Europol’s Joint and Several Liability Regime: Revolutionizing EU Fundamental Rights Responsibility?

 

Dr Joyce de Coninck, University of Ghent

Photo credit: Oseveno 

Introduction

 

The Europol Regulation introduces a system of joint and several EU liability for unlawful data processing in violation of Article 7 and 8 of the Charter of Fundamental Rights. This nascent EU liability regime features at the heart of the dispute in the Marián Kočner v Europol saga, and much like the recent WS and others v Frontex case before the General Court, highlights the urgency for clarification on joint responsibility for human rights violations as a result of shared conduct between the EU’s operational agencies and the EU Member States.

 

One of the drivers prompting this need for clarification, relates to the increased cooperation between the EU’s operational agencies on the one hand, with EU Member States on the other hand, in achieving common objectives. While Frontex is increasingly endowed with (executive) powers in the EU’s Integrated Border Management (see here, here and here), Europol is endowed with increased powers regarding the processing of large datasets, the screening of foreign direct investment in security-related cases and the acquisition of data from private companies in dealing with terrorist or child abuse material. These enhanced powers result in a multiplicity of public and private actors working together in achieving common goals, where previously such tasks fell within the exclusive purview of the Member States.  

 

The ‘crowding of the operational field’, referred to by Gkliati and McAdam as the ‘many hands’ problem, reveals a significant disconnect between the EU’s contemporary liability regime on the one hand, and the application of this liability regime in practice to situations of joint conduct that give rise to human rights harms on the other hand. In other words, the EU’s liability regime was not legally designed to accommodate questions of joint responsibility for human rights harms flowing from concerted conduct by the EU institutions, bodies, offices and agencies and the EU Member States. The incompatibility – or rather, unsuitability – of the EU’s human rights regime in dealing with joint conduct, features on two distinct levels, and on both levels, a driving force behind the unsuitability is one of legal design.

 

On the one hand, historical accounts of the constitutionalization of fundamental rights in the EU, giving rise to the Charter of Fundamental Rights in particular, explain that this process was by and large the result of constitutional concerns over EU fundamental rights protection by domestic courts. In other words, this exercise of constitutionalization came about in reaction to constitutional objections by Member States regarding the level of protection of fundamental rights provided under the EU’s chapeau. An unintended consequence of this development appears to be that the drafters of the Charter did not necessarily consider joint and inseparable operational conduct by EU entities and the EU Member States. In turn, and as predicted by Weiler, it did not bring the added clarity to how the state-centric Charter rights – many of which were inspired by and textually almost identical to state-centric international human rights treaties – would translate into enforceable negative and positive human rights obligations that give flesh to the bones of these human rights commitments. In other words, the mere fact that EU entities are bound by fundamental rights in the Charter, does not relay much on how the EU must conduct itself in order to comply with these rights, as I have discussed at length elsewhere (here, here and here).

 

On the other hand, the EU’s liability regime also was not legally designed to respond to questions of responsibility-allocation flowing from unlawful joint conduct giving rise to human rights harms. This is textually and historically supported, as the EU’s action for damages falls within the exclusive purview of the CJEU (Article 268 in juncto 340 TFEU) and case law has set out rules proclaiming that national courts shall be seized where damages are the result of the incorrect or correct implementation by Member States of EU legislative acts (for a general discussion, see here). In other words, the EU’s action for damages was not developed to consider joint non-contractual responsibility and the conditions for liability subsequently developed through the CJEU’s case law were also not developed with such liability in mind.

 

However, the increased reliance on inseparable and operational cooperation between EU entities and its Members giving rise to fundamental rights harms, brings to the fore a new dimension of liability that was not foreseen in either the normative human rights developments giving rise to the Charter, nor the liability regime that currently exists within the EU’s framework. Yet it is precisely this question of joint liability that sits at the heart of the case of Marián Kočner v Europol currently pending before the CJEU and the accompanying opinion by Advocate General Rantos as developed and discussed in what follows.

 

The Case

 

In 2018 Marián Kočner was being investigated by the Slovak criminal authorities within the context of a murder investigation. The investigation resulted in the domestic authorities taking possessing of two mobile phones and a USB drive belonging to the Applicant, which were subsequently handed over to Europol at the request of the domestic authorities in October 2018. Several months later, Europol returned the mobile phones and the USB-drive along with relevant scientific reports concerning its contents, as well as a hard-drive with encrypted data derived from the mobile phones to the Slovak authorities. The contents of the mobile phones and USB drive – transcripts of intimate conversations involving the applicant and his girlfriend, as well as the inclusion of his name on the ‘mafia lists’ – were subsequently leaked in large quantities and made public by the press. On the basis of these leaks the Applicant claimed compensation from Europol for non-material damage stemming from unlawful data processing, underscoring that the leaks by the press violated his right to a private and family life as protected under Article 7 CFR.

 

In the subsequent action for damages on the basis of Article 268 and Article 340 TFEU, the General Court dismissed the Applicant’s claims (Kočner v Europol T-528/20) holding that no causal link could be established between Europol’s conduct and the purported damages stemming from the data made public from the mobile phones, and that the Applicant had not provided any evidence demonstrating that the ‘mafia lists’ had been drawn up by Europol.

 

In his appeal, the Applicant asks the Court of Justice to set aside the General Court’s ruling on the basis of six points of law. For the purpose of the current contribution however, the focus will be on the argument raised by the Applicant concerning the nature of the EU’s liability. Specifically, the Applicant argues that the General Court erred in law for having disregarded Europol’s liability in light of recital 57 of the Europol Regulation related to joint and several liability. In other words, this claim by the Applicant juxtaposes the concept of ‘joint and several liability’ with the notion of joint responsibility more generally, contending that the implications of these different approaches to responsibility may have yielded a different outcome in the case. According to the Applicant, the fact that the General Court did not consider Europol’s liability through the standard of ‘joint and several liability’ constitutes an error depriving recital 57 of the Europol Regulation of any significance.

 

The arguments advanced by the Applicant provide the Court of Justice with the first-ever opportunity to rule on the scope and implications of the concept of joint and several liability of Europol, which – given the marginal case law on joint responsibility for human rights harms more generally – could prove very instructive in clarifying the conditions of joint responsibility and the manner in which such responsibility should be allocated between the EU and the Member States.

 

The Opinion

 

After dismissing an admissibility objection by Europol, Advocate General Rantos identifies six grounds of appeal, of which four relate to the question of whether unlawful data processing occurred by Europol. The remaining two points of appeal concern the nature of Europol’s liability and the concept of ‘joint and several liability’ specifically.

 

The question of the nature of Europol’s responsibility essentially revolves around recital 57 and Article 50 of the Europol Regulation. As aforementioned, recital 57 introduces the concept of joint and several liability where it may “…be unclear for the individual concerned whether damage suffered as a result of unlawful data processing is a consequence of action by Europol or by a Member State”. This provision covers only liability issues relating to unlawful data processing and only insofar it is unclear to which party the (unlawful) data processing should be attributed, whereas the preceding recital 56 recalls that for all other questions of non-contractual liability, the EU’s general liability rules – as articulated in the CJEU’s Bergaderm ruling – apply.

