When is Mass Surveillance Justified? The CJEU Clarifies the Law in Privacy International and Other Cases

Photo by Matthew Henry

Lorna Woods, Professor of Internet Law, University of Essex

Background

This case concerns the collection of bulk communications data (BCD) from network operators by the security and intelligence agencies (SIAs).  It formed part of an action brought by Privacy International challenging the SIAs’ acquisition, use, retention, disclosure, storage and deletion of bulk personal datasets (BPDs) and BCD which started in 2015 before the Investigatory Powers Tribunal (IPT). Privacy International’s claim is based on its understanding of the safeguards required by the Court of Justice in Tele2/Watson – a 2016 CJEU judgment on UK data retention law, discussed here.

In Tele2/Watson the Court of Justice held that any data retention obligation must be targeted and limited to what is strictly necessary in terms of the persons affected, the sorts of data retained and the length of retention.  It also suggested that access to retained data should be subject to prior review by an independent body and that parties affected should be informed of the processing (unless this would compromise the investigations); and that the data should be retained within the EU.  The authorities must take steps to protect against misuse of data and any unlawful access to them.  Privacy International argued that the safeguards provided by British law are insufficient. The British government claimed that the SIAs’ activities fell outside the scope of EU law and that the rules were compliant with Article 8 ECHR. It argued that providing the safeguards as required by Tele2/Watson would undermine the ability of the SIAs. The IPT referred two questions – but only in relation to BCD not BPD – to the Court of Justice.  This was the basis for the Court’s judgment handed down yesterday.

Questions in Issue

The two questions referred were:

  • whether the activities of the SIAs fall within the scope of EU law bearing in mind Art 4 TEU and Art 1(3) of Directive 2002/58 (ePrivacy Directive);
  • if the answer is that the situation falls within EU law, do any of the “Watson Requirements” (as above) (or any other requirements) apply?

The Court of Justice decided to deal with this case with two other cases that had been referred to it: Joined cases C-511/18 and C-512/18 La Quadrature du Net & Ors and Case C-520/18 Ordre des barreaux francophones et germanphone & Ors, which were also the subject of a separate judgment yesterday. The cases also dealt with the bulk collection of communications data but in addition the court in La Quadrature du Net also asked whether real-time measures for the collection of the traffic and location data of specified individuals, which, whilst affecting the rights and obligations of the providers of an electronic communications service, do not however require them to comply with a specific obligation to retain their data are permissible. It also asked whether the Charter required persons concerned by surveillance to be informed once such information is no longer liable to jeopardise the investigations being undertaken by the competent authorities, or may other existing procedural guarantees which ensure that there is a right to a remedy suffice?   Ordre des barreaux francophones et germanphone & Ors raised the question of whether a general obligation might be justified to identify perpetrators of secual abuse of minors. If national law has not usfficiently guaranteed human rights may the effects of that law be temporarily retained in the interests of certainty and to achieve the objectives set down in the law.

The Advocate General handed down separate opinions on each of the cases (see herehere and here) but all on the same day (15 January 2020) to similar effect, that:

  • the e-privacy directive (and EU law in general) applies in this situation because of the required co-operation of private parties;
  • limitations on the obligation to guarantee the confidentiality of communications must be interpreted narrowly and with regard to the rights in the EU Charter on Fundamental Rights;
  • the case law in Tele2/Watson (summarised above) should be upheld: general and indiscriminate retention of traffic and location data of all subscribers is an interference with the fundamental rights enshrined in the Charter but real-time collection of traffic and location data of individuals suspected of being connected to a specific terrorist threat could be permissible provided it down not impose a requirement on communications service providers to retain additional data beyond that which is required for billing/marketing purposes; and that the use of such data for purposes less serious than the fight against terrorism and serious crime was incompatible with EU law.

Note that there are two more cases pending Case C-746/18 H.K. v Prokurator (Opinion handed down by AG Pitruzzella 21 Jan 2020) as well as references from Germany from 2019 and Ireland from 2020. 

Summary of Judgment

Privacy International

In its Grand Chamber judgment, the Court confirmed that requirements on communications service providers to retain data fell within the scope of EU law and specifically the e-Privacy Directive. The Court argued that the exclusion in Article 1(3) e-Privacy Directive related to “activities of the State or of State authorities and are unrelated to fields in which individuals are active” (para 35, citing Case C-207/16 Ministerio Fiscal, discussed here, para 32), whereas Art 3 makes clear that it regulates the activities of communications service providers. As held in Ministerio Fiscal, the scope of that directive extends not only to a legislative measure that requires providers of electronic communications services to retain traffic data and location data, but also to a legislative measure requiring them to grant the competent national authorities access to that data.

The legislative measures, permissible as a derogation under Article 15, “necessarily involve the processing, by those providers, of the data and cannot, to the extent that they regulate the activities of those providers, be regarded as activities characteristic of States” (para 39). given the breadth of the meaning of ‘processing’ under the GDPR, the directions made under s 94 Telecommunications Act fall within the scope of the ePrivacy Directive. The Court re-affirmed (para 43) the approach of its Advocate General in this case (and in La Quadrature du Net) that ‘activities’ in the sense of Art 1(3) cannot be interpreted as covering legislative measures under the derogation provision; to hold otherwise would deprive article 15 of any effect (following reasoning in Tele2/Watson) and Article 4(2) TEU does not disturb that conclusion (despite the Court’s reasoning in the first PNR case (Cases C-317/04 and C-318/04, paras 56 to 59). For the e-Privacy Directive (by contrast to the former Data Protection Directive in issue in the PNR case), what is important is who does the processing; it is the communications providers. The Court took the opportunity to confirm that the GDPR should not be interpreted the same way as the Data Protection Directive but in parallel with the e-Privacy Directive.

As regards the second question, the Court re-stated the scope of s. 94 orders thus:

That data includes traffic data and location data, as well as information relating to the services used, pursuant to section 21(4) and (6) of the RIPA. That provision covers, inter alia, the data necessary to (i) identify the source and destination of a communication, (ii) determine the date, time, length and type of communication, (iii) identify the hardware used, and (iv) locate the terminal equipment and the communications. That data includes, inter alia, the name and address of the user, the telephone number of the person making the call and the number called by that person, the IP addresses of the source and addressee of the communication and the addresses of the websites visited.

Such a disclosure of data by transmission concerns all users of means of electronic communication, without its being specified whether that transmission must take place in real-time or subsequently. Once transmitted, that data is, according to the information set out in the request for a preliminary ruling, retained by the security and intelligence agencies and remains available to those agencies for the purposes of their activities, as with the other databases maintained by those agencies. In particular, the data thus acquired, which is subject to bulk automated processing and analysis, may be cross-checked with other databases containing different categories of bulk personal data or be disclosed outside those agencies and to third countries. Lastly, those operations do not require prior authorisation from a court or independent administrative authority and do not involve notifying the persons concerned in any way.

Paras 51-52

The Court stated that the purpose of the e-Privacy Directive was to protect users from threats to their privacy arising from new technologies. It ‘gave concrete expression to the rights enshrined in Articles 7 and 8 of the Charter’ (para 57) and the exceptions thereto under Article 15(1), ie necessary, appropriate and proportionate in the interests of purposes listed in Art 15(1): national security, defence and public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system. The exceptions cannot permit this exception to become the rule (citing Tele2/Watson, but also the ruling in La Quadrature du Net). Restrictions must also comply with the Charter. This is the same whether the legislation requires retention of the transmission of data to third parties (citing EU-Canada PNR Agreement, discussed here, paras 122-123). Drawing on Schrems II, discussed here, the Court held:

any limitation on the exercise of fundamental rights must be provided for by law implies that the legal basis which permits the interference with those rights must itself define the scope of the limitation on the exercise of the right concerned.

Para 65

It also re-iterated that derogations from the protection of personal data any restriction on  confidentiality of communications and traffic data may apply only in so far as is strictly necessary and “by properly balancing the objective of general interest against the rights at issue’ (para 67). Proportionality also requires the legislation to lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards, to protect effectively against the risk of abuse. The legislation must set down conditions for the application of the measures so as to restrict them to those ‘strictly necessary’; the legislation must be binding. Automated processing gives rise to greater risks. These considerations are the more pressing in the context of sensitive data.

The Court noted that the transmission of data to SIAs constituted a breach of confidentiality in a general and indiscriminate way and thus:

has the effect of making the exception to the obligation of principle to ensure the confidentiality of data the rule, whereas the system established by Directive 2002/58 requires that that exception remain an exception.

Para 69

it also constitutes an interference with Articles 7 and 8 of the Charter, no matter how the data are subsequently used. Re-iterating its approach in EU-Canada PNR Opinion, the Court stated that:

it does not matter whether the information in question relating to persons’ private lives is sensitive or whether the persons concerned have been inconvenienced in any way on account of that interference.

Para 70

Here, given the potential to create a personal profile of individuals the intrusions was particularly serious and “no less sensitive than the actual content of communications” (para 71). The court also emphasised the impact of the feeling of being under constant surveillance, following its reasoning in Digital Rights Ireland (discussed here) and Tele2/Watson. Such surveillance may have an impact on freedom of expression, especially where users are subject to professional secrecy rules or are whistleblowers. The Court also note that given the quantity of data in issue, their “mere retention” entails a risk of abuse and unlawful access (para 73).

