terrorismo: da Bush a Obama, passando per la Corte Suprema, Quaderni Costituzionali, Anno XXXI, No.1, March 2011, pp. 89-103. FÄGERSTEN, For EU eyes only? Intelligence and European security, European Union Institute for Security Studies Briefs, Brief No. 8, 4 March 2016. FEILER, The legality of the Data Retention Directive in light of the fundamental rights to privacy and data protection, European Journal of Law and Technology, Vol. 1, Issue 3, 2010. FICHERA, The European Arrest Warrant and the Sovereign State: a marriage of convenience?, European Law Journal, Vol. 15, No. 1, January 2009, pp. 70-97. FROMHOLZ, The European Union Data Privacy Directive, Berkeley Technology Law Journal, Vol. 15, No. 
1, 2000, pp. 461-484. GALLI, Terrorism, in MITSILEGAS, BERGSTRÖM and KONSTADINIDES, Research Handbook on EU Criminal Law, Edward Elgar publishing, Cheltenham (UK), 2016. XI GARLINGER, Privacy, free speech, and the Patriot Act: first and fourth amendment limits on national security letters, New York University Law Review, Vol. 84, 2009, pp. 1105-1147. GATTINI, Case Law. Joined cases C-402/05 and C-415/05, 46 Common Market Law Review 2009, pp. 213-239. GELLMAN and POITRAS, US, British intelligence mining data from nine U.S. Internet companies in broad secret program, The Washington Post, 7 June 2013. GIATTINI, La tutela dei dati personali davanti alla Corte di Giustizia dell'UE: il caso Schrems e l'invalidità del sistema di 'approdo sicuro', Diritti Umani e Diritto Internazionale, Vol.10, No.1, 2016, pp. 247-254. GILMORE and RIJPMA, Case law. Joined Cases C-317/04 and C-318/04, European Parliament v. Council and Commission, Judgment of the Grand Chamber of 30 May 2006, 44 Common Market Law Review 2007, pp. 1081-1099. GRADONI, Raccontare “Kadi” dopo “Kadi II”: perché la Corte di Giustizia dell'Unione Europea non transige sul rispetto dei diritti umani nella lotta al terrorismo, Diritti Umani e Diritto Internazionale, Vol. 7, No. 3, 2013, pp. 587-614. GRANGER and IRION, The Court of Justice and the Data Retention Directive in Digital Rights Ireland: telling off the EU legislator and teaching a lesson in privacy and data protection, European Law Review, Vol. 39, No. 4, 2014, pp. 835-850. GRASSO, Il trattato di Lisbona e le nuove competenze penali dell'Unione Europea”, in: Studi in onore di Mario Romano, Jovene Editore, Milano, 2011, pp. 2308-2350. XII GRASSO, La competenza penale dell'Unione Europea nel quadro del Trattato di Lisbona, in: GRASSO, PICOTTI, SICURELLA, L'evoluzione del diritto penale nei settori d'interesse europeo alla luce del trattato di Lisbona, Giuffrè, Milano, 2011, pp. 683722. 