 

Chapter 7 of the Europol Regulation covers remedies and liability and Article 50 specifically, addresses liability stemming from unlawful data processing. This provision holds in its first paragraph that anyone having suffered damage from unlawful data processing will be entitled to receive compensation from either Europol in line with the general liability rules of article 340 TFEU, or from the Member State in which the unlawful data processing occurred in accordance with its domestic law. The second paragraph (Article 50(2)) holds that where a dispute arises concerning the ultimate responsibility for compensation, the Management Board of Europol shall decide by a two-thirds majority who bears the burden of ultimate responsibility for compensation. Grosso modo the relevant recitals appear to refer to modalities of responsibility allocation between Europol and the implicated Member States, whereas Article 50 is concerned with the ensuing obligation of compensation insofar responsibility has effectively been established.  

 

AG Rantos begins his opinion on the nature of the EU’s liability by pointing out that while the relevant recitals do introduce a solidarity-based responsibility mechanism, this is not mentioned explicitly in its operative counterpart. In fact, the absence of any explicit reference to joint and several liability in Article 50 led the General Court to the conclusion that liability in accordance with the general rules on liability embedded in Article 340 TFEU, could not be causally established.

 

After recalling the conditions to establish EU liability generally (para 34 – 35), AG Rantos addresses the question of the nature of Europol’s liability in a threefold manner, recalling that a provision of EU law must be interpreted mindful of its wording (1), the context in which it was drafted (2), and its objective and purpose (3), which may be inferred from its legislative history and through comparative interpretation.

 

Contrary to Europol, AG Rantos concedes that the wording of the relevant recitals (which appear to introduce new modalities of joint responsibility under EU law), and the wording of the Article 50 (which neglects any reference to joint and several liability and refers only to compensation) is not unambiguous. To this end, he underscores that the reference to joint and several liability in recital 57 suggests concurrent liability for Europol and the Member States, whereas Article 50 literally suggests responsibility for compensation as being a responsibility of either the Member State or Europol. Similarly, the generic reference to non-contractual EU liability in Article 340 TFEU, which is to be considered in line with the general principles common in the laws of the Member States, leaves room for interpretation.

 

As concerns the context of the contested provisions, the AG notes that while recitals have no legally binding force as such, they nevertheless function as an indicator of the intent of the legislator. In casu, the intent of the legislator was to favor the aggrieved parties and eliminate any questions of attribution. The AG concludes that this is not in conflict with Article 50, following which the latter must be interpreted in light of recital 57 and the concept of joint and several liability.

 

Finally, the objectives of recital 57 of the Europol Regulation may be discerned through its legislative history and a comparative interpretation of its meaning in light of general principles common to the Member States. Here, the AG recalls that the concept of ‘joint and several liability’ had been introduced in the very first Commission proposal and had been included among others to limit the difficulties encountered by aggrieved parties in attributing unlawful processing to either the Member States or the EU. Furthermore, a comparative analysis of this concept reveals that Member States make use of this mode of liability in cases where attribution of unlawful conduct may be hard to establish. The Advocate General concludes that suspending the procedure before EU courts while the concomitant domestic procedure against the Member State is pending – as typically occurs for questions of joint responsibility – would deprive Article 50 interpreted through recital 57 of any significance. It flows from this that concurrent proceedings would thus be possible. 

Analysis

 

The case deals with a situation of ‘many hands’ cooperation involving a Member State which gives rise to a question of unlawful data processing, arguably falling within the ambit of Article 7 (respect for private and family life) and 8 (protection of personal data) of the Charter. Flowing from this, the Applicant argues that Europol should be held responsible under the rules of joint and several liability, whereas Europol contends that this should be assessed under the standard rules of joint responsibility which are derived from the Bergaderm ruling. In essence, this is a question of whether the lex generalis applies or instead, whether a lex specialis applies. As aforementioned, the Advocate General recommends that the case be re-examined by the General Court, in light of the (underdeveloped) rules on joint and several liability, whereby he concurs with the Applicant that it is unclear to which party the conduct should be attributed.

 

The Francovich and Brasserie du Pêcheur judgments, spell out the conditions for Member State liability under EU law, whereas the Bergaderm judgment spells out the conditions for non-contractual responsibility of the EU institutions. These conditions require that for responsibility to arise, there must be a (sufficiently serious) breach of EU law, that causally gives rise to damage. In certain cases, the CJEU will also demand that the conduct must be attributable to the EU actor under scrutiny.

 

These rules apply to responsibility and joint responsibility between the EU and its Member States generally, but importantly do not prejudice more tailored, specific or alternative rules on (joint) liability. An alternative, bifurcated approach to liability exists in the realm of EU data processing. On the one hand, there are the data-processing specific rules for Member State liability embedded in the GDPR. On the other hand, there are specific liability rules for data processing applicable to EU institutions, bodies, offices and agencies as embedded in the Data Protection Law Enforcement Directive, as well as the Data Processing by the EU Institutions and Bodies Regulation. These data processing-specific rules apply, unless there are more specific rules that have been developed, which is the case for processing of operational data by Europol (Article 2(3) Data Processing by the EU Institutions and Bodies Regulation). In other words, more specific rules have been developed for situations involving processing of data for Europol. Accordingly, when it is clear to which actor (the Member State or Europol) unlawful data processing should be attributed, the regular rules on liability apply, in accordance with the domestic regime for Member State liability and in accordance with the action for damages concerning Europol’s liability (Article 50(1) Europol Regulation). However, when attribution is not clear, joint and several liability applies (recital 57 in juncto Article 50(2) Europol Regulation), leaving it to the Management Board to decide in case of conflict who bears the ultimate responsibility to provide compensation for the inflicted harm (Article 50(2) Europol Regulation).

 

Juxtaposing Joint Liability and Joint and Several Liability

 

This approach appears to give rise to procedural efficiency from the perspective of the Applicant and appears to relax the Bergaderm conditions for EU responsibility to arise. 

 

Choosing the Judicial Forum

 

The objective of the joint and several liability mechanism is to ensure that the Applicant’s rights are safeguarded. This means that unlike the system of joint EU-Member State responsibility, the domestic court will not necessarily be the primary forum to establish responsibility and the ensuing burden of reparations. Instead, the aggrieved individual could go through either the domestic legal system or the EU’s action for damages to have responsibility established. Upon conclusion of the legal procedures and once the Applicant has been awarded damages, these actors could subsequently settle any dispute on the duty to provide reparations in a subsequent procedure within the Management Board of Europol, the decision of which could also be subject to legal scrutiny under the annulment procedure. Under this mechanism, the Applicant enjoys a much lesser of a burden in choosing the appropriate judicial venue and is not constrained by which actor will be able to provide reparations. Instead, reparations (in case of responsibility) will be the default from the perspective of the Applicant.