The Court distinguished between ‘national security’ understood in the light of Article 4(2) TEU and ‘public security’ and matters within Article 15 ePrivacy Directive.  While measures safeguarding national security must still comply with Art 52(1) of the Charter, given the seriousness of threats comprised in ‘national security’ in principle the objective of safeguarding national security is capable of justifying more intrusive measures that those would could be justified by other objectives (cross referring to its reasoning in La Quadrature du Net). 

Even in relation to national security, the underlying national legislation must also lay down the substantive and procedural conditions governing use of the data and not just provide for access. National legislation must rely on objective criteria in order to define the circumstances and conditions under which the competent national authorities are to be granted access to the data at issue. Here, the national legislation requiring providers of electronic communications services to disclose traffic data and location data to the security and intelligence agencies by means of general and indiscriminate transmission exceeds the limits of what is strictly necessary and cannot be considered to be justified, within a democratic society even in the interests of protecting national security.

La Quadrature du Net/Ordre des barreaux francophones et germanophone

The Court’s approach to Article 15 and the sorts of activities in the service of which surveillance may be undertaken by contrast with Article 3(1) was, unsurprisingly, the same as can be seen in Privacy International, as was its approach to interpreting the directive – emphasising the confidentiality of communications as well as Articles 7 and 8 EU Charter. Again, the Court took the approach that the exception to communications confidentiality should not become the rule and that exceptions must be strictly necessary and proportionate to their objectives. Retention of communications data is a serious interference with fundamental rights – including freedom of expression. The retention of the data constitutes such an interference whether or not the data are sensitive or whether the user was inconvenienced.

In similar terms to Privacy International, the Court again came to the conclusion that the general and indiscriminate retention of data was impermissible under the Charter and Article 15. The Court also re-stated the limitations on derogating measures made under Art 15. The point of difference in this analysis is that the Court recognised the conflicting rights that might need to be reconciled – particularly with regard to crimes against minors and the State’s positive obligation to protect them. This does not mean that the limits as regards necessity and proportionality may be overlooked.

The Court then considered the meaning of national security – approaching the matter in the same terms as it did in Privacy International.  This higher threshold meant that neither the directive nor the Charter precludes recourse to an order requiring providers of electronic communications services to retain, generally and indiscriminately, traffic data and location data. This however is only so when the Member State concerned is facing a sufficiently serious threat to national security (which includes matters more serious than those listed in Art 15), a threat that is genuine and actual or foreseeable. In such a case retention can only be for a period of time limited to that which is strictly necessary. If any such order is to be renewed it must be for a specified length of time. The retained data must be protected by strict safeguards against the risk of abuse. The decision must be  subject  to effective  review by  an  independent body (court or administrative), whose  decision  is  binding, in  order  to  verify  that  such a situation exists and that the conditions and safeguards laid down are observed.

The Court observed that general and indiscriminate surveillance refers to that which covers virtually all the population. The Court recognised the duties of the State under positive obligations and the need to balance potentially conflicting rights. It then held that in situations such as those described at paras 135-6 of its judgment, that is those falling in Article 4(2) TEU, the e-Privacy Directive and the Charter do not preclude measures for targeted retention of traffic and location data. Such measures must be limited in time to what is strictly necessary, and focused on categories of persons identified on the basis of objective and non-discriminatory factors, or by using geographical criteria.  It then relied on similar reasoning in relation to the fight against crime and the protection of public safety.

Similarly, IP addresses may be retained in a general and indiscriminate manner subject to a requirement of strict necessity. Further, the directive also does not preclude the retention of data beyond statutory data retention periods when strictly necessary to shed light on serious criminal offences or attacks on national security, when the offences or attacks have already been established, or if their existence may reasonably be suspected.  Real-time data may also be used when it is limited to people in respect of whom there is a valid reason to suppose that they are involved in terrorist activities. Such use of data must be subject to prior review by an independent body to ensure that real-time collection is limited to what is strictly necessary. The Court notes that in urgent cases that the review should take place promptly (presumably rather than after the event).

Finally, a national court may not apply a provision of national law empowering it to limit the temporal effects of a declaration of illegality which declaration the national court must make in respect of national legislation due to incompatibility with the e-Privacy Directive, and evidence obtained illegally should not be relied on in court.

Comment

The common theme across the cases was the acceptability of the retention and analysis of communications data generally. The Court has re-iterated its general approach, unsurprisingly linking – as the Advocate General also did – between the Privacy International ruling and that in La Quadrature du Net. In its approach, the Court relied generously on its previous rulings, which demonstrates that there is quite a thick rope of cases, all to broadly the same effect. While the Court based its ruling on the ePrivacy directive (which is specific to communications and communications data), it also based its ruling more generally on Articles 7 and 8 of the Charter. It is noteworthy that the Court did not just refer to its case law on communications data but also to the Canada PNR opinion, underlining that there is a similar approach no matter the type of data in issue. The Court also relied on Schrems II, implicitly confirming aspects of its approach there and embedding that decision in its jurisprudence. The underlying concern in Schrems II was the same as here: that is, data collected by private actors are accessed by state actors. In sum, even in the interests of national security, general and indiscriminate surveillance does not satisfy the test of strict necessity and proportionality. While its general approach might be similar to what has gone before, there are still some points of interest and new ground covered.

The IPT seems to have been the only court amongst those making references that still has not accepted that the retention of data falls within the scope of the e-Privacy Directive, relying on the reasoning of the Court on the Data Protection Directive in relation to passenger name records in an early case.  In addition to re-establishing the well-trodden principles regarding the impact of requiring electronic service providers to retain data bringing the entire scheme within scope of the e-Privacy Directive, and different functions of Article 1(3) (scope of directive) and Art 15 (derogation from directive), the Court took the opportunity to say something about the scope of the GDPR, the successor legislation to the Data Protection Directive. In effect, the Court has stopped the line of reasoning found in that early PNR judgment – it cannot be used to determine the scope of the GDPR which should be understood in line with Art 1(3) of the e-Privacy Directive.

The Court has emphasised a couple of aspects of the legal regime surrounding surveillance that are worth a second look. Firstly, while the Court says nothing about the form of law on which a surveillance may be based, in its analysis of Article 52(1) Charter it does say that the same law must contain the constraints. The principle then has wider application than just communications data. This raises questions about forms of surveillance rolled out by the police based on broad common law powers, or – as in the recent Bridges decision – in a mix of legislation, common law and code. These sorts of surveillance – although in public – may also give rise to a feeling of being subject to constant surveillance, though the Court’s jurisprudence on video-surveillance under the GDPR has not yet grappled with this issue. It may be, however, that the Court would take a different view on the extent to which ‘private life’ would be engaged in such circumstances. It is also worth noting that the views of the independent body must be binding on the SIAs; this reiterates the point that in principle approval must be sought in advance.

The Court also made clear that the rights in issue are not just privacy and data protection; it specifically referred here to freedom of expression and flagged the distinctive of those under professional duties of confidentiality (doctors, lawyers) and whistleblowers. It did not, however, consider whether any infringement was justified in this context. The list of possible rights affected is not limited to freedom of expression: in Schrems II the Court highlighted the right to a remedy. It is not inconceivable that the right to association could also be affected. Presumably the same points of analysis apply – that general and indiscriminate monitoring cannot be justified even in the interests of national security. The Court also recognised, in La Quadrature du Net, the positive obligations on the State in relation to Article 3 and 8 ECHR and the corresponding article in the Charter – Articles 4 and 7. The balancing of these positive obligations provided the framework for the Court’s analysis of types of surveillance that did not immediately fall foul of its prohibition of of general and indiscriminate data retention. In this context, it might almost be said that the Court is reformulating public interest objectives (such as national security or the fight against sexual abuse of children) as positive obligations and thus bringing them in a rights balancing framework.

The Court’s reasoning in both cases also gave us some insight into the meaning of national security. It is distinct from and covers more serious issues that the objectives listed in Art 15. While this in principle seems to allow more intrusive measures to be justified, it seems that the Court has limited the circumstances of when it can be used. It does not overlap seemingly with those grounds in Article 15 e Privacy Directive. So, even might be argued reading this part of the judgments that serious crime cannot be blurred with national security. The devil will be in the detail here, a tricky one for any independent body to patrol – and in terms of permitted surveillance it is not clear what the consequences in practice would be.

The headline news, however, must be the ruling of the Court relating to measures that do not fall within the prohibition as general and indiscriminate measures. This on one level is not totally novel; it is implied, for example, in Tele2/Watson, para 106. The questions relate to what level of generality of surveillance would be permissible, and in relation to what sort of objective? Para 137 seems to limit targeted retention of communications data to matters of national security (including terrorism), but the Court then wheels out the same reasoning in relation to serious crime and public safety, and seems to envisage similar safeguards in both cases. This then means that the test of ‘strict necessity’ is doing a lot of work in distinguishing between the legitimate and illegitimate use of surveillance measures. The Court has historically not been particularly strong on what it requires of a necessity test – let alone one requiring strict necessity – in other cases involving the interference with Charter rights.