GRENENWALD, NSA Prism program taps in to user data of Apple, Google and others, The Guardian, 7 June 2013. GREGORY, The EU's response to 9/11: a case study of institutional roles and policy processes with special reference to issues of accountability and human rights, Terrorism and Political Violence, No. 17, 2005, pp. 105-123. GUILD, The Uses and Abuses of Counter-terrorism Policies in Europe: the case of 'terrorist lists', Journal of Common Market Studies, Vol. 46, No. 1, pp. 173-193. GUILD and CARRERA, The political and judicial life of metadata: Digital Rights Ireland and the Trail of the Data Retention Directive, CEPS Paper in Liberty and Security in Europe, No. 65, May 2014. HAN, KAMBER, PEI, “Data mining. Concepts and techniques”, Morgan Kaufmann Publishers, Waltham, 2012. HAYES and JONES, Taking stock. The evolution, adoption, implementation and evaluation of EU counter-terrorism policy, in DE LONDRAS and DOODY, The Impact, Legitimacy and Effectiveness of EU Counter-terrorism, Routledge, New York, 2014. HIJMANS, Recent developments in data protection at European Union Level, ERA Forum 11, 2010, pp. 219-231. XIII HIJMANS and SCIROCCO, Shortcomings in EU data protection in the third and the second pillars. Can the Lisbon treaty be expected to help? 46 Common Market Law Review 2009, pp. 1485-1525. HORNUNG and BOEHM, Comparative study on the 2011 draft Agreement between the USA and the EU on the use and transfer of PNR to the USA DHS, Passau/Luxembourg, 14 March 2012. HUSTINX, Data Protection in the European Union, P&I, 2005, pp. 62-65. ISIKSEL, Fundamental rights in the EU after Kadi and Al Barakaat, European Law Journal, Vol. 16, No. 5, September 2010, pp. 551-577. JACKSON, Culture, identity and hegemony: continuity and (the lack of) change in US counterterrorism policy from Bush to Obama, International Politics, Vol. 48, Nos. 2/3, pp. 390-411. JACOBSON, The west at war. 
US and European Counter-terrorism efforts, post-September 11, The Washington Institute for Near East Policy, Washington, 2006. JAEGER, BERTOT, MCCLURE, The impact of the USA Patriot Act on collection and analysis of personal information under the Foreign Information Surveillance Act, Government Information Quarterly, Vol. 20, 2003, pp. 295-314. JIMENO-BULNES, After September 11th: the Fight against terrorism in National and European Law. Substantive and Procedural Rules: some examples, European Law Journal, Vol. 10, No.2, March 2004, pp. 235-253. JOHNSTON, The European Union, the ongoing search for terrorists' assets and a XIV satisfactory legal framework: getting warmer or colder?, The Cambridge Law Journal, Vol. 66, No. 3, November 2007, pp. 523-525. KATYAL and CAPLAN, The surprisingly stronger case for the legality of the NSA surveillance program: the FDR precedent, Stanford Law Review, Vol. 60, 2008, pp.1023-1077. KAUNERTS and ZWOLSKI, The EU as a global security actor: a comprehensive analysis beyond CFSP and JHA, Palgrave Studies in European Union Politics, Palgrave Macmilian UK, 2013. KERR, Internet Surveillance Law after the USA Patriot Act: the Big Brother that isn't, Northwestern University Law Review, Vol. 97, pp. 607-673. KOSTA and VALCKE, The EU Data Retention Directive. Retaining the Data Retention Directive, Computer Law & Security Review, Vol. 22, Issue 5, 2006, pp. 370-380. KRIS, On the bulk collection of tangible things, Journal of National Security Law and Policy, Vol.7, 2014, pp. 209-295. KUIJPER, The Evolution of the Third Pillar from Maastricht to the European Constitution: Institutional aspects, 41 Common Market Law Review 2004, pp. 609626. LENAERTS, The contribution of the European Court of Justice to the Area of Freedom, Security and Justice, International and Comparative Law Quarterly, Vol. 59, No. 2, April 2010, pp. 255-301. 