 

Attribution and Causation Revisited

 

The system of joint and several liability suggests that as soon as a situation implicates both Europol and a Member State, and the questionable conduct cannot be definitely attributed to either entity, the requirement of attribution becomes obsolete, as the conduct will be considered attributable to both in full. Interestingly, by relaxing the requirement to establish attribution, the condition of causation will arguably also be relaxed. It is important to recall that while attribution links a particular line of conduct to an actor, causality links that actor to the damage. Relaxing the rules of attribution under the joint and several liability regime and doing away with the requirement to definitively attribute conduct to one or the other, ipso facto entails that the requirement of causality as it currently is being applied, can never be met. Causation under general EU liability law demands that there is an uninterrupted relationship between the unlawful conduct by a certain actor, giving rise to damage. Yet, in the absence of an obligation to attribute to either the Member State or the EU, the unlawful data processing will be considered attributable to both. If the unlawful conduct is considered attributable to both, it is then unclear how this impacts the causality requirement, which demands that the chain of causation linking the damage to the unlawful conduct by a particular actor, be uninterrupted by intervening acts.

 

Lingering Questions for the EU Courts

 

In light of the limited case law on EU (joint) responsibility generally, a number of questions remain unaddressed including by Advocate General Rantos either.

 

Attribution

 

A first small but pervasive question that demands further clarification concerns when Article 50 read in light of recital 57 of the Europol Regulation is triggered. The presumption appears to be that it is straightforward to distinguish between scenarios in which attribution can be definitively established, and situations in which it is unclear to which entity the unlawful data processing should be attributed. Yet, to date no clear standard of attribution can be definitely discerned under the general system of EU liability. In fact, practice by the EU institutions internally, in international relations, and across different EU policy fields, suggests that the rule of attribution differs significantly in a rather haphazard manner. This is complicated by the absence of a common legal forum to settle responsibility questions implicating the EU and Member States in unlawful data processing. The applied attribution rules under domestic regimes may very well differ from attribution rules under the EU’s liability regime for example, and to date, it is not clear which attribution rules should prevail, much less how this impacts whether Europol’s joint and several liability mechanism is triggered. Arguably, the absence of a coherent and clarified approach to attribution under EU law means that it will be easier for Applicants to trigger joint and several liability under the Europol Regulation. However, this remains to be seen, and is as always, dependent on the applicable burden, standard and method of proof required to show that it’s unclear to which actor the unlawful data processing should be attributed.

 

Joint and Several Liability Beyond Data Processing

 

The question of human rights liability for violations occurring at the hands of operational EU agencies has gained much traction in recent years. The current pending actions for damages against Frontex prompt the question whether a – CJEU clarified – system of joint and several liability may be a way forward. Anyone who has attended a conference or workshop involving Frontex representatives, has undoubtedly been confronted with the scripted answer to questions of human rights responsibility: ‘Frontex is not responsible for such actions – Frontex merely coordinates Member State actions’. Leaving aside the veracity of this response, it is undisputed the current regime of liability allocation has resulted in much blame shifting at the expense of individual rights. Conversely, the system of joint and several liability introduced by the Europol Regulation may very well be a way to circumvent this type of blame-shifting, safeguard the rights of the individual while ensuring that the burden of reparation is not circumvented by one at the expense of the other. A well-developed system of joint and several liability could thus fulfill both a remedial function – namely to protect the Applicants’ fundamental rights, as well as a deterrence function. By increasing the likelihood of legal responsibility through more relaxed rules on attribution and causation, EU institutions, bodies, offices and agencies may be disincentivized to resort to ‘many hands’ to circumvent responsibility claims in implementing their policies, or at least be incentivized to clarify their own rules on (human rights) responsibility allocation. Of course, I write this knowing full well that it is precisely these institutions that prefer to continue operating in the ‘many hands’ murkiness and that clarified rules on responsibility will receive political push-back and may disincentivize operational agencies from providing support in tackling transnational issues. Yet, once every so often, a unicorn-like development surfaces in the field of EU human rights responsibility, as evidenced by the joint and several liability mechanism in this case. Who knows – maybe this same unicorn will resurface in the EU’s responsibility acquis more generally? In any event, I await the CJEU’s perspective on this matter eagerly.  

Strengthening Europol’s Mandate: An Appraisal of the Commission’s Proposal to Amend Regulation (EU) 2016/784 (Europol Regulation)

 

Niovi Vavoula and Valsamis Mitsilegas, Queen Mary University

 

Introduction

 

The European Union Agency for Law Enforcement Cooperation (Europol), the legal basis of which is Regulation (EU) 2016/794 (Europol Regulation), has a key role in supporting EU Member States on cross-border police cooperation. Europol is described as the EU’s ‘criminal information hub’, as it facilitates information exchange between Member States, Europol, other EU bodies, international organisations and third countries, and produces criminal intelligence on the basis of information acquired from various sources, including Member States and its partners. Amongst its many tasks, Europol also supports and coordinates cooperation on cross-border police work and produces regular assessments that offer comprehensive, forward-looking analyses of crime and terrorism in the EU.

 

On 9 December 2020, the Commission presented a proposal for a Regulation amending the Europol Regulation, accompanied by a two-part Impact Assessment, aiming at enhancing the Agency’s mandate in numerous respects. From the outset, it must be emphasised that the timing of the proposal is dubious, as the Europol Regulation has not been subject to an evaluation yet and according to Article 68, such evaluation was due in May 2022. Instead, scarce information is included in the Impact Assessment accompanying the proposal and some EU documentation, which, however, cannot replace the lack of a proper evaluation. As a result, the effectiveness and impact of the agency cannot be fully and properly assessed.

The proposal encompasses widespread reforms to Europol’s tasks, which may be divided in nine themes, as follows:

 

(1) Enabling Europol to cooperate effectively with private parties;

(2) Enabling Europol to process large and complex datasets;

(3) Strengthening Europol’s role on research and innovation;

(4) Enabling Europol to enter data into the Schengen Information System (SIS);

(5) Strengthening Europol’s cooperation with third countries;

(6) Strengthening Europol’s cooperation with the European Public Prosecutor’s Office (EPPO);

(7) Enabling Europol to request the initiation of an investigation of a crime affecting a common interest covered by an EU policy;

(8) Strengthening the data protection framework applicable to Europol; and

(9) Other provisions, including enhancing political accountability and parliamentary scrutiny.

 

This blog post aims to provide a snapshot of the proposal and highlight key privacy and data protection concerns by looking in turn into the thematic blocks. It is based on a study commissioned by the LIBE Committee of the European Parliament published on 27th May 2021, which argues that the proposed Regulation, as it stands, will radically transform the nature and powers of Europol and its relationship with key stakeholders without introducing adequate safeguards.