The final point relates to the procedural questions. The Court was clear that striking down incompatible law cannot have suspended effect. Yet, that is precisely what the English court did in Watson when allowing the UK government several months to get its house in order. The Court of Justice also held here that illegally obtained evidence cannot be used in court, relying on the need to ensure that the rights granted by EU law are effective.  While the status of EU law in the British courts may currently be uncertain on the face of it this might mean that convictions based on data between the handing down of Tele2/Watson, or at latest its application by the English courts, until the revision of the regime might be open to challenge whatever the domestic rules on evidence might say. Of course, even if we did not have to deal with the jurisprudential consequences of Brexit, the Court of Appeal, in its approach to Tele2/Watson ignored the aspects of the judgment directed at Tele2 referring court despite the fact that element of the judgment was an interpretation of EU law having general application, so it is to be assumed that still more would it ignore a ruling in a different case altogether.

This post first appeared on the EU Law Analysis blog and is reproduced here with permission and thanks.

The New EU Pact on Migration and Asylum and the Global Compact on Refugees and Solutions

TabareyBarey Camp in Niger

By Geoff Gilbert, Professor of International Human Rights and Humanitarian Law, University of Essex, Chair of the Global Academic Interdisciplinary Network

The United Nations Global Compact on Refugees (GCR) of 2018 is a document that tries to embrace all aspects of forcible displacement across international borders in the 21st century. This review of the new EU Pact will focus principally on how it might facilitate solutions for displacement in relation to the GCR, but necessarily there first has to be some more general analysis.

  1. The GCR as framing the argument

The GCR may not be binding in international law (paragraph 4), but it still gives rise to commitments for the international community as a whole. Its two principal elements pertinent to this discussion relate to burden- and responsibility-sharing and its focus on solutions.

The 1951 Convention relating to the Status of Refugees (1951 Convention) and its 1967 Protocol, and the 1950 Statute of the United Nations High Commissioner for Refugees (UNHCR) are directed towards protection of refugees in the country of asylum, not so much on the inevitable burden that providing protection entails, nor the ultimate protection, a durable and sustainable solution to their displacement. Paragraph 4 of the Preamble to the 1951 Convention did call for international co-operation:

CONSIDERING that the grant of asylum may place unduly heavy burdens on certain countries, and that a satisfactory solution of a problem of which the United Nations has recognized the international scope and nature cannot therefore be achieved without international co-operation.

Nevertheless, it took until the GCR in 2018 to put “flesh” on those bare bones. As figures from UNHCR [accessed 14 September 2020] show, there are 79.5 million displaced persons of concern to UNHCR, of whom 20.4m are refugees and 4.2m are asylum seekers; 73% live in neighbouring countries to those that they have fled, often alongside the 45.7m internally displaced persons (IDPs) who are also of concern to the organisation.[1] Of the top five hosting states, only Germany is in the global north: 80% of displaced persons of concern to UNHCR live in states where there is acute food insecurity and malnutrition.

In these circumstances, where the modal average length of a situation of displacement is around eighteen years, it is little wonder that the development actors play such an important role in the GCR, while UNHCR maintains its unique protection mandate for all refugees, including asylum seekers and returnees without a durable and sustainable solution.

Some aspects of the new EU Pact have a direct impact on how the GCR’s guiding principles and objectives (paragraphs 5 and 7) are to be achieved – as the new Communication on the new Pact (COM(2020) 609 FINAL) states, the EU is the “the world’s major development donor” (p. 18).

As regards durable and sustainable solutions, the traditional three are voluntary repatriation, resettlement or local integration. The GCR recognised a fourth means for responding to displacement, complementary pathways for admission to third countries (paragraphs 94-96). There is, however, language in those paragraphs that indicates that complementary pathways are not durable and sustainable, with references to student scholarships and labour mobility. If the objective is to provide the refugee with the sustainable international protection of a state rather than that upheld by UNHCR under its mandate, then studentships and labour mobility schemes do not offer that guarantee, at least in the first instance, although they may facilitate one of the traditional durable solutions and provide the refugee with the capacity to resolve their own situation.

  1. The new EU Pact and the GCR

It is always worth mentioning that the EU’s approach of joining asylum with migration is fundamentally flawed, regardless of how long they have persisted with it. Asylum is about protection and immigration is about controlling borders.[2]

The idea that the new Pact’s focus should be “a common framework for asylum and migration management at EU level as a key contribution to the comprehensive approach and seeks to promote mutual trust between the Member States” does undermine the primacy of refugee protection (COM(2020) 610 final, 2020/0279 (COD), Proposal for a Regulation of the European Parliament and of the Council on asylum and migration management and amending Council Directive (EC) 2003/109 and the proposed Regulation (EU) [Asylum and Migration Fund] (23 September 2020), p.2).

Nevertheless, in the context of solutions, some aspects of the new Pact may be facilitative (see, C(2020) 6467 final Commission Recommendation of 23.9.2020 on legal pathways to protection in the EU: promoting resettlement, humanitarian admission and other complementary pathways (23 September 2020), Preambular paragraphs 3 and 6). Equally, those elements relating to prevention, development aid and migration as a way to end refugee status and protect the dignity of refugees could be helpful (see COM(2020) 609 final, §§6.2, 6.3, 6.5)

2.1. Prevention

The cynical view within the 1990s was that there was no such thing as post-conflict, just a pause before it was pre-conflict again. Nevertheless, the link between development assistance and prevention is well established and is even built into the responsibility to protect (UNGA Res. 60/1 (2005), paragraph 139).[3]

139 … We stress the need for the General Assembly to continue consideration of the responsibility to protect populations from genocide, war crimes, ethnic cleansing and crimes against humanity and its implications, bearing in mind the principles of the Charter and international law. We also intend to commit ourselves, as necessary and appropriate, to helping States build capacity to protect their populations from genocide, war crimes, ethnic cleansing and crimes against humanity and to assisting those which are under stress before crises and conflicts break out.

The new Pact takes this further and should be read with paragraphs 8 and 9 of the GCR:

8 … In the first instance, addressing root causes is the responsibility of countries at the origin of refugee movements. However, averting and resolving large refugee situations are also matters of serious concern to the international community as a whole, requiring early efforts to address their drivers and triggers, as well as improved cooperation among political, humanitarian, development and peace actors.

In line with the Sustainable Development Goals, the international community, including the EU, should provide development assistance. The new Pact takes a similar line in COM(2020) 609 final §6.3 when it asserts that,

Conflict prevention and resolution, as well as peace, security and governance, are often the cornerstone of these efforts. Trade and investment policies already contribute to addressing root causes by creating jobs and perspectives for millions of workers and farmers worldwide. Boosting investment through vehicles such as the External Investment Plan can make a significant contribution to economic development, growth and employment.

On the other hand, while the new Pact has some useful language regarding long-term prevention through addressing root causes, there are other references that indicate an EU-centric attitude that will not effect global fairness and reduced displacement. In COM(2020) 609 final, §2.4 of the document talks about how “[the] new Asylum and Migration Management Regulation will … improve planning, preparedness and monitoring at both national and EU level”, rather than solidarity with the states in low- or middle-income countries who host 83% of the world’s refugees (UNHCR Global Trends 2019, p.25); as such, the focus once again seems to be on averting another 2015 European asylum crisis that never was a crisis given the wealth of European Union member states and the very limited numbers they were dealing with by comparison with many other low- or middle-income countries.[4]

2.2. Burden- and responsibility-sharing/ Local Integration

Predictable and equitable burden- and responsibility-sharing is fundamental to all of the GCR (paragraph 3). In this particular context, given the protracted nature of most displacement crises and that most displaced persons only cross one border according to the World Bank (Forcibly Displaced, 2017, p.23), supporting the low- or middle-income countries who host most refugees is part of the solution to the crisis. Solutions start from the moment of protection, as human rights and the rule of law protect refugees in the country of asylum.

The traditional durable and sustainable solutions are the endpoint of an international protection framework that is based on resolving the issues to which displacement gives rise: denial of access to education, employment and healthcare, interference with the guarantees the rule of law should offer, and the upholding of human rights. Some of the new Pact targets these problems refugees face during their situations of displacement. COM(2020) 609 final §6.2 states that

… [The] EU is determined to maintain its strong commitment to providing life-saving support to millions of refugees and displaced people, as well as fostering sustainable development-oriented solutions.

Nevertheless, this is a perfect example of why the new Pact might be evidence of hope triumphing over expectation. Niger has provided incredible support to forcibly displaced persons for years,[5] but according to the UNDP Human Development Index for 2020, Niger came 189th out of 189 countries. The EU should not be ‘solving’ forced displacement and providing protection through transfer to one of the poorest countries on the planet.

What is also true, however, is that whether formally or not, lots of forcibly displaced persons remain for protracted periods in the country of asylum and settle there. As will be seen, where voluntary repatriation is not possible, refugees have few options other than to make a new life in the country giving protection. The generosity of many countries of asylum in this regard, though, cannot be abused by the international community and, thus, EU initiatives with respect to development, also indicated in the new Pact, will inevitably play a large part in solutions. According to COM(2020) 609 final §6.3:

The EU is the world’s largest provider of development assistance. This will continue to be a key feature in EU engagement with countries, including on migration issues. Work to build stable and cohesive societies, to reduce poverty and inequality and promote human development, jobs and economic opportunity, to promote democracy, good governance, peace and security, and to address the challenges of climate change can all help people feel that their future lies at home.

It may not be what low- or middle-income countries hoped for during the Formal Consultations on the GCR, but without robust engagement with the source states, which have predominantly remained the same since the 1990s (World Bank, Forcibly Displaced, 2017, p. 23), voluntary repatriation will not resolve displacement crises.