LENAERTS and GUTIÉRREZ-FONS, The European Court of Justice and fundamental rights in the field of criminal law, in MITSILEGAS, BERGSTRÖM and KONSTADINIDES, XV Research Handbook on EU Criminal Law, Edward Elgar publishing, Cheltenham (UK), 2016. LICTBLAU and RISEN, Bank data is sifted by U.S. in secret to block terror, New York Times, 23 June 2006. LYON, Surveillance, Snowden, and Big Data: Capacities, consequences, critique, Big Data & Society, July-December 2014, pp. 1-13. LYNSKEY, The Data Retention Directive is incompatible with the rights to privacy and data protection and is invalid in its entirety: Digital Rights Ireland, 51 Common Market Law Review 2014, pp. 1789-1812. MAGRO, Manipolazione dei mercati finanziari e Diritto Penale, Giuffrè, Milano, 2012. MALMSTRÖM, “Taking on the Data Retention Directive”, European Commission conference in Brussels, Brussels, 3 December 2010, SPEECH/10/723. MARCHETTI, Rapporti giurisdizionali con autorità straniere, in CONSO, GREVVI, BARGIS, Compendio di Procedura Penale, CEDAM, Padova, 7th edition, 2014. MARIN, The fate of the Data Retention Directive: about mass surveillance and fundamental rights in the EU legal order, in MITSILEGAS, BERGSTRÖM and KONSTADINIDES, Research Handbook on EU Criminal Law, Edward Elgar publishing, Cheltenham (UK), 2016. MAYER, Executive Orders and Presidential Power, The Journal of Politics, Vol. 61, No. 2, May 1999, pp. 445-466. MCCRISKEN, Ten years on: Obama's war on terrorism in rhetoric and practice, XVI International Affairs, Vol. 87, Issue 4, pp. 781-801. MCDONNELL, The United States, International Law, and the struggle against terrorism, Routledge research in terrorism and the law, Routledge, New York, 2009. MENDES DE LEON, The Fight Against Terrorism trough Aviation: Data Protection versus Data Production, Air & Space Law, Vol. 31, Nos. 4-5, 2006, pp. 320-330. 
MIRAGLIA, La tutela processuale dei diritti dopo l'11 Settembre negli Stati Uniti, in CAVINO, LOSANO, TRIPODINA, Lotta al terrorismo e tutela dei dirtti costituzionali, Giappichelli Editore, Torino, 2009. MITSILEGAS, EU Criminal Law, Hart Publishing, Oxford, 2009. MITSILEGAS, The New EU-USA cooperation on Extradition, Mutual Legal Assistance and the Exchange of Police Data, European Foreign Affairs Review, Vol. 8, 2003, pp. 523-533. MITSILEGAS and GILMORE, The EU legislative framework against money laundering and terrorist finance: a critical analysis in the light of evolving global standards, International Comparative Law Quarterly, Vol. 56, Jan. 2007, pp. 119-141. MONAR, Common Threat and Common Response? The European Union's Counterterrorism Strategy and its problems, Government and Opposition, Vol. 42, No.3, 2007, pp. 292-313. MONAR, The Institutional dimension of the European Union's Area of Freedom, Security and Justice, P.I.E. Peter Lang, Brussels, 2010. MONAR, The EU as an International Counter-terrorism actor: progress and constraints, XVII Intelligence and National Security, Vol. 30, Nos. 2-3, 2015, pp. 333-356. MONAR, The rejection of the EU-US SWIFT Interim Agreement by the European Parliament: a historic vote and its implications, European Foreign Affairs Review, Vol. 15, 2010, pp. 143-151. MÜLLER-RAPPARD, The European Response to International Terrorism, in CHERIF BASSIOUNI, Legal Responses to International Terrorism – U.S. Procedural aspects, Martinus Nijhoff Publishers, Dordrecht, 1988. MURPHY, EU counter-terrorism law: pre-emption and the rule of law, Hart Publishing, Oxford, 2012. MURPHY, Counter-terrorism and Judicial Review: the challenge for the court of justice of the European Union, in DAVID and DE LONDRAS, Critical Debates on Counter- terrorism Judicial Review, Cambridge University Press, Cambridge, 2016, pp. 283301. NIELAND, National Security Letters and the Amended Patriot Act, Cornell Law Review, Vol. 92, 2007, pp. 1207-1237. 