 

Enabling Europol to cooperate effectively with private parties

 

A first set of revisions concerns the enhancement of cooperation between Europol and private parties in countering criminal offences committed in abuse of the cross-border services of private parties. Currently, Europol is allowed to exchange personal data with private parties, but Article 26 of the Europol Regulation provides a series of restrictions: the traditional way for the agency to receive personal data from private parties is indirectly via competent intermediaries and Europol is prohibited from transferring personal data directly to private parties, unless one of the three exceptions applies. The proposal aims to establish the agency as a central point of contact in cases of multi-jurisdictional or non-attributable datasets,. Europol will be enabled to: (a) receive personal data directly from private parties on a more regular basis; (b) inform such private parties of missing information; and (c) ask Member States to request private parties to share further information. Additionally, Europol will be able to provide its infrastructure for the exchange of data between national authorities and private parties and support Member States in preventing large scale dissemination of terrorist content or violent extremism, on which Regulation (EU) 2021/784 was recently published.

 

These changes constitute a considerable paradigm shift for the agency, which is line with the emergence of the trend in past years, exemplified by the e-evidence legislative package, to establish direct channels of communication between law enforcement and private parties and foster a public/private partnership. Questions about the ability of private parties to undertake the role of law enforcement authorities in scrutinising fully and effectively the fundamental rights implications of transfer of personal data held by them for the purposes of law enforcement emerge, as Europol will be enabled to forward requests on behalf of Member States and proactively request information. Private parties do not enjoy equality with public authorities in terms of cooperation and the same will also apply in the case of Europol.

 

Therefore, they may find themselves in a subordinate position, being ‘cornered’ by both Europol and Member States to hand over the personal data requested. Important safeguards, in particular obtaining prior judicial authorisation and scrutiny of compliance with fundamental rights, risk being bypassed. Applying this approach to the case of Europol requires detailed rules on the duties of Europol, Member States and the private sector, e.g. when the private parties may refuse to cooperate, as well as provisions on independent authorisation of transfers and remedies for individuals, which are missing from the proposal. Even the concept of ‘private parties’ is open-ended and there are no limitations as to their nature. Whereas certain safeguards are included, e.g. the requirement for ‘absolute’ or ‘strict’ necessity, there are additional safeguards that are mentioned in the Impact Assessment, but not explicitly stated in the proposal. It is further argued that the European Data Protection Supervisor (EDPS) could be involved before the agency makes such transfers. In addition, whereas the proposal proscribes systematic, massive or structural transfers in cases where the private party is outside the EU, this is not extended to those private parties within the EU. Finally, it must be ensured that Europol’s role in supporting Member States to prevent the dissemination of online content related to terrorism and violent extremism conforms with the Europol’s role as foreseen in Regulation (EU) 2021/784 on preventing the dissemination of terrorist content online.

 

(2) Enabling Europol to process large and complex datasets

 

This reform aims to address the so-called ‘big data challenge’ following the admonishment of the agency by the EDPS on 17 September 2020. The proposal aims to enable Europol to conduct ‘pre-analyses’ of large and complex datasets received and identify whether these concern individuals whose personal data may be processed by Europol in line with Annex II of the Europol Regulation. Another proposed provision aims to enable the pre-analysis in support of a criminal investigation following transmission of an investigative case file to Europol.

 

Overall, it is welcome that the prior processing is limited to a maximum period of one year, which can be extended following authorisation by the EDPS. One suggestion is to define the terms ‘large datasets’ and ‘digital forensics’ and explicitly delimit processing when there is an objective necessity, which is not mentioned, so as to ensure that the derogation of Article 18(5a) does not become the rule. Clear criteria to determine that it is justified to extend the maximum period of pre-analysis must be laid down and it could be useful to consider that prior to each pre-analysis the EDPS must be at least informed and that the Europol Data Protection Officer must provide authorisation. The relationship between the new rules and the existing derogation under Article 18(6) of the Europol Regulation must also be clarified, as well as the relationship between the two new provisions foreseen. As these rules constitute an exception, their application must be strict and the existence of a link to an on-going investigation is crucial. In addition, the Regulation should lay down certain conditions and/or thresholds, such as scale, complexity, type or importance of investigations. Finally, the involvement of the EDPS not only in cases where an investigative case file is submitted by a third country, but in general in supervising the processing of large and complex datasets should be maintained and enhanced.

 

(3) Strengthening Europol’s role on research and innovation

 

The proposal foresees a greater role for Europol as regards processing of personal data for research and innovation matters for the development of tools, including the use of AI for law enforcement. One must be mindful though that when developing new technologies extensive processing of large quantities of personal data may be required, for example to create and test algorithms or for encryption. Therefore, the potential impact of such processing for research and innovation purposes to the principle of non-discrimination and the rights to respect for private life and protection of personal data must be guaranteed. The processing of personal data for research and innovation should take place only if needed in order to reach the objectives of the project. Furthermore, the processing of synthetic, anonymised or pseudo-anonymised personal data, as opposed to real operational data must be preferred, where possible, and the processing of special categories of personal data must be explicitly excluded or accompanied by additional safeguards. Moreover, principles of data protection law—in particular the principles of data minimisation, data quality and privacy by design and by default—must be taken into account.

 

(4) Enabling Europol to enter data into the Schengen Information System (SIS)

 

One of the thorniest aspects of the Europol reform concerns the possibility of enabling the agency to enter alerts into SIS. Currently, Europol has ‘read-only’ access to all types of alerts stored in SIS, both immigration and law enforcement related. The proposal creates a new alert category that Europol can use to enter alerts into SIS following consultation with the Member States and after authorisation by its Executive Director. A detailed process for the issuance of so-called ‘information alerts’ is foreseen in a separate proposal amending Regulation (EU) 2018/1862.

 

However, whether this power, which to an extent equates Europol with Member States, fits within Europol’s mandate, as laid down in Article 88 TFEU, is doubtful.  It is also questionable whether Europol will be able to conduct a proper quality check before issuing alerts into SIS. Importantly, the operational value of such alerts is also questionable, as the alerts will provide significant discretion to national authorities to follow up and wide divergences may arise in practice. The impact on individuals whose personal data will be inserted in SIS is significant and potential liability issues may also arise if the quality of data contained in the alert is not high. In light of the concerns voiced by a number of Member States within the Council, the Portuguese Presidency proposed an alternative to delimit these alerts to those concerning terrorism. However, it is feared that merely opening up Europol to SIS will become the gateway through which in the future Europol may acquire further powers to enter other types of alerts into the system (e.g. on missing persons).