2.3. Resettlement and Complementary Pathways

Resettlement is one of the classic durable and sustainable solutions, but it is less and less available, such that only for the most vulnerable will it provide a means of ending refugeehood. The Commission Recommendation on legal pathways to protection in the EU: promoting resettlement, humanitarian admission and other complementary pathways (C(2020) 6467 final) supports the expansion of resettlement programmes within the EU. But even so its impact on low- or middle-income countries that host so many refugees would still be minimal because the base figure is so low – 107,800 in a mere 26 countries worldwide in 2019 according to UNHCR.

The proposed Recommendation is a positive move by the EU, although the role of the European Asylum Support Office (EASO) alongside UNHCR needs to be further developed. Complementary Pathways are an additional solution listed in the GCR (paragraphs 94-96), but whether they will always be durable and sustainable like the traditional ones is open to question. The Pact deals with one very specific aspect of this in §6.6, the migration control effected through visa requirements for short-term mobility.

The remaining aspects of the proposed Recommendation apply equally to resettlement and complementary pathways. The aim of trying to ensure that forcibly displaced persons do not have to resort to irregular migration or even people smugglers is to be commended (§6.6, new Pact), but unless that reflects effective access rather than simply top slicing particular refugees based on limited skill sets that only suit EU member states (see paragraphs 19 and 21 of the Recommendation), then no noticeable change will take place. It will also reduce the skill-base in the country of nationality for when transition towards peace and stability can commence.

To start, resettlement is a humanitarian response that benefits refugees and the countries of first asylum, usually low- or middle-income countries, it is not a means by which to “match people, skills and labour market needs through legal migration” (§6.6, new Pact). That might be applicable to complementary pathways, but not resettlement as is clear from the Pact’s own description of the Union Resettlement and Humanitarian Admission Framework Regulation. The Pact also encourages broader community engagement with resettlement programmes that again reflects positive aspects of the GCR. (see paragraph 91 read in the light of paragraphs 33-44).

2.4. Voluntary repatriation

Often spoken of as the most desired solution by refugees and countries of asylum, voluntary repatriation relies on restoration of human rights and rule of law in the country of nationality, along with substantial development initiatives. UNHCR can ensure that voluntary repatriation does lead to durable and sustainable solutions for returning refugees through monitoring, but the international community as a whole will provide the framework.

The EU has a major role to play in peace building and conflict resolution, not only as regards addressing the root causes, not just vis-à-vis prevention, but also to encourage voluntary repatriation (§6.3). While there is much in the new Pact on the economic initiatives and on return programmes where people do not require protection, more on restoring human rights, rule of law and good governance would have been welcome.

  1. Conclusion

The Pact on Migration and Asylum has once again missed the opportunity to put the EU at the forefront of resolving the global displacement crisis. It focuses on internal EU concerns and aims at pushing the problem away, often with a cynical reference to how that will protect so many from the dangers they might face in trying to reach Europe. When only 17% of persons of concern to UNHCR were in high-income countries in 2019, the need to support low- or middle-income countries and to offer enhanced protection and assistance to refugees should have been the outward-looking drivers for this review. International protection standards have been sacrificed in the (vain?) hope of achieving a compromise within the EU.

This post first appeared on the website of the ASILE project and is reproduced her with permission and thanks.

Endnotes:

[1] This year’s figures include 3.6 million Venezuelans displaced abroad, alongside the 93,300 refugees and 794,500 asylum seekers – 4.5 million Venezuelans in total.

[2] For further discussion, see Gilbert, ‘Is Europe Living Up to Its Obligations to Refugees?’ 15 EJIL 963 at 968 (2004); Refer to S. Carrera, ‘Whose Pact? The Cognitive Dimensions of the New EU Pact on Migration and Asylum’, Policy Insight Kick-off Contribution to the ASILE Forum.

[3] For further discussion, see Gilbert, ‘Rights, Legitimate Expectations, Needs and Responsibilities: UNHCR and the New World Order’, 10 International Journal of Refugee Law 349 (1998), fn.1.

[4] See UNHCR Global Trends 2019, p.25, Figure 12.

[5] For further discussion, see Gilbert & Rüsch, ‘Rule of Law and UN Interoperability’, 30 IJRL 31 at 35 and fn.136, (2018)

“You Were Only Supposed to Blow the Bloody Doors Off!”: Schrems II and External Transfers of Personal Data

Photo by Joshua Sortino

Prof. Lorna Woods, Professor of Internet Law, University of Essex

The Court of Justice today handed down the much anticipated ruling on the legality of standard contractual clauses (SCCs) as a mechanism to transfer personal data outside the European Union.  It forms part of Schrems’ campaign to challenge the ‘surveillance capitalism’ model on which many online businesses operate: there are other challenges to the behavioural advertising model ongoing.  While this case is clearly significant for SCCs and Facebook’s operations, there is a larger picture that involves the Court’s stance against mass (or undifferentiated) surveillance. This formed part of the background to Schrems I (Case C-362/14, discussed here), but has also been relevant in European jurisprudence on the retention of communications data. This then brings us to a third reason why this judgment may be significant. The UK, like the US, has a system for mass surveillance and once we come to the end of the year data controllers in the EU will need to think of the mechanisms to allow personal data to flow to the UK. The approach of the Court to mass surveillance in Schrems II is therefore an indicator of the approach to a similar question in relation to the UK in 2021.

Background

The General Data Protection Regulation provides that transfer of personal data may only take place on one of the bases set out in the GDPR. The destination state may, for example, have an ‘adequacy decision’ that means that the state in question ensures an adequate (roughly equivalent) level of protection to the ensured by the GDPR (Article 45 GDPR).  The original adequacy agreement in relation to the United States (safe harbour) was struck down in Schrems I because it failed to ensure that there was adequate protection on a number of grounds, some of which related to the safe harbour system itself, but some of which related to the law in the US, specifically that which allowed mass surveillance.  While the safe harbour was replaced by the Privacy Shield under Decision 2016/1250 on the Privacy Shield (Privacy Shield Decision) which improved some of the weaknesses as regards the operation of the mechanism itself, including the introduction of an ombusdman system, little if anything has changed in relation to surveillance.

Another mechanism for transfer of personal data outside the EU is that of SCCs, which are private agreements between the transferor (data controller) and transferee. Article 46(1) GDPR states that where there is no adequacy decision “a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available”. Article 46(2) GDPR lists possible mechanisms including standard data protection clauses. The Commission has produced a model form of these agreements in Commission Decision 2010/87 (SCC Decision). 

Following the outcome of Schrems I, Schrems reformulated his complaint to the Irish Data Protection Commissioner (DPC) about data transfers arguing that the United States does not provide adequate protection as United States law requires Facebook Inc. to make the personal data transferred to it available to certain United States authorities, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) and the data is used in a manner incompatible with the right to private life, and that therefore future transfers by Facebook should be suspended.  These transfers are currently carried out on the basis of SCCs as approved by the SCC Decision.  The DPC took the view that this complaint called into question the validity of that decision as well as the Privacy Shield Decision, which moved the issue back into the courts. The Irish High Court referred the question to the Court of Justice and it is the outcome in this ruling that we see today.

The Judgment

The Advocate General in his Opinion (discussed here) suggested to the Court that the SCC Decision was valid; the problem was the context in which it operated. He took the view that the Privacy Shield’s validity should be considered separately. Crucially, he held that data controllers need to determine the adequacy of protection in the destination state. This in practice is difficult; while a data controller might have some control over what the recipient does with the data (how processed, data security etc), it would have little control over the general legal environment. In any event, data controllers would be required to make specific country assessments on this, which could be challenged by dissatisfied data subjects.  The Court took a slightly different approach. It agreed with its Advocate General that the SCC Decision was valid, but it struck down the Privacy Shield.

The Court made a number of findings. The first relates to the scope of inquiry and to competence. Given that national security lies outside the GDPR (and outside EU competence), should questions about the processing of data for purposes of public security, defence and State security be outside the scope of the GDPR rules. Following its position in Schrems I, the Court (like its Advocate General) rejected this argument [para 83, 86, 88]: the transfers of personal data by an economic operators for commercial purposes, even if that personal data is then processed by the authorities of the destination state for national security reasons, remains within the GDPR framework. Exclusions from the regime should be interpreted narrowly (citing Jehovan todistajat (Case C-25/17), discussed here).

In determining the level of protection the GDPR requires, the Court re-iterated its stance from Schrems I and following the reasoning of its Advocate General in this case held that we are looking for a level of protection “essentially equivalent” to that in the EU- and bearing in mind that the GDPR is understood in the light of the EU Charter.  So not only must the terms of the SCCs themselves be taken into account but also the general legal environment in the destination State.  The Court summarised:

…. the assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of [the GDPR].

[Para 105]

The Court noted that the national supervisory authorities are responsible for monitoring compliance with EU rules, and may check compliance with the requirements of the GDPR (following on from the position under the DPD established in Schrems I), and the national regulatory authorities have significant investigative powers. Where the SCCs are not complied with – or cannot be complied with – the national regulatory authorities must suspend or prohibit transfers and the Commission’s competence to draft SCCs does not restrict the powers of national authorities to review compliance in any way.  In this the Court’s approach is broadly similar to that of the Advocate General.  As regards an adequacy decision, a valid adequacy decision is binding, until such time as it may be declared invalid; this does not stop individuals from being able to complain.