NINO, Il caso Datagate: i problemi di compatibilità del programma di sorveglianza PRISM con la normativa europea sulla protezione dei dati personali, Diritti umani e diritto internazionale, Vol.3, 2013, pp. 727-746. NINO, La Corte di giustizia UE dichiara l'invalidità del sistema di Safe Harbor: la sentenza Schrems, SIDIblog, 24 October 2015. NINO, Terrorismo internazionale, privacy e protezione dei dati personali, Editoriale XVIII Scientifica, Napoli, 2012. NINO, The Protection of personal data in the fight against terrorism. New perspectives of PNR European Union instruments in the light of the Treaty of Lisbon, Utrecht Law Review, Vol. 6, Issue 1, January 2010, pp. 62-85. OBAMA, Renewing American leadership, Foreign Affairs, July-August 2007, pp. 2-32. PAGALLO, La tutela della privacy negli Stati Uniti d'America e in Europa. Modelli giuridici a confronto, Giuffrè, Milano, 2008. PAPAKONSTANTINOU and DE HERT, The PNR Agreement and Transatlantic anti-terrorism co-operation: no firm human rights framework on either side of the Atlantic, 46 Common Market Law Review 2009, pp. 885-919. PASQUERO, Mutuo riconoscimento delle decisioni penale: prove di federalismo, Giuffrè, Milano 2007. PAYE, Les transactions fiancières internationales sous contrôle américain, Diritti Umani e Diritto Internazionale, Vol. 3, 2008, pp. 587-600. PEERS, EU responses to terrorism, The International and Comparative Law Quarterly, Vol. 52, No.1, January 2003, pp. 227-243. PEERS, Mission accomplished? EU Justice and Home Affairs Law after the Treaty of Lisbon, 48 Common Market Law Review 2011, pp. 661-693. PEERS, Salvation outside the church: judicial protection in the third pillar after the Pupino and Segi judgments, 44 Common Market Law Review 2007, pp. 883-929. XIX PFISTERER, The Second SWIFT Agreement between the EU and the USA - An overview, German Law Journal, Vol. 11, No. 10, 2010, pp. 1173-1188. 
POSNER, Not a suicide pact: the Constitution in a time of national emergency, Oxford University Press, New York, 2006. PROUST, A historic week for EU privacy law, 19 April 2016, availabe at http://privacylawblog.fieldfisher.com/2016/a-historic-week-for-eu-privacy-law REES, US-EU 'Homeland Security' Cooperation, in EDER and SENN, Europe and Transnational Terrorism: Assessing threats and countermeasures, Nomos, BadenBaden, 2009, pp. 129- 144. REES and ALDRICH, Contending cultures of counterterrorism: transatlantic divergence or convergence?, International Affairs, Vol. 81, No.5, 2005, pp. 905-923. RIJKEN, Re-balancing security and justice: protection of fundamental rights in police and judicial cooperation in criminal matters, 47 Common Market Law Review 2010, pp. 1455-1492. RINOLDI, Il pilastro resistente. Contrasto al terrorismo e competenze dell'Unione Europea in materia di Politica estera e sicurrezza comune: Liste nere e spazio di libertà, sicurezza, giustizia, in: GRASSO, PICOTTI, SICURELLA, L'evoluzione del diritto penale nei settori d'interesse europeo alla luce del trattato di Lisbona, Giuffrè, Milano, 2011. RUBINSTEIN, LEE, and SCHWARTZ, Data mining and internet profiling: emerging regulatory and technological approaches, The University of Chicago Law Review, Vol.75, No.1, pp. 261-285. XX RYAN, the 9/11 Terror Cases. Constitutional challenges in the war against Al Qaeda, University Press of Kansas, Lawrence, 2015. SAFIRE, You are a suspect, The New York Times, 14 November 2002. SALAZAR, Misure di contrasto alla criminalità organizzata elaborate dall'Unione Europea, in BASSIOUNI, La cooperazione internazionale per la prevenzione e la repressione della criminalità organizzata e del terrorismo, Giuffrè, Milano, 2005. SALUZZO, Tutela dei dati personali e deroghe in materia di sicurezza nazionale dopo l'entrata in vigore del Privacy Shield, SIDIblog, 13 September 2016. 