 

(5) Strengthening Europol’s cooperation with third countries

 

Another important reform of the proposal concerns cooperation with third countries. Under the current legal framework, as laid down in Article 25(1) of the Europol Regulation, the agency may receive personal data from third countries based on: a) adequacy decisions under Directive (EU) 2016/680; b) international agreements under the current Regulation concluded in accordance with Article 218 TFEU; and c) cooperation agreements concluded between Europol and third countries under the previous Europol Council Decision (for the agreements, see here). Finally, the Executive Director can authorise the transfer of personal data to third countries and international organisations on a case-by-case basis for certain exceptional––but arguably broadly worded––reasons. With no adequacy decisions adopted and the negotiations for eight international agreements stalled, the calls for a less cumbersome regime for the exchange of personal data with third countries have proliferated. To that end, the proposal foresees a (seemingly minor) change enabling the Executive Director to authorise not only transfers, but also categories of transfers of personal data to third countries or international organisations in specific situations and on a case-by-case basis. However, it is not clear what exactly is meant by ‘categories of transfers’ and this reform may broaden the remit of such transfers from criminal investigations on specific suspects to surveillance activities in general, thus changing Europol’s powers.

 

That said, within the Council Member States have expressed their wish to further expand Europol’s capabilities to exchange personal data with third countries by transplanting the wording of Directive (EU) 2016/680 (Law Enforcement Directive) and Regulation (EU) 2018/1727 (Eurojust Regulation) to the Europol legal framework, and creating a new legal ground for exchanges of personal data on the basis of appropriate safeguards outside the three already prescribed grounds. This reform poses significant legal challenges as it bypasses existing institutional safeguards and undermines the importance of an adequacy decision, the procedure for assessing the data protection framework of a third country as adequate in violation of the constitutional limits placed by the Court of Justice of the EU (CJEU) in Schrems, as well as the institutional framework for adopting international agreements. The possibility of using bilateral agreements as the legal basis for such exchanges may result in divergences and different standards applied.

 

(6) Strengthening Europol’s cooperation with the European Public Prosecutor’s Office (EPPO)

 

This reform concerns the reinforcement of Europol’s cooperation with the EPPO in the aftermath of the adoption of Regulation (EU) 2017/1939 (EPPO Regulation) on the establishment of the EPPO. However, the proposal is not fully aligned with the rules of the EPPO Regulation and minor modifications to the text are necessary.

 

(7) Enabling Europol to request the initiation of an investigation of a crime affecting a common interest covered by an EU policy

 

The proposal aims to enable Europol to request competent authorities of a Member State to initiate, conduct or coordinate an investigation of a crime which affects a common interest covered by an EU policy regardless of the cross-border nature of the crime, for example in high profile sensitive cases such as the murder of Daphne Caruana Galizia in Malta. However, the necessity of this reform has not been substantiated and effectively removes control from judicial authorities over the opening of their investigations in cases affecting one Member State only.

 

(8) Strengthening the data protection framework applicable to Europol

 

A positive development of the proposal is the enhancement of Europol’s data protection framework by extending the reach of Article 3 and Chapter IX of Regulation (EU) 2018/1725 concerning the data protection framework applicable to the processing of personal data by EU institutions, bodies and agencies, to the work of Europol and explicitly adding biometric data within special categories of personal data, which was not the case. Whereas this is a welcomed reform, further alignment is necessary, not least because the EDPS’s general powers are still not aligned with the prescriptions of Article 58 of Regulation (EU) 2018/1725.

 

(9) Other provisions, including enhancing political accountability and parliamentary scrutiny

 

In addition to other minor reforms further expanding and clarifying Europol’s tasks, the proposal aims to enhance political accountability and parliamentary scrutiny by enabling the Joint Parliamentary Scrutiny Group (JPSG) to receive information regarding the matters falling under themes (1)-(4), as discussed above. Whereas this is a welcome development the proposal is a missed opportunity to further enhance political accountability and parliamentary scrutiny. Despite the establishment of the JPSG and the proposed amendments, parliamentary scrutiny and oversight remain weak. Shortcomings concern the structure and work of the JPSG, including the weak powers of the Group in the participation to and appointment of Europol’s Management Board. With the addition of new tasks to Europol, the need to ensure a better framework for parliamentary oversight and political scrutiny must be emphasised and therefore there is significant scope for improving the proposal in that respect.

 

Concluding remarks

 

The analysis above aimed to highlight that the proposal entails widespread reforms to Europol’s mandate, which transform the nature of the agency and its relationship with the Member States. The large majority of these reforms that enhance the data processing capacities of the agency have been met positively by the Council, which refined some provisions when it agreed its position on the proposal in June 2021. This massive expansion of Europol’s powers is explained; Europol’s ability to bring about results is tightly related to Member States’ input and participation and research shows the reluctance of national authorities that were, and are, sometimes not very keen to share their data with the agency. As a result, the proposal wishes to bypass such reluctance, by enabling the agency to directly ‘deal the cards’ and centralise information processing. At the same time, certain operational reforms, particularly the SIS-related ones, have been met with greater scepticism, albeit without an outright dismissal. At the time of writing, the Council is still scrutinising the proposal but a significant amount of work has already been conducted. It remains to be seen whether the Parliament will success in adding further safeguards to circumscribe these additional powers and enhance its own role.

 

Barnard & Peers: chapter 25

Photo credit: OSeveno, via Wikimedia Commons

 

EU Migration Agencies: the Operation and Cooperation of Frontex, EASO and Europol

 

 

Dr. David Fernández-Rojo, Universidad de Deusto - davidfrojo@deusto.es

 

The so-called “refugee crisis” revealed the urge to ensure the functioning of the Schengen area and the Common European Asylum System (CEAS), the desire to operationally assist those Member States most affected by the sudden and extraordinary arrival of mixed migratory flows, and the need to implement effectively and uniformly the EU measures adopted in regard to migration, asylum and border management matters. Against this background, the decentralized EU Agencies, Frontex, EASO and Europol, have emerged as key actors, not only in providing emergency operational assistance to the frontline Member States, but also in implementing the hotspot approach. The expansion of the operational role, multilateral cooperation, presence on the ground and institutional significance within the Area of Freedom, Security and Justice (AFSJ) of Frontex, EASO and Europol, is now unquestionable.

 

Hence, my book entitled “EU Migration Agencies: The Operation and Cooperation of Frontex, EASO and Europol”, published by Edward Elgar Publishing, comparatively analyzes the evolution of the operational tasks and cooperation of Frontex, EASO and Europol. Special attention is paid to the expansion of the legal mandates of these AFSJ agencies, the reinforcement of the activities they undertake in practice on the ground and to what extent a gap exists between these two dimensions.

 

The evolution of the operational tasks of Frontex, EASO and Europol is analyzed and two trends are highlighted. Firstly, while the Regulations of these AFSJ agencies continue to stress that their operational role is limited to providing the competent national authorities with the technical assistance they may require, the tasks of Frontex, EASO, and to a more limited extent, Europol, have an operational nature on the ground. Secondly, Frontex, EASO and Europol are increasingly involved in guaranteeing the effective and uniform implementation of EU migration, asylum and border management measures, as well as ensuring that the concerned Member States do not jeopardize the functioning of the Schengen area or the CEAS. These two emerging trends are discussed in turn.