Applying the principles to the SCC Decision, the Court noted that the standards bind only the parties to the agreement. Consequently, although there are situations in which, depending on the law and practices in force in the third country concerned, the recipient of such a transfer is in a position to guarantee the necessary protection of the data solely on the basis of standard data protection clauses, there are others in which the content of those standard clauses might not constitute a sufficient means of ensuring, in practice, the effective protection of personal data transferred to the third country concerned [para 126].

Does this possibility mean that the SCC Decision is necessarily invalid? The Court held not. Unlike an adequacy agreement which necessarily relates to a particular place, the SCC decision does not. The SCCs therefore may require supplementing to deal with issues in individual cases. Moreover, the SCC Decision includes effective mechanisms that make it possible to ensure compliance with EU standards [para 137].  Specifically, the SCC Decision imposes an obligation on a data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected  in the third  country  concerned. The recipient of the data must inform the data controller of any inability to comply with the SCCs, at which point the data controller is obliged to suspend transfers and/or terminate the contract. The SCC Decision is therefore valid; the implications of this in practice for this case were not drawn out. The Court in the end held that:

… unless there is a valid European Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of that regulation and by the Charter of Fundamental Rights, cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer [operative ground 3].

The existence of an adequacy decision is then key. Turning to the Privacy Shield Decision, the Court set the same analytical framework, emphasising the GDPR is understood in the light of the Charter and the rights to private life, to data protection and to an effective remedy. In assessing the decision, the Court noted that it awards primacy to the requirements of US national security, public interest and law enforcement, which the Court interpreted as condoning interference with the fundamental rights of persons whose data are transferred. In the view of the Court, access and use of personal data by US authorities are not limited in a way that is essentially equivalent to EU law – the surveillance programmes are not limited to what is strictly necessary and are disproportionate. Further, data subjects are not granted rights to take action before the courts against US authorities. The Ombudsperson mechanism, introduced by the Privacy Shield Decision as an improvement on the position under safe harbour, is insufficient. The Court therefore declared the Privacy Shield invalid.

Comment

The most obvious consequence of this ruling is that of how data transfers to the US can continue? The Privacy Shield is no more, and its demise has consequences for the operations of SCCs in practice. Given the weaknesses in the general legal system from the perspective of the Court of Justice, weaknesses over which the data controller/exporter can have little control, how can the requirements to individually assess adequacy be satisfied?  Are there, however, any other mechanism on which data transfers could be carried out?

In this context, we should note how the Court has interpreted the provisions of Chapter V to create a common baseline for standards, despite differences in wording between Arts 45 and 46 GDPR. Article 45 deals with adequacy decisions and it requires that there is “an adequate level of protection”; Article 45(2) then lists elements to be taken into account – notably respect for the rule of law and human rights and “relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data”. It was this provision that was interpreted in Schrems I to require a level of protection that is ‘essentially equivalent’. Article 46(1) – which is relevant to the other mechanisms by which transfers may take place, including agreements between public authorities and binding corporate rules as well as SCCs – says something different. Article 46(1) requires “appropriate safeguards” and “enforceable data subject rights and effective legal remedies for data subject”. This is then not necessarily the same – at least in terms of simple wording – as Article 45(1). The Court however has read Articles 46 and 45 together so as to ensure that, as required by Article 44, data subjects’ rights are not undermined. This brings the essential equivalence test across to Article 46 [see para 96] and not just SCCs, but all the other mechanisms for data transfer listed in Art 46(2).  More specifically the factors to be taken into account when considering whether there are appropriate safeguards match the list set out in Article 45(2). 

The Court also emphasised that the requirements of the GDPR must be understood in the light of the EU Charter as interpreted by the Court itself [para 100].  In this context, the backdrop of the Court’s approach to fundamental rights – specifically the right to private life in Art 7 EU Charter – is significant. The Court in a number of cases involving the bulk retention of communications and location data by telecommunications operators so that those data could be accessed by law enforcement and intelligence agencies found those requirements – because they applied in an undifferentiated manner irrespective of suspicion across the population – to be disproportionate (Digital Rights Ireland and Others, Cases C-293/12 and C-594/12; Tele2/Watson (Cases C-203/15 and C-698/15), discussed here and here). The Court has also criticised the use of passenger name records (PNR) data (Opinion 1/15 (EU-Canada PNR Agreement, discussed here)) and particular the use of automated processing. The Court in its review of the facts referred to a number of surveillance programmes and that the referring court had found that these were not ‘essentially equivalent’ to the standards guaranteed by Article 7 and 8 EU Charter. This would seemingly cause a problem not just for the adequacy agreement, but for an operator seeking to rely on SCCs – or on any other mechanism listed in Art 46(2).

This brings to the forefront Article 49 GDPR, referred to by the Court as filling any ‘vacuum’ that results from its judgment, which allows derogations for external transfers in specific situations, notably that the data subject has consented or that the transfer is necessary for the performance of a contract. While these might at first glance give some comfort to data controllers a couple of words of caution should be noted. First, these reflect the grounds for lawful processing and should be interpreted accordingly. Notably ‘explicit consent’ is a high bar – and all consent must be freely given, specific informed and unambiguous – and it should be linked to a specific processing purpose (on consent generally, see EDPB Guidelines).  The ground that something is necessary for a contract does not cover all actions related to that contract – in general a rather narrow approach might be anticipated (see EDPB Guidance). 

The final point relates to the UK. The UK perhaps infamously – also has an extensive surveillance regime which has been the subject of references to the Court of Justice (as well as a number of cases before the European Court of Human Rights). Crucially, the regime does have some oversight and there is an independent tribunal which has a relaxed approach to standing. Nonetheless, bulk collection of data is permissible under the Investigatory Powers Act, and it is an open question whether the Court of Justice would accept that this is necessary or proportionate, despite the changes brought in since the Tele2/Watson ruling on the communications data rules. Further, the UK has entered into some data sharing agreements with the US which have given rise to disquiet in some parts of the EU institutions. Whilst a member of the EU it benefitted in terms of data flows from not having to prove the adequacy of its safeguards. From 2021 that will change.  In the light of the approach of the Court of Justice, which can be seen as reemphasising and embedding its stance on surveillance, obtaining an adequacy agreement may not be so easy for the UK and given the similarity in approach underpinning Articles 45 and 46 GDPR, other mechanisms for data flow may also run into problems if this is the case. For now, the jury is out.

This post originally appeared on the EU Law Analysis Blog and is reproduced here with permission and thanks.

National Courts and the Enforcement of EU Law: The Pivotal Role of National Courts in the EU Legal Order

Image by David Mark

Prof. Theodore Konstadinides, Professor of Law, University of Essex and Dr. Anastasia Karatzia, Lecturer in Law, University of Essex

Prof. Theodore Konstadinides and Dr. Anastasia Karatzia acted as the UK national rapporteurs for the Fédération Internationale Pour Le Droit Européen (FIDE) Congress 2020, one of the most significant conferences on EU law which brings together academics, advocates, judges and representatives from the EU institutions.

The Congress is an occasion to exchange views and expertise on EU law. Prof. Konstadinides and Dr. Karatzia were selected as the national rapporteurs for one of the three topics of the conference: National Courts and the Enforcement of EU Law: The Pivotal Role of National Courts in the EU Legal Order.

In their report, the authors explore pertinent questions about the interaction between UK national courts and the Court of Justice of the European Union concerning issues such as the preliminary reference procedure, the principle of supremacy, presumption of mutual trust, and the judicial independence of national courts and tribunals.

The Congress Publications, which include Prof. Konstadinides’ and Dr. Karatzia’s report, were published in July 2020 and are available digitally as Open Access resource here.

The German Constitutional Court’s Decision on PSPP: Between Mental Gymnastics and Common Sense

The Federal Constitutional Court

Professor Theodore Konstadinides, School of Law, University of Essex

The 5th of May 2020 will be remembered as a strange day for EU law and German constitutionalism. The German Constitutional Court upheld the constitutional complaints by several groups of individuals against the European Central Bank’s Public Sector Purchase Programme (PSPP). As explained in yesterday’s post by Thomas Horsley, the PSPP set up a framework that enabled the ECB to purchase government bonds or other marketable debt securities issued by the governments of Member States in the eurozone with a view to return to an appropriate level of inflation (below 2 per cent). The Constitutional Court found that the PSPP carried considerable impact on the fiscal framework in the Member States and the banking sector in general. As such, the Court concluded that both the German Government and Parliament violated the complainants’ rights under the Constitution by failing to monitor the European Central Bank’s (ECB) mandate, in particular as regards the adoption and implementation of the PSPP.

Most importantly perhaps, the Constitutional Court held that it was not bound by the preliminary ruling of the CJEU (Article 267 TFEU) on the same issue (in Weiss discussed below). Its reasoning was centred on the Luxembourg Court’s alleged failure to properly apply the proportionality principle under the Treaty (Article 5 (1) and (4) TEU). This failure was due to a lack of assessment of the possible economic policy implications of the purchase program of public debt and lack of consideration of the availability of less restrictive means. Consequently, the Constitutional Court held that the CJEU acted ultra vires.

Two immediate reactions to the judgment

The judgment reaches beyond the practical implications of policing the boundaries between monetary and economic policies. Its impact is twofold.