SALINAS DE FRÍAS, Counter-terrorism and human rights in the case law of the European Court of Human Rights, Council of Europe Publishing, November 2012. SANTOLLI, The Terrorist Finance Tracking Program: Illuminating the shortcomings of the European Union's antiquated data privacy directive, George Washington International Law Review, Vol. 40, 2008, pp. 553-582. SANTOSUOSSO, Diritto, scienze, nuove tecnologie, CEDAM, Padova, 2016. SAVINO, Kadi II, ultimo atto: un modello globale per la prevenzione amministrativa?, Giornale di diritto amministrativo, Vol.11, 2013, pp. 1052-1059. SAUL, Defining terrorism in international law, Oxford University Press, New York, 2006. SCHULHOFER, Rethinking the Patriot Act. Keeping America safe and free, The Century Foundation Press, New York, 2005. SCHULHOFER, An international right to privacy? Be careful what you wish for, XXI International Journal of Constitutional Law, Vol.14, Issue 1, January 2016, pp. 238260 SEIFERT, Data mining and Homeland Security: an overview, Congressional Research Service No. RL31798, April 2008. SELVAGGI, Il mandato di arresto europeo: l'esperienza giurisprudenziale e l'uso del canone di interpretazione conforme, in RAFARACI, La cooperazione di polizia e giudiziaria in materia penale nell'Unione Europea dopo il trattato di Lisbona, Giuffrè, Milano, 2011. SHAFFER, Globalization and social protection: the impact of EU and international rules in the ratcheting up of U.S. privacy standards, The Yale Journal of International Law, Vol. 25, 2000, pp. 2-86. SGUEO, Counter-terrorism funding in the EU budget, European Parliamentary Research Service Briefing, April 2016. SHERWOOD, The enforcement of administrative subpoenas, Columbia Law Review, Vol. 44 No. 4, July 1944, pp. 531-547. SOLOVE, Reconstructing Electronic Surveillance Law, The George Washington Law Review, Vol. 72, No. 6, 2004, pp. 1701-1747. SOLOVE, Data mining and the security- liberty debate, The University of Chicago Law Review, Vol.75, No.1, 2008, pp. 
343-362. STERN, Obama and Terrorism: like it or not, the war goes on, Foreign Affairs, November-December 2015, pp. 62-70. XXII SVENSON et al., Social network analysis and information fusion for anti-terrorism, in Proceedings of the Conference on Civil and Military Readiness, Sweden, 2006. SWIRE, The System of Foreign Intelligence Surveillance Law, The George Washington Law Review, Vol. 72, No.6, 2004, pp. 1306-1374. SWIRE, US surveillance law, safe harbor, and reforms since 2013, Georgia Tech Scheller College of Business Research Paper No. 36, December 2015. TERRASI, SWIFT Program e tutela della riservatezza: ancora sul trasferimento di dati dall'Unione Europea agli Stati Uniti, Diritti Umani e Diritto Internazionale, Vol. 3, 2008, pp. 601-621. TERRASI, Lotta al terrorismo e flussi trasnfrontalieri di dati personali, in GARGIULO and VITUCCI, La tutela dei diritti umani nella lotta e nella guerra al terrorismo, Editoriale Scientifica, Napoli, 2009. TERRASI, Trasmissione dei dati personali e tutela della riservatezza: l'accordo tra Unione Europea e Stati Uniti del 2007, Rivista di Diritto Internazionale, Vol. 2, 2008, pp. 375-419. THURAISINGHAM, Data mining for counter-terrorism, in: KARGUPTA, JOSHI, SIVAKUMAR, YESHA, Data Mining: Next Generation Challenge and Future Directions, AAAI Press, 2004. TRIDIMAS and GUTIERREZ FONS, EU Law, international law, and economic sanctions against terrorism: the judiciary in distress?, Fordham International Law Journal, Vol. 32, Issue 2, January 2009, pp. 660-730. VERVAELE, The anti-terrorist legislation in the US: inter arma silent leges?, European XXIII Journal of Crime, Criminal Law and Criminal Justice, Vol. 13, 2005, pp. 201-254. VERVAELE, The anti-terrorist legislation in the US: criminal law for the enemies?, European Journal of Law Reform, Vol. 8, No.1, 2007, pp. 137-171. VORONOVA, Combating Terrorism, EPRS Briefing on EU legislation in progress, Members' Research Service, July 2016. 