 

In this book I point out that Frontex, EASO and Europol closely accompany the frontline Member States in the implementation of EU migration, border management and asylum policies. These agencies focus on operationally supporting the competent border, asylum and law enforcement national authorities in effectively implementing EU law. The expansion of EU competences in AFSJ matters has gone hand-in-hand with the reinforcement of their administration, which no longer falls exclusively on the Member States, but rather, on a conundrum of diverse actors, among which Frontex, EASO and Europol play a prominent operational role.

 

The growing integration that the AFSJ is experiencing has led to a Europeanization of its administration. It is necessary to ensure a uniform and effective implementation of EU border management, asylum and migration laws. The long-standing notion of administrative and implementation power in AFSJ matters is therefore progressively shifting. The deepening of the operational powers and cooperation of Frontex, EASO and Europol is eroding the exclusive procedural autonomy that Member States previously enjoyed, when implementing EU law. These AFSJ agencies increasingly steer and shape the effective and uniform implementation of EU migration, asylum and border management laws and policies at the national level.

 

Furthermore, the extent of the operational functions of Frontex, EASO and Europol may theoretically range from merely coordinating and providing technical assistance to the Member States, to developing full-fledged enforcement and coercive powers. Since Frontex, EASO and Europol do not have independent executive competences, their tasks can no longer be described as merely technical or supportive. Despite the lack of transparency and the vague legal provisions regulating the activities that Frontex, EASO and Europol undertake in practice on the ground, their tasks do have an operational nature. The issue is that the legal frameworks of Frontex, EASO and Europol lag behind the real operational powers that these agencies exercise on the ground, which creates legal uncertainty.

 

The reinforcement of the legal mandates and inter-agency operational cooperation of Frontex, EASO and Europol thus reveal a trend, under which these AFSJ agencies are mandated to increasingly develop operational and implementation activities. The operational and implementation role of Frontex, EASO and Europol has followed a constant and linear progression since their respective establishment. While Europol, due to its still markedly intergovernmental nature, is starting to operationally assist the national law enforcement authorities in their national investigations about illegal migrant smuggling, Frontex and EASO already conduct significant operational tasks on the ground and ensure the implementation of the adopted European Union measures at the national level. Whereas the current tasks already represent an erosion of the operational powers and implementation prerogatives of the Member States, none of these AFSJ agencies have been bestowed centralized, fully autonomous operational and enforcement powers on the ground.

 

The reinforcement of the operational tasks and implementation role of Frontex, EASO and Europol is not in itself an issue. What is problematic is the broad formulation of these AFSJ agencies’ legal bases and the lack of transparency surrounding their operational activities and cooperation, rendering the task of determining the degree of discretion they enjoy difficult. The key challenge involves determining the degree of discretion that Frontex, EASO and Europol enjoy and whether the institutional balance in the EU is respected. In this light, and despite the fact that Frontex, EASO and Europol have not been vested with strictly delegated powers, this book followed the CJEU’s non-delegation doctrine as useful guidance to analyze the legality of these AFSJ agencies’ operational functions under EU constitutional law.

 

The CJEU, in its Short-Selling judgment (discussed here), updated and relaxed its initial Meroni doctrine, by no longer confining delegation to clearly defined executive powers, but rather to powers precisely delineated and amenable to judicial review in the light of the objectives established by the delegating authority.

Unlike in the case of Short-Selling, the operational powers of Frontex, EASO and Europol are neither circumscribed by well-detailed conditions that limit their discretion, nor clearly detailed in a legal framework or their Regulations. These AFSJ agencies’ operational tasks are not restricted to merely providing technical support to the frontline Member States, but rather, they develop expanding cross-agency operational cooperation and activities on the ground. These agencies’ tasks entail the exercise of discretional prerogatives that are not narrowly delineated or clearly conditioned in any national or EU legal instrument. For instance, Frontex and EASO played a strong recommendatory role in the hotspots, which in principle, is compatible with the non-delegation doctrine, since the concerned Member States are not bound by Frontex and EASO’s recommendations.

 

Nonetheless, the national authorities, subject to extraordinary migratory pressure, may decide to rubber-stamp the recommendations put forward by the agencies. Frontex’s influence over the Greek officials in determining the nationality of the arriving migrants, Europol’s advice and operational support to the national enforcement authorities to dismantle migrant smuggling networks, and EASO’s admissibility assessment of the asylum applications or the detection of vulnerable applicants encompass in practice discretional and political choices. In these cases, the responsibilities of the agencies are blurred, since the national authorities adopt a final decision based on the assessment of the agencies.

 

Although fully autonomous enforcement and coercive powers are not possible under the current Treaties and would breach the non-delegation doctrine, the ambiguity and lack of transparency surrounding the operational tasks that Frontex, EASO and Europol undertake on the ground challenge the determination of their discretion and whether they actually make policy choices. In the author’s view, the main limitation and control of Frontex, EASO and Europol’s distinctive operational and implementation role comes from the Member States. While it is true that Frontex, EASO and Europol assist the Member States in matters closely linked to their national sovereignty prerogatives, the competent national authorities that vote at the management boards tightly control their recently reinforced operational, implementation and supervisory functions. Only two representatives of the European Commission have voting rights in Frontex and EASO’s management boards and this figure falls to just one representative in the case of Europol. The presence of the European Parliament in Frontex, EASO and Europol’s management boards is non-existent. Member States also exert their influence over the appointment and supervision of the executive directors, who lead the governance, management and daily administration of Frontex, EASO and Europol.

 

Member States’ reluctance to fully abandon their well-established bilateral practices, share information and operationally cooperate with Frontex, EASO and Europol in core national sovereign matters, like border management, asylum or migration, is especially reflected in these AFSJ agencies’ management boards. The Member States will thus maintain control of the strategic decisions and the daily management of Frontex, EASO and Europol. While centralizing on the executive, decisional and enforcement powers of Frontex, EASO and Europol will ensure a fully effective and harmonized implementation, it is important to bear in mind that these agencies represent an institutional trade-off or a common ground between intergovernmentalism and communitarization in the AFSJ. That is, Member States do not wish to relinquish further sensitive competences to the EU Institutions; but at the same time, they increasingly need supranational operational assistance regarding matters that can only be effectively managed in an integrated manner at the EU level. For this reason, whereas Europol, Frontex and EASO have been conferred upon significant operational tasks, none of these agencies are vested with full decisional, enforcement or coercive powers, which remain as an exclusive competence of the competent national authorities.