First, on an institutional level, questioning the monetary mandate of the European Central Bank (ECB) as a sui generis institution operating within the EU institutional system may destabilise the high degree of independence enjoyed by the ECB in the financial crisis related cases heard before the CJEU and national courts. As feared by Maduro, the ripple effect of the judgment may therefore reach beyond the credibility of the PSPP. It may further endanger the coming into fruition of similar ECB ventures such as its recent response to Covid-19 through its new Pandemic Emergency Purchase Programme (PEPP). New cases may emerge in Germany against this and future financial assistance decisions questioning the economic side effects of the ECB’s own programmes.

Second, constitutionally the judgment poses questions of an existential nature in the midst of the Covid-19 crisis concerning the balancing between the authority and primacy of EU law, and national competences and sovereignty beyond budget matters. It also questions the current stability of the preliminary reference procedure under Article 267 TFEU as the main communication channel fostering dialogue between the national and EU legal orders. This post will consider the judgment’s constitutional implications by criticising what the judgment means for the limits of the transfer of sovereign powers to the EU, and for judicial dialogue between national courts and the CJEU, but also between the three branches of government in Germany.

Constitutional confrontations prior to the PSPP judgment

While the judgment has attracted a great deal of attention in the blogosphere, little is mentioned of the fact that the PSPP judgment is not the first instance where the German Constitutional Court has challenged the validity of the decisions of the ECB. A few years back the same Court established that its powers of review may extend outside the context of Treaty revision or secondary law implementation qua an act of an EU institution, such as the ECB, that has its own legal personality and decision-making bodies. In the seminal Gauweiler judgment of 2015 (the first ever preliminary reference from the German Constitutional Court to the CJEU) the German Constitutional Court contested the validity of the Decision of the Governing Council of the ECB on features of the ECB’s government bond buying programme (Outright Monetary Transactions – OMT) arguing that it violates EU rules on monetary policy and the Protocol on the Statute of the European System of Central Banks and of the ECB. Its reasoning was purely constructed on legal grounds – i.e. whether the OMT programme marked an important shift in the delimitation of competence to the Member States’ detriment.

In its OMT judgment, the BVerfG placed the ECB’s Decision under the scrutiny of German constitutional law due to the fact that it operated without any express judicial or parliamentary approval. It was in this regard that its constitutional identity review power kicked in as a means to reinstate the default constitutional position that fiscal policy is only to be exercised according to the principles of representation and of distribution of powers. Equally, the Bundestag was responsible for the overall budgetary responsibility. As such, the Constitutional Court’s reasoning was predicated on the condition that the balance of competence would only be restored once the CJEU provided assurances that the OMT Programme merely consists of a supporting mechanism for the EU economic policies and not one concerning the stability of the EMU. Indeed, the CJEU provided such assurances and, despite its reservations, the Constitutional Court nodded to its satisfaction.

Shortly after Gauweiler, the German Constitutional Court made another request for a preliminary ruling in Weiss, this time on the validity of the ECB’s Decision on PSPP and its subsequent amendments as a means to maintain price stability. The applicants in Weiss asked similar questions to Gauweiler in relation to ECB’s monetary mandate and its potential ultra vires acts by venturing into economic policy reserved by the Member States. The CJEU rejected this claim and ruled in 2018 that the PSPP is a proportionate measure for mitigating the risks to the outlook on price developments and that it falls within the ambit of the ECB’s competences. It is worth mentioning that compared to OMT, the CJEU’s judgment in Weiss received little wider publicity, perhaps because one could almost predict another positive nod from the German Constitutional Court.

The constitutional dimension of the PSPP judgment

This brings us to the current judgment of the Constitutional Court of 5 May 2020 vis-a-vis the refusal of the German Constitutional Court to implement the above judgment of the CJEU. This refusal was based on the grounds that the CJEU manifestly failed to give consideration to the principle of proportionality which applies under the Treaty to the division of competences between the EU and national legal orders (Article 5 (1) and (4) TEU). The judgment is reminiscent of the scenario that the Constitutional Court has been rehearsing for years (since its Maastricht decision in 1993) in its collective mind: that when push comes to shove it will be competent to decide whether an act of EU secondary law is ultra vires. It is a scenario that we have been teaching our students with the caveat that this had never materialised in Germany. As mentioned elsewhere, our syllabi might have to be revised for next year, given that the judgment signals the first time that the BVerfG directly diverges from the ruling of the CJEU in a case that it has initiated through the preliminary reference procedure (Article 267 TFEU).

But the PSPP judgment goes beyond a declaration of ultra vires of EU secondary legislation. The Constitutional Court extends its ultra vires review to the interpretation of proportionality undertaken by the CJEU as exceeding its mandate as conferred by the Treaty (Article 19 (1) TEU). It confronts the CJEU as acting ultra vires because its standard of review is not conducive to restricting the scope of competences conferred by the Treaty upon the ECB. The Constitutional Court declares that it is the final arbiter and thus not bound by the CJEU’s judgment in Weiss because it does not agree with its reasoning which it describes as ‘simply not comprehensible’ (see for instance paras 116 and 153). By holding that the Weiss judgment exceeded the mandate conferred upon the CJEU, the Constitutional Court disregards the principle that rulings of the CJEU are binding on all national courts. The Constitutional Court also seems to take no notice of Article 344 TFEU which provides that ‘Member States undertake not to submit a dispute concerning the interpretation or application of the Treaties to any method of settlement other than those provided therein’. It both hinders any future communication between the two courts on the matter and oversteps the boundaries of its powers by acting ultra vires itself.

Yet, despite its bravado, the PSPP decision does not provide any assurances that the BVerfG has finally adopted a unified and coherent approach when it comes to exercising its power to impose constitutional locks upon EU competence. A careful review of the Constitutional Court’s previous record of decisions reveals that its constitutional review has been purely theoretical and consisted of a means of getting assurances from both the EU and domestic institutions that the balance of competence between the EU and the Member States has not been transgressed. We cannot, however, overlook the possibility that in the present case this may be a gamble too far for the credibility of the German Constitutional Court. If the Court, for instance, accepts the Bundesbank’s stronger justification for why the ECB program, and decisions implementing it, are proportional the PSPP judgment may be remembered as some of the most scathing satire to scrape across the Karlsruhe courtroom since the days of Lisbon Urteil. There, the Constitutional Court took it upon itself to scrutinise the exercise of EU competences through an intra vires identity review (even when the EU is acting within its bounds of competence) in order to preserve the inviolable core content of Germany’s constitutional identity.

Throughout Germany’s history of EU membership, the Constitutional Court’s ultra vires competence review has been constructed on a ‘so-long-as’ presumption of equivalence of constitutional standards which were never deemed to be deficient at the EU level by the judges of the Constitutional Court. The current decision, however, is different because the same judges placed an additional caveat on the judicial interpretation of EU law by the CJEU. They boldly declare that:

As long as the CJEU applies recognised methodological principles and the decision it renders is not objectively arbitrary from an objective perspective, the Federal Constitutional Court must respect the decision of the CJEU even when it adopts a view against which weighty arguments could be made (para. 112)

Hence there are two important dimensions of the case where the Constitutional Court interferes with the current EU rulebook. On the one hand, the Constitutional Court appears unequivocal about imposing external controls upon the ECB’s economic assessment, seeking more transparency and proportionality as to its measures. It throws the ball aggressively into the Bundesbank’s court hoping that it will bounce in the right direction and strike at the ECB’s headquarters. There is a silver lining to this dimension of the judgment given the growth of the ECB’s competence in recent years. However, the Court’s economic analysis is hardly so convincing as to make a bulletproof argument.

On the other hand, the PSPP judgment establishes an ultra vires test that is insensitive to the CJEU’s jurisdiction conferred under the Treaty. There is a surprise element here given that the CJEU has been consistent in its last two preliminary rulings about proportionality. Of course, one can argue that the CJEU’s proportionality control over the acts of the ECB has always been based on the wrong footing. But for the above reasons, unlike the Constitutional Court’s previous theoretical Kompetenz-Kompetenz challenges, the current decision seems to allow little scope for putting the reverse gear in place (unless the Court is prepared to accept any proportionality justification). But even if the judgment is about principle and the Court runs with just about any Bundesbank proportionality justification thrown at it, some damage is too severe to handle on its own without causing further harm to Germany’s EU membership.

By disregarding the CJEU’s exclusive powers of treaty interpretation the Constitutional Court endangers Germany’s duty of sincere cooperation (under Article 4(3) TEU) to the EU against the wishes of the other two branches of government. Even if the judgment is about principle, the price is too high to pay as an ultra vires act is not to be applied in Germany. This means effectively that the German Government is put on the spot and asked to choose between its EU membership obligations and its allegiance to the Constitution as interpreted by the Constitutional Court. At the same time, the judgment raises a question about the extent to which the duty of sincere cooperation under EU law applies in the internal tensions of a Member State.