WARREN and BRANDEIS, The right to privacy, Harvard Law Review, Vol. 4, No.5, 1890, pp. 193-220. WEISS and ARCHICK, US-EU Data Privacy: From Safe Harbor to Privacy Shield, Congressional Research Service Report, R44257, 19 May 2016. WESSELING, An EU Terrorist Finance Tracking System, Royal United Services Institute for Defence and Security Studies, Occasional Paper, September 2016. WEYEMBERGH and SANTAMARIA, Lutte contre le Terorrisme et droits fondamentaux dans la cadre du troisième piler, in RIDEAU, Les droits fondamentaux dans l'Unione européenne, Bruylant, Bruxelles, 2009. WHITE, Counter terrorism: weighing the price of liberty, J Socialomics 5:143, 2015. WHITEHEAD and ADEN, Forfeiting “Enduring Freedom” for “Homeland Security”: a constitutional analysis of the USA Patriot Act and the justice department's antiterrorism initiatives, American University Law Review, Vol. 51, 2002, pp. 1083-1133. WHITMAN, The two western cultures of privacy: dignity versus liberty, The Yale Law Journal, Vol. 113, No. 6, April 2004, pp. 1151-1221. XXIV WILSON, Gone with the wind? The inherent conflict between API/PNR and Privacy Rights in an increasingly security-conscious world, Air & Space Law, Vol. 41, No. 3, 2016, pp. 229-264. WOUTERS and NAERT, Of Arrest Warrants, Terrorist Offences and Extraditional deals: an appraisal of the EU's main criminal law measures against terrorism after 11 September, 41 Common Market Law Review 2004, pp. 909-935. XXV TABLE OF CASES I. Court of Justice of the European Union (CJUE) Court of Justice C-4/73, Nold KG v. Commission, 14 May 1974. C-84/95, Bosphorus Hava Yollari Turizm ve Ticaret AS v. Minister for Transport, Energy and Communication and others, 30 July 1996. C-177/95, Ebony Maritime and Loten Navigation v. Prefetto della Provincia di Brindisi and others, 27 February 1997. Joined cases C-465/00, C-138/01, C-139/01, Rechnungshof v. Österreichischer Rundfunk et al., 20 May 2003. C-101/01, Bodil Lindqvist, 6 November 2003. 
C-105/03, Pupino, 16 June 2005. Joined cases C-317/04, European Parliament v. Council, and C-318/04, European Parliament v. Commission, 30 May 2006. C-354/04P, Gestoras Pro Amnistía, Juan Mari Olano Olano and Julen Zelarain Errasti v Council of the European Union, 27 February 2007. C-355/04P, Segi, Araitz Zubimendi Izaga and Aritza Galarraga v. Council of the European Union, 27 February 2007. Joined cases C-402/05P and C-415/05P, Kadi and Al Barakaat International foundation v. Council and Commission, 3 September 2008. Joined cases C-399/06P, Faraj Hassan v. Council of the European Union and European Commission, and C-403/06 P, Chafiq Ayadi v. Council of the European Union, 3 December 2009. Joined cases C-92/09 Volker und Markus Schecke v. Land Hessen, and C-93/09 Hartmut Eifert v. Land Hessen, 9 November 2010. C-236/09, Association Belge des Consommateurs Test-Achats ASBL et al. v. Council, 1 March 2011. XXVI C-548/09P, Bank Melli Iran v Council, 16 November 2011. Joined cases C-584/10P, C-593/10P and C-595/10P, European Commission and others v. Yassin Abdullah Kadi. 18 July 2013. C-131/12, Google Spain v. Agencia Española de Protección de datos, 13 May 2014. Case C-293/12, Digital Rights Ireland, 8 April 2014. Case C-362/14, Max Schrems v. Data Protection Commissioner, 6 October 2015. Joined cases C-203/15, Tele2 Sverige AB v Post-och telestyrelsen, and C-698/15, Secretary of State for the Home Department v. Watson, Brice, and Lewis, pending. General Court – former Court of First Instance (CFI) T-306/01, Yusuf and Al Barakaat International Foundation v. Council and Commission, 21 September 2005. T-315/01, Kadi v. Council and Commission, 21 September 2005. T-333/02, Gestoras pro-amnistía and others v. Council, 7 June 2004. T-338/02, Segi, Araitz Zubimendi Izaga and Aritza Galarraga v. Council of the European Union, 7 June 2004. T-228/02, Organisation des Modjahedines du pueple d'Iran v. Council, 12 December 2006. T-85/09, Yassin Abdullah Kadi v. 