 

Hence, this book makes four main contributions. First, it maps Frontex, EASO and Europol as EU decentralized agencies, which are clearly distinguished by their operational powers and by the possibility to directly assist the competent national authorities on the ground. In particular, the establishment and early operational functions conferred on Frontex, EASO and Europol are studied. Second, it comparatively analyzes the reinforcement of the operational tasks vested on Frontex, EASO and Europol, as well as the extent of their assistance on the ground and influence on the implementation prerogatives of the national authorities in the aftermath of the “refugee crisis”. Third, it explores the bilateral and multilateral inter-agency cooperation between Frontex, EASO and Europol. Specifically, the expanded multilateral and operational cooperation that takes place in the hotspots is studied. Fourth, the limitations to the reinforced operational activities and cooperation of Frontex, EASO and Europol is analyzed. The constitutionality and legal bases of these AFSJ agencies, as well as the degree of discretion that they enjoy according to the Court of Justice of the European Union (CJEU) non-delegation doctrine, is examined. The internal administrative organization and governance of Frontex, EASO and Europol is also studied as to determine the influence and real control that the Member States and civil society may exert over the increasing operational powers these AFSJ agencies have been conferred.

 

Barnard & Peers: chapter 26

JHA4: chapter II:4

Photo credit: Rock Cohen, via wikimedia commons

Denmark and EU Justice and Home Affairs Law: Details of the planned referendum

 

 

Steve Peers

Danish participation in cross-border criminal law measures is symbolised by 'The Bridge', the 'Nordic Noir' series about cross-border cooperation in criminal matters between Denmark and Sweden. But due to the changes in EU law in this field, that cooperation might soon be jeopardised. As a result, in the near future, Denmark will in principle be voting on whether to replace the current nearly complete opt-out on EU Justice and Home Affairs (JHA) law with a partial, selective opt-out. I have previously blogged on the implications of this plan in general terms, but it’s now clear exactly what this vote will be about.

First of all, a short recap of the overall framework (for more detail, see that previous blog post). Back in 1992, Denmark obtained an opt-out from the single currency, defence and aspects of JHA law (it’s widely believed that it also obtained an opt-out from EU citizenship, but this is a ‘Euromyth’). These opt-outs were formalised in the form of a Protocol attached to the EU Treaties as part of the Treaty of Amsterdam. The JHA opt-out was then amended by the Treaty of Lisbon.

At present, Denmark participates in: the EU policing and criminal law measures adopted before the entry into force of the Treaty of Lisbon; measures relating to the Schengen border control system (as  matter of international law, not EU law); the EU rules on visa lists (as a matter of EU law); and the EU’s Dublin rules on allocation of asylum applications, ‘Brussels’ rules on civil jurisdiction and legislation on service of documents (in the form of treaties with the EU). In contrast, Denmark does not – and cannot – participate in other EU rules on immigration and asylum law or cross-border civil law, or policing and criminal law rules adopted since the entry into force of the Treaty of Lisbon.

The Protocol on Denmark’s legal position either allows it to repeal its JHA opt-out entirely, or selectively. If it chooses to repeal the opt-out selectively, it would then be able to opt in to JHA measures on a case-by-case basis, like the UK and Ireland, although (unlike those states) it would remain fully bound by the Schengen rules. Indeed, those rules will then apply as a matter of EU law in Denmark, not as a matter of international law.

In practice, while Danish governments have promised for a while to hold a referendum on the JHA opt-out, the concrete plans to hold one in the near future were triggered in light of the planned EU legislation to replace the current rules establishing Europol, the EU police agency, with new legislation (on that proposal, see here).  This led to an agreement between the government parties and several opposition parties (excluding the far-right Danish Peoples’ Party) known as the ‘Agreement on Denmark in Europol’ (for the text, see here). This agreement states that the referendum will take place after the next general election (which must be held by September 2015), and no later than 31 March 2016. The ‘main reason’ for the referendum is to allow Denmark to opt in to the new Europol rules, but the parties also agreed to study whether Denmark should opt in to other EU civil, criminal and policing laws which currently don’t apply. However, the parties agreed that Denmark should not opt in to any EU immigration or asylum law (besides Schengen, which already applies).

This analysis has now been completed (see the text in Danish here), and the parties have agreed that Denmark would apply to opt in to 22 EU laws if the referendum is successful. Conversely, they have agreed not to opt in to 10 other EU laws.

As regards civil cooperation, the parties have agreed to opt in to large majority of EU measures, as regards: insolvency; payment orders; small claims; the European enforcement order; mediation; the Rome Regulation (on conflicts of law concerning contract); the Rome II Regulation (on conflicts of law concerning non-contractual liability); external relations; protection orders; inheritance; maintenance proceedings; parental responsibility; and account preservation orders. It should be noted that changes to the insolvency proceedings regulation are about to be formally adopted, and changes to the small claims rules will likely be agreed later this year; presumably the agreement also entails opt-ins to the existing legislation as amended.

In contrast, the parties agreed not to opt in to legislation on legal aid in cross-border proceedings, or to the Rome III Regulation on conflicts of law in divorce cases. Nor have they agreed yet on whether to opt in to the pending proposals relating to jurisdiction and choice of law over marital property, and the property of civil partnerships, in the event of relationship breakdown. In general, the recent agreement states that decisions to opt in to measures which have not yet been adopted depend on a future consensus of the relevant parties, or endorsement in a general election.

As for policing and criminal law, the parties agree to opt in to all measures concerning substantive criminal law and most measures concerning EU agencies and mutual recognition. In particular, they agree to opt into seven Directives, regarding: the European Investigation Order; protection orders; trafficking in persons; sexual abuse of children; cyber-crime; market abuse; and counterfeiting the euro. Conversely, they rule out opting in to the legislation on crime victims’ rights, the three Directives on suspects’ rights (concerning interpretation and translation, access to a lawyer and the right to information) and the rules on confiscation of criminal assets. They also rule out opting in to the legislation on EU funding in JHA matters.

They have partly agreed on future measures in this field, agreeing to opt in to the Regulations now under discussion on Europol and Eurojust (the EU prosecutors’ agency) and the Directive on passenger name records, but to opt out of the legislation establishing the European Public Prosecutor. The Commission has also proposed legislation on the European Police College, fraud against EU funds and drug trafficking, along with three more suspects’ rights measures (concerning childrens’ rights, the presumption of innocence and legal aid). Decisions on those measures will again depend upon on a future consensus of the relevant parties, or endorsement in a general election.

The parties’ clarification of their intentions provides useful certainty for the Danish public when it has the opportunity to vote on these issues. In general, in criminal matters Denmark would be participating in the EU measures assisting the prosecution, without any counterbalance by means of recent legislation regarding the rights of victims or suspects. Similarly it would still be participating in the Schengen rules on external border controls and the abolition of internal border checks, without any of the accompanying harmonisation of immigration and asylum law that applies to other Schengen States which are EU members. On the whole, Denmark would also be participating in more JHA legislation than the UK and Ireland – not just as regards full participation in Schengen (as is already the case), but also as regards the EU legislation on inheritance, account preservation, investigation orders, market abuse, currency counterfeiting and Eurojust, all of which one or both of the UK and Ireland have opted out of. On the other hand, the UK and Ireland have opted in to the EU legislation on crime victims’ rights, some of the legislation on suspects’ rights and the first phase of EU asylum law. Given that Ireland participates in the single currency, a Danish 'yes' to selective participation in JHA law would cement the UK's position as the chief non-participant in EU laws which bind most other Member States.