While, therefore, protecting individual rights under the Constitution, the PSPP judgment questions the principle of separation of powers under the German Constitution and the unity between the three branches of government and people to respond to external pressure from the ECB. The judgment is, however, more than an attempt of the German Constitutional Court to revert to a long-standing statement of intention to review EU law and show its real teeth to the EU Institutions. As such we must be careful in attributing it a veneer of constitutional patriotism. By holding that both the German Government and Parliament violated the Constitution, judges turn in effect against all parties involved in the materialisation of the PSPP, albeit them sitting in Frankfurt, Luxembourg or in Berlin. One can hardly interpret as healthy national dialogue the 3-month ultimatum given by the Constitutional Court to the German Government and Parliament to secure a new evaluation of the PSSP from the Governing Council of the ECB that complies with the proportionality test set by the Court as regards its economic and fiscal policy implications. The ECB needs, in particular, to provide authorisation to the Bundesbank to send to the Constitutional Court all relevant documentation both published and unpublished providing the necessary proof that all possible consequences of the purchase program were considered. Failure to do so means that the Deutsche Bundesbank will have to withdraw from the implementation and enforcement of the PSPP.

Conclusion

While EU Institutions are far from being infallible and Member States can and should confront their counterparts in the EU, the current decision sets a dangerous course because it allows no room for internal dialogue to be fostered between the Constitutional Court, the Government, and Parliament so that a uniform national approach can be adopted against ECB policies, whether this means accepting them or challenging them before the CJEU as a Member State. The Constitutional Court’s judgment shall not therefore be only interpreted as an act of defiance against the EU but also as a decision that jeopardises the Constitutional Court’s own reputation (which, as explained yesterday, has been envied by last instance courts across Europe) and, depending on the EU’s reaction, Germany’s good record of membership in the EU.

The ECB’s and CJEU’s responses to the judgment, as well as the Commission’s issuing of a Press Release warning of the possibility of bringing infringement proceedings against Germany (if  the Bundesbank fails to implement its obligations under the Eurosystem) are proof that the judgment is more than a storm in a teacup and that the current mutiny in Karlsruhe may have to be resolved by using formal EU dispute resolution mechanisms. Any fears that the PSPP judgment is emblematic of the wider rule of law crisis (in the form of defiance towards EU membership obligations) that has been brewing for the last half decade at the heart of the EU are indeed legitimate. Responding to such a crisis during an extraordinary period of disruption, ill health and economic hardship is perhaps the biggest challenge that the EU has been confronted with since its very inception. This is tenfold when faced with a founding Member State questioning, through its judiciary, the integrity of EU Institutions. Let us hope that both the EU institutions and the German Constitutional Court will measure the cost of this episode and common sense will prevail.

The author wishes to thank Mike Gordon and his colleagues Anastasia Karatzia and Nikos Vogiatzis for their useful suggestions. This post was originally published on the UKCLA Blog and is reproduced here with permission and thanks.

Weimar-on-Danube: on the Hungarian Enabling Act, the European Response, and the Future of the Union

Image by Hans Hansen

Dr. Tom Flynn, Lecturer in Law, University of Essex

The current pandemic is testing political, legal, and social systems in significant ways. Europe has faced, among other things, strains regarding the notion of solidarity within the Union, questions as to the ability of economic and financial systems to co-ordinate responses, and now, in Hungary, challenges to the claimed democratic values of the Union itself.

The Hungarian Fundamental Law of 2011 regularly contemplates its own negation: Articles 48–54 establish a total of six ‘special legal orders’. These are the ‘state of national crisis’, the ‘state of emergency’, the ‘state of preventative defence’, the ‘terror-threat situation’, ‘unexpected attacks’, and the ‘state of danger’. It is through this last provision, defined as ‘a natural disaster or industrial accident endangering life and property’ that Viktor Orbán’s Fidesz party initially channelled its legal response to the Covid-19 pandemic. However, chafing under Article 53 (3)’s imposition of a 15-day limit on decrees under the ‘state of danger’, Orbán last week used his two-thirds parliamentary majority to pass what we can rightly call an Enabling Act, allowing him to rule by decree for an indefinite period. Others have written cogently of the Act as a ‘constitutional moment’of how it fits perfectly with Orbán’s long-established patterns of behaviour; and of the dim prospects of EU law being any use against it, at least in the short- to medium-term. The purpose of this short piece is to accept and adopt these critiques, and to contrast the brilliant opportunism of Orbán’s move with the lumpen foolishness of the European response. What emerges from such a study paints a grim picture: the chancelleries of Europe full of little Neros, fiddling while the Hungarian Rechtsstaat burns.

The response from the Commission and from the Member States has been pathetic. On 31 March, Commission President Ursula von der Leyen tweeted that:

‘[i]t’s of outmost importance that emergency measures are not at the expense of our fundamental principles and values. Democracy cannot work without free and independent media. Respect of freedom of expression and legal certainty are essential in these uncertain times.’

She added that the Commission:

‘will closely monitor, in a spirit of cooperation, the application of emergency measures in all Member States. We all need to work together to master this crisis. On this path, we’ll uphold our European values & human rights. This is who we are & what we stand for.’

Such dishwater platitudes are to be expected from a President who owes her position to the votes of MEPs from Fidesz and from Poland’s ideologically-related ruling PiS party, and who thought it a clever idea to try to appoint a Commissioner for ‘Protecting Our European Way of Life’, (a post later made no less nonsensical and insulting by being changed to one of ‘promoting’ this alleged ‘way of life’).

Only very slightly less disappointing was the following day’s joint statement from Belgium, Bulgaria, Denmark, Estonia, Finland, France, Germany, Greece, Ireland, Italy, Latvia, Lithuania, Luxembourg, the Netherlands, Portugal, Spain and Sweden. These 17 Member States expressed ‘deep concern’ about ‘the risk of violations of the principles of rule of law, democracy and fundamental rights arising from the adoption of certain emergency measures’.

A striking aspect of both these responses was their unwillingness—their seeming inability—to name Hungary, and to specifically state that Orbán’s power grab would be resisted and challenged. The consequences of this diplomatic squeamishness soon became clear: just a day later, on 2 April, in an act of the purest, most distilled chutzpah, the Hungarian government had the gall to join in adopting the statement issued by the ‘deeply concerned’ 17 Member States. Whatever his other flaws, we can credit Viktor Orbán with being a master of comic timing. Of course he joined the statement! Why wouldn’t he? After all, the statement did not identify any particular Member State as being the reason for the ‘deep concerns’ expressed, and by claiming to echo the Member States’ concerns, Orbán can continue to assert that his is an entirely mainstream—just very conservative—political project. This is in keeping with Fidesz’s continuing membership of the European People’s Party, which affords political cover to Orbán’s project of remaking Hungary in his image.

Meanwhile, the decrees are coming in thick and fast. The plan to build a ‘museum quarter’ in Budapest’s City Park, held up by the unexpected victory of the opposition in last year’s mayoral elections, will go ahead. A person’s legal sex will now be fixed at birth, and cannot be legally altered. Municipal theatres—rare islands of intellectual independence and the possibility of artistic and political dissent—will be brought under central government control. Quite what these measures have to do with stopping the spread of the coronavirus and managing the current crisis is not clear. What is clear is the Enabling Act is mere opportunism, seizing on a deadly threat to permit the government to go about its agenda with the very minimum of political, legal, and press scrutiny.

The idea of ‘naming and shaming’ as an enforcement method only works if you actually name offenders, and if the offenders are actually capable of feeling shame. Hungary’s mocking adoption of the joint statement demonstrates the sheer shamelessness of the Orbán government. The refusal of the Commission and the Member States to name Hungary and to specifically condemn Orbán’s behaviour illustrates the extent to which senior figures in Europe are beholden to a kind of comity of idiots, where each is afraid of being undiplomatic to the other, just in case the other might one day be undiplomatic to them.

The apparent reluctance of European heads of state and government to ‘interfere’ in one another’s ‘domestic’ affairs is a relic of a bygone age, a time when we really could draw such bright lines between the ‘national’ and the ‘European’. Our political leaders know this, but they maintain the pretence because it is a useful insulator: it preserves ‘the national’ as a kind of petty fiefdom, which will brook no criticism from outside, despite the fact that domestic action is influenced by, and in turn influences, action at the Union level and in every other Member State. The Enabling Act does not just endanger Hungary and Hungarians, but Europe and Europeans: the rot can spread from the Member States to the Union, from the Union to the Member States, and from one Member State to another. Orbán’s pollution of the Hungarian body politic; PiS’s degradation of Poland; and the murders of Daphne Caruana Galizia and Ján Kuciak are not directly related, but taken together they are all indicative of a Union sliding ever further into the mire, where the appearance of unity is more important than any actual substantive commonality of democratic standards, or those beloved ‘values’ of which we hear so much.

There has recently been at least some movement in terms of legal sanction for Orbán and those like him. AG Kokott last month argued that the CJEU should find Orbán’s ‘lex CEU’, by which the Central European University was hounded out of Budapest, in breach of EU and WTO law. This month, the CJEU held that Poland, Hungary, and Czechia had failed in their obligations under Union law to join in the EU’s relocation programme for the distribution of asylum-seekers across the Union. But these victories are partial, reactive, and belated, and have met with scorn from Fidesz. Union law in general, and the Treaties in particular, are simply not geared towards the rectification of the kind of authoritarian opportunism of which Orbán is the standard-bearer.

In the present state of Union law, the solution must be, and can only be, political. But the Hungarian Enabling Act exposes the idea that European conservatives can curb the excesses of their most obviously authoritarian bedfellows as the delusion it has always been. Nor are the EPP alone in sheltering undesirables: the Social Democrats and the Liberals are both happy to rely on the votes of members with questionable records and intentions.