European Commission, 30 September 2010. II. European Court of Human Rights Klass and others v.. Germany, 6 September 1978, app. no. 5029/71. The Sunday Times v. UK, 26 April 1979, app. no. 6538/74. Airey v. Ireland, 9 October 1979, app. no. 6289/73. Malone v. UK, 2 August 1987, app. no 8691/79. Leander v Sweden, 26 March 1987, app. no.9248/81. XXVII Rotaru v. Romania, 4 May 2000, app. no. 28341/95. Copland v. UK, 3 April 2007, app. no. 62617/00. S. and Marper v. UK, 4 December 2008, combined applications 30562/04 and 30566/04. Leroy v. France, 6 April 2009, app. no. 36109/03. III. United States case law United States Supreme Court 277 U.S. 438 (1928), Olmstead v. United States 316 U.S. 129 (1942), Goldman v. United States 339 U.S. 763 (1950), Johnson v. Eisentrager 381 U.S. 479 (1965), Griswold v. Connecticut 389 U.S. 347 (1967), Katz v. US 407 U.S. 297 (1972), United States v. United States District Court for the Eastern District of Michigan 410 U.S. 113 (1973), Roe v. Wade 425 U.S. 435 (1976), United States v. Miller 429 U.S. 589 (1977), Whalen v. Roe 442 U.S. 735 (1979), Smith v. Maryland 497 U.S. 261 (1990), Cruzan v. Director, Missoury Department of Health 533 U.S. 27 (2001), Kyllo v. United States 539 U.S. 558 (2003), Lawrence v. Texas 542 U.S. 426 (2004), Rumsfeld v Padilla XXVIII 542 U.S. 466 (2004), Rasul v. Bush 542 U.S. 507 (2004), Hamdi v. Rumsfeld 548 U.S. 557 (2006), Hamdan v. Rumsfeld 553 U.S. 723 (2008), Boumedine v. Bush 569 U.S. __ (2013), Maryland v King 569 U.S. 1 (2013), Florida v. Jordines United States lower courts 255 F.3d 325 (6th Circuit, 2001), Guest v. Leis 334 F. Supp.2d 471 (S.D.N.Y. 2004), Doe v. Ashcroft 500 F. Supp.2d 379 (S.D.N.Y. 2007), Doe v. Gonzales 631 F.3d 266 (6th Circuit, 2010) United States v. Warshak 785 F.3d 787 (2nd Circuit, 2015) ACLU v. Clapper 957 F. Supp.2d 1 (D.D.C. 2013) Klayman v. Obama Foreign Intelligence Surveillance Court Docket number BR 08-13, 2 March 2009, In re production of tangible things IV. 
Other case law Bundesverfassungsgericht, 73, 339, 2 BvR 197/83, 22 October 1986. Bundesverfassungsgericht, 1 Bvr 256/08, 1 BvR 586/08, 1 BvR 263/08, 2 March 2010. Bulgarian Supreme Administrative Court, decision no. 13627, 11 December 2008. Romanian Constitutional Court, decision no. 1258, 8 October 2009. XXIX Cyprus Supreme Court, app. no. 15/2010, 1 February 2011. Czech Constitutional Court, Pl. ÚS 24/10, 22 March 2011. XXX