 

Barnard & Peers: chapter 26

Childhood’s End: EU criminal law in 2014

 

Steve Peers

With the elections to the European Parliament, the installation of a new European Commission, and a number of important legislative and case-law developments, 2014 was an important year for the European Union. This is the first in a series of blog posts reviewing the year in selected fields of EU law.  

The most significant change to EU criminal law came on December 1^, when the five-year transitional period relating to EU criminal law measures adopted before the entry into force of the Lisbon Treaty (‘pre-Lisbon EU criminal law measures’, also known in practice as the ‘third pillar’) came to an end. From this date on, pre-Lisbon EU criminal law measures are subject to the normal rules of EU law (except that they maintain their previous limited legal effect, in particular the lack of direct effect). More specifically, this change (discussed generally here) has three main impacts.

Firstly, the UK was entitled to opt out of all pre-Lisbon EU criminal law measures, and then apply to opt back in to some of them again. The UK indeed exercised these possibilities, opting back in to 35 such measures as of 1 December 2014 (see discussion of the details here), following an unnecessarily convoluted process in the House of Commons (discussed here). In a nutshell, since the UK has opted back into a large majority of the pre-Lisbon measures which have any significant importance, the whole process has had barely reduced the UK’s actual degree of participation in EU criminal law.

Secondly, the end of the transitional period means that the EU Commission can now bring infringement actions against Member States that failed to correctly implement pre-Lisbon EU criminal law measures - or that failed to implement such measures at all. The relevance of this is obvious in light of the Commission reports issued this year, regarding: legislation on the transfer of prisoners, probation and parole and supervision orders (discussed here); hate crime and Holocaust denial (discussed here); and conflicts of jurisdiction and the recognition of prior convictions (discussed here).  

Thirdly, all courts in all Member States can now send references to the CJEU on the interpretation pre-Lisbon EU criminal law. For the EU as a whole, the impact of this change will probably be limited in practice, because (a) two-thirds of Member States allowed such references anyway, and (b) there were no such limits regarding EU criminal law adopted after the entry into force of the Lisbon Treaty. On the former point, the CJEU decided two cases this spring on the EU’s double jeopardy rules (discussed here), in which it finally developed the relationship between those rules and the double jeopardy provisions of the ECHR and the EU Charter of Fundamental Rights. A final reference to the CJEU on the basis of the old rules, sent just a month before the end of the transitional period (Kossowski), now asks the Court to clarify whether Member States’ derogations from the Schengen rules violate the EU Charter.

On the second point, the first reference from national courts on post-Lisbon EU criminal law was referred this year: the Covaci case, on the Directive on interpretation and translation in criminal law proceedings and the Directive on the ‘letter of rights’. So far, there is no sign of the predicted avalanche of cases on EU suspects’ rights legislation (the deadline to apply the letter of rights Directive passed in June). Of course, there could still be an increase of such cases in future, perhaps after the 2016 deadline to apply the third suspects’ rights Directive (on access to a lawyer). And in the meantime, Member States must apply the victims’ rights Directive towards the end of 2015. Hopefully the CJEU’s case law on that measure will be more convincing than its ruling earlier this year (criticised here) on the scope of the Directive on compensation for crime victims.

Another important CJEU judgment in the criminal law field this year (discussed here) ruled that policing information measure actually fell within the scope of EU transport law. The immediate impact of this judgment was a rush to adopt replacement legislation (the text of which is already agreed), which will apply to all Member States (the UK, Ireland and Denmark had opted out of the prior measure). More broadly, the judgment shows that the CJEU is not inclined to interpret the EU’s criminal law powers broadly – at least as compared to the EU’s other powers.

The end of the transitional period did not lead to a general review of pre-Lisbon EU criminal law measures, with the Commission proposing only a very limited repeal of some obsolete measures (I’ll blog on these proposals in the new year). In particular, the new Justice Commissioner appears to have no significant agenda to suggest criminal law proposals, whether to amend prior measures or to adopt new ones (for an argument as to what the Commission should do, see here).

However, some of the pre-Lisbon criminal law measures have been amended or replaced, or will be amended or replaced by proposed legislation now under discussion. In particular, during 2014, the EU adopted legislation concerning: the European Investigation Order (discussed here); the counterfeiting of the euro (discussed here); the confiscation of criminal assets; and the European Police College (moving its seat from the UK to Hungary). The EU also adopted legislation on criminal sanctions for market abuse (discussed here).

There are also proposals under discussion to replace pre-Lisbon EU criminal law measures concerning: fraud against the EU (see the state of play here); the police agency, Europol (see discussion of negotiations here); the prosecutors’ agency, Eurojust (there was a partial agreement on this proposal); and data protection in criminal law cases (see the state of play here). The latter issue is increasingly important, as indicated by the related CJEU judgment invalidating the data retention directive (discussed here), which gave rise to questions as to whether Member States could adopt or retain their own data retention laws (on this point, see generally here, and here as regards the UK in particular).

In fact, the CJEU will soon be ruling on data protection and criminal law issues as such, since the European Parliament has asked it to rule on the validity of the EU/Canada draft treaty on passenger name records (see discussion here). The pending Europe v Facebook case (discussed here) raises questions about the impact of the Snowden revelations upon the EU and US arrangements on data protection. In the meantime, the proposed Directive on passenger name records still remains on ice (having been put there by the European Parliament), with EU leaders’ attempt to set a deadline to adopt this proposal by the end of 2014 proving futile.

 

Other proposals are also under discussion: a more general overhaul of the European Police College; the creation of a European Public Prosecutors’ Office (see the state of play here); and the adoption of three more suspects’ rights measures, concerning child suspects (agreed by the Council), presumption of innocence (also agreed by the Council) and legal aid (see the state of play here). However, the Commission’s proposal for new rules relating to the EU’s anti-fraud body, OLAF, soon melted in the heat of Council opposition. 

 

Conclusion

Taken as a whole, the year 2014 showed how the European Parliament, the CJEU and the Commission are already playing a significant role in the development of EU criminal law. Following the final demise of the third pillar, the year 2015 is likely to see further important developments in this area, which will make the pre-Lisbon measures even less important: the adoption of new legislation on Europol, the European Police College and possibly Eurojust, as well as revised legislation on fraud against the EU budget. There will likely be two or three further Directives on suspects’ rights and the victims’ rights Directive will begin to apply. The rules on the new European Public Prosecutors’ Office might also be agreed, and there could be significant developments in the area of data protection. Overall, the longer-term trends toward greater parliamentary and judicial control and greater focus on individual rights in this area accelerated significantly in 2014 and could well do so again next year.

 

Barnard & Peers: chapter 25