The tension between ‘capital Europe’ and ‘social Europe’ is as longstanding as the disconnect between ‘economic Europe’ and ‘political Europe’, but the current crisis is bringing these tensions to boiling point. Most notable is the issue of ‘solidarity’, a word frequently on the lips of European leaders but only rarely evident in their actions. The crisis exposes the EU’s historical baggage about what it is, what it does, and what it’s meant to be. From bailouts to borders to non-interference in ‘domestic’ politics, we must stop pretending that the EU can exist as a kind of rarefied space of apolitical technocracy. In this sense, we can learn a valuable lesson from Orbán: opportunities ought not to be wasted. The homeless can be housed. Private healthcare systems can be nationalised. The Union can—and must—take action in defence of its claimed fundamental values.

A young democracy in an old nation at the very heart of Europe is being snuffed out before our eyes, and our leaders are doing nothing.

At least Nero could play the fiddle.

This post first appeared on the DCU Brexit Institute Blog and is reproduced here with permission and thanks.

Whose Autonomy is it Anyway? Freedom of Contract, the Right to Work and the General Principles of EU Law

Dr Niall O’Connor, Lecturer in Law at the University of Essex, has authored an article exploring the significance, in the employment context, of freedom of contract as a fundamental right in article 16 of the EU Charter of Fundamental Rights (the Charter).

For the first half of its existence, few could have foreseen that article 16 would soon be at the centre of debates surrounding the precise place of business freedoms within EU employment law. This has changed following a number of controversial decisions in which the Court of Justice of the EU (CJEU) relied on article 16 to undermine the effectiveness of employee-protective legislation.

This article examines the nature of freedom of contract as both a fundamental right and a general principle of EU law and its effects in the employment context. Critical Legal Studies (CLS) is relied on to show that existing arguments as to the use of Article 16 as a radical tool in the employment context have been both exaggerated and underplayed.

Finally, the article explores potential counterweights to freedom of contract as a fundamental right, notably the right to work found in article 15 of the Charter.

The article was published as an Advance Article on 6 November 2019 in the Industrial Law Journal and is currently free to access here.

Exit Britain Enter the Stakeholders: Could Brexit End the Cultural Wars within the EU Company Law and Give Birth to a Truly “European Company”?

Dr. Marios Koutsias, Senior Lecturer in Law at the University of Essex, has a new publication in the European Business Law Review entitled ‘Exit Britain Enter the Stakeholders: Could Brexit End the Cultural Wars within the European Union Company Law and Give Birth to a Truly “European Company”?’

The history of European Union company law is a very troubled one. It is a history of national conflicts and debates which resulted in the inability of the EU to create a common body of EU company law. The article argues that national company laws are deeply rooted in national culture.

Corporate governance in particular evolved into an arena where fierce corporate culture wars were fought for decades. This is why the European Company – the so-called Societas Europea – failed to evolve into a truly supranational corporate form. While all member states have their own distinctive systems of corporate governance, the failure in question has been mostly fuelled by the conflict between the two widely-opposed corporate governance systems of the UK and Germany.

The UK endorses the so-called contractual model of corporate governance. Germany on the other hand employs the so-called stakeholder system of corporate governance. The rest of the member states of the EU lie between those two opposing poles. The conflict between the two European pillars of widely opposed corporate philosophies and consequently laws – the UK and Germany – has been so intense that it undermined any attempt to create a single European company.

The article argues that Brexit can change that. The exit of one of the two main pillars of the conflict may pave the way for the dominance of the stakeholder model of corporate governance in the EU. A post-Brexit EU would lack the most vocal and influential supporter of contractualism. This should allow the remaining member states to converge into a standard that would be closer to the stakeholder model.

The article appears in Volume 30, Issue 6, pp. 881-907 of the European Business Law Review.

Reporting as a Means to Protect and Promote Human Rights? The EU Non- Financial Reporting Directive

Dr Johanna Hoekstra, Lecturer in Law at the University of Essex, published an article with Professor Olga Martin-Ortega, Director of the Business, Human Rights and Environment Research Group at the University of Greenwich, entitled Reporting as a Means to Protect and Promote Human Rights? The EU Non- Financial Reporting Directive. The article was published in November 2019 in Vol 44 of the European Law Review.

The paper analyses the adoption and content of the EU Non-Financial Reporting Directive 2014/95 (NFR Directive) in the context of current developments to protect and respect human rights through corporate human rights due diligence and transparency legislation and considers the potential role of the reporting obligations of the Directive in the wider debate regarding human rights reporting. The analysis presented in this article makes clear that the NFR Directive is not designed to protect and promote human rights.

The NFR-Directive entered into force in 2014 and was transposed by all Member States in December 2016. Non-financial reporting builds on corporate financial reporting and requires corporations that meet certain criteria with regards to income and size to publish a statement on policies and procedures regarding environmental protection, social responsibility and employee protection, anti-corruption and bribery, diversity on boards, and human rights protection. The Directive leaves it to the company to decide on the format of the report, the extent of the information that is disclosed, and the specific issues that are included in the report. The flexible criteria on what should be reported will make it more difficult to understand the company’s impact on society in an objective manner.

The Directive includes the possibility for Member States to require integrated reporting (the financial information is published alongside non-financial information) which creates a more holistic understanding of corporate activities and for Member States to require the information in the report to be independently verified by a designed institution. Most Member States choose not to transpose this second option because of worry that the additional costs would damage the competitiveness of their companies. The NFR Directive can be placed in the developing mandatory legal framework on corporate human rights responsibilities which include reporting laws such as the UK Modern Slavery Act and human rights due diligence laws such as the French Duty of Vigilance Law.

While reporting is advocated as a measure to further corporate accountability with regards to human rights, the NFR-Directive is primarily framed as an accounting measure that is intended to stimulate economic investment through furthering transparency. The requirements in the NFR-Directive are framed in a way that they reduce the potential effectiveness of the reporting because of the flexible and general criteria and the lack of verification by an overseeing body in most Member States. This is aggravated by the divergence between the requirements of the NFR-Directive and the UN Guiding Principles of Business and Human Rights (UNGP). The 2011 UNGP are the main reference in the definition of corporate responsibilities regarding human rights and propose a three-pillar framework to address the actual and potential impact of companies on human rights: (1) the state’s duty to protect; (2) the corporate responsibility to respect; and (3) the victims’ access to remedies. As the NFR Directive was published later than the UNGP it is regrettable it did not take the reporting requirements of the UNGP as a starting point to further develop the law.

The NFR Directive differentiates between who should report and who should not report, based on the type of company and the number of employees whilst the UNGP acknowledge that all companies have a reporting obligation, although this obligation can differ depending on the sector in which the company operates. It adds that this process should draw on human rights expertise and involve meaningful consultation with stakeholders which is not part of the NFR Directive. The NFR Directive contains specific requirements as to environmental and social factors that the company should report on but uses the word “could” in relation to human rights reporting and only suggests this could include: “information on the prevention of human rights abuses.” The limited requirements mean that it is up to the company to decide on how they approach the issue. There is therefore a risk that reporting will be a mere box ticking exercise that does not involve any meaningful reporting, which to have a significant effect needs to be closely linked to due diligence.

Reporting cannot be equated with a meaningful due diligence process that identifies, prevents, mitigates and accounts for corporate impact on human rights. Reporting as the main legislative tool leaves in the hands of civil society organisations, shareholders, and consumers the task of monitoring the veracity of the information. This does not sit well with the substantive, far reaching and right holder centred concept of due diligence proposed in the UNGPs. The Directive does not recognise the consolidated approach to human rights responsibilities of businesses and there is a concern that it may limit existing social expectations expressed in soft law, including the UNGPs. This has led to a call for European legislation on corporate human rights due diligence.

Analysing the character of the Memoranda of Understanding signed by the European Central Bank

European Central Bank

In recent years the use of instruments characterised as “atypical acts” or “soft law” has proliferated in EU law. Memoranda of Understanding (MoUs) provide a good case in point as they comprise a convenient way to conclude what are perceived as non-binding agreements negotiated and adopted bilaterally by EU Institutions and third parties.

Dr Anastasia Karatzia, Lecturer in Law and Prof Theodore Konstadinides, Professor of Law have recently published an article on the nature, characteristics, and legal effects of MoUs signed between the European Central Bank (ECB) and third parties.

The article explores the practice of the ECB for two reasons: first, owing to historically making active use of MoUs, and secondly, owing to its new role of banking supervisor for the Euro area and the specific role accorded to MoUs in banking supervision. For instance, the ECB’s central role within the EU Banking Union, which requires a high level of co-operation between the ECB and national supervisory authorities, has increased the use of MoUs as co-operation tools. Taking stock of these developments, the article provides the first comprehensive mapping-out exercise of the legal nature and character of MoUs as instruments used by the ECB. It offers an empirical analysis of the respective MoUs and establishes a legal framework that should assist our understanding of their nature, operation, and legal consequences.

The authors’ full paper was published under the title ‘The Legal Nature and Character of Memoranda of Understanding as Instruments used by the European Central Bank’ in 2019 in Vol. 44 Issue 4 of the European Law Review pp. 447 – 467. It was prepared under the Legal Research Programme sponsored by the ECB. It is one of the first articles looking at the ECB’s role in signing Memoranda of Understanding beyond the context of financial assistance provided to EU Member States. Any views expressed are only those of the authors and do not necessarily represent the views of the ECB or the Eurosystem.