Adieu Dublin! But what’s next?

Introduction

On 16th September 2020, Ursula von der Leyen, the President of the European Commission, announced in a State of the Union address a New Pact on Migration and Asylum. The new pact seeks to abolish the Dublin Regulation III, in furtherance of the recommendations the Commission made in 2016, which would be replaced with an Asylum and Migration Management Regulation (‘AMR’). The pact consists of three main pillars: discouraging migration by supporting origin countries, modernising border security, and sponsoring returns procedures of asylum seekers or extending solidarity to member states experiencing exceptional migratory influx.

The Dublin Regulation III was preceded by the Dublin Regulation II (‘Dublin II’) and the Dublin Convention (‘Dublin I’). These regulations are considered the cornerstone of the EU’s harmonised system of asylum protection known as the Common European Asylum System (‘CEAS’). CEAS was established in 1999 to grant freedom, security and justice to the third-country nationals who are unable to secure legitimate protection of their state of origin. In line with the obligation of non-refoulement under the 1951 UN Refugee Convention , Article 18 of the EU Charter guarantees the right to seek asylum. For CEAS to work efficiently, a clear and workable method of state responsibility to determine asylum claims was required. To this end, Dublin II was adopted in 2003.

This blog post is divided into six parts. The first two parts focus on Dublin II, its legal framework and the irregularities that led to Dublin III. The third part is devoted to Dublin III and the problems it caused at the time of the 2015 refugee crisis. The fourth part provides a brief overview of the new pact. In the fifth and the sixth part, the author discusses the new pact and analyses the AMR in light of the normative inconsistencies in Dublin III.

Continue reading

True (Bad) Faith 2020? Part Two: Excavating the Legal Rationale for the ‘Emergency Clauses’ in the UK Internal Market Bill

Introduction: Brexit Denouement?

1 November 2020 saw the expiry of the time-limit for the United Kingdom to respond to the European Commission’s notice of infringement proceedings for breach of the EU-UK Withdrawal Agreement. On 9 November 2020, the House of Lords voted in favour of removal of the relevant clauses from the UK Internal Market Bill (UKIMB).

The denouement of this epilogic Brexit drama may be approaching. At the domestic level, the House of Commons will be faced with the decision whether or not to re-instate the ‘emergency clauses’. At the supranational level, the Commission will be faced with the choice whether to prosecute the infringement claim against the UK before the Court of Justice of the European Union (CJEU).

All of this will take place against the backdrop of attempts by the United Kingdom and the European Union to finalise a Future Relationship Agreement before the end of the transition period on 31 December 2020.

This post follows up the legal analysis of the Commission’s claim of breach of good faith on this blog. The objective is to analyse the UK government’s justifications for providing itself with a permission to breach the Withdrawal Agreement.

The hypothesis is advanced that the UK government has based its policy on an interpretation of Article 5 of the Protocol on Ireland/Northern Ireland (NIP) that would enable the EU to enforce its customs law on all goods movements from Great Britain (GB) to Northern Ireland (NI), rather than such EU law only being triggered by the limited condition of onward movement into the EU single market.Continue reading

“Schrems III”? First Thoughts on the EDPB post-Schrems II Recommendations on International Data Transfers (Part 3)

Three Scenarios for the Way Forward (and a Recommendation)

Despite the very short available time, I have tried in Part 1 and Part 2 of this article to carefully review the EEGs and Supplementary Measures guidelines. Based on my review, there are two central conclusions that emerge from the EDPB publications on November 11:

(1) Third countries might rarely if ever meet the EEG requirements. This means that, beyond the 8 sovereign States/12 entities that have the opportunity of benefiting today from an EU adequacy decision, few other countries might be considered as offering a protection “essentially equivalent” to that offered by EU law.

(2) If third countries are not considered as “adequate/essentially equivalent”, then data transfers to them are lawful only if supplemental measures are adopted by the data exporter. The EDPB Guidance seems nonetheless to prohibit almost all such transfers when the personal data is readable in the third country.

Perhaps other commentators will find ways to reach a different conclusion. If not, however, then the implications of the EDPB position in its current writing might be: regular transfers to third countries are almost always unlawful if the personal data can be read in the third country.

As the world cannot suddenly stop moving nor international trade end as a result of Schrems II and the EDPB Recommendations, there are in reality at least three possible scenarios/solutions for the future. There might also exist other scenarios. I will present here only the ones which seem more probable to me. These scenarios are not independent from one another, but could be easily combined. I will end by detailing an important first recommendation in view of the expected update of the guidelines by the EDPB after November 30, 2020.

Continue reading

“Schrems III”? First Thoughts on the EDPB post-Schrems II Recommendations on International Data Transfers (Part 2)

In the first part of this analysis, published here, I explained why a great number of third countries might not meet the “Essential European Guarantees” (EEG) as set forth by the EDPB. In the second part of this paper I will assess the important difficulties entities will face in using supplementary measures that would enable transfers to countries that lack such guarantees. Tomorrow morning the ELB will publish the final part of this article which includes a discussion of three possible scenarios for the way forward and an important first recommendation in view of the expected update of the guidelines by the EDPB after November 30, 2020.

Part 2

“Only Non-Readable Data Can Be Exported”  

Thoughts on the EDPB’s Recommendations on Supplementary Measures

On July 16, 2020 the CJEU mostly closed the door on personal data being allowed to leave Europe without an adequacy decision, but left some windows open to enable data to find their way out of the bloc. Following several letters from industry protesting that Schrems II could have a “massive negative impact” on the European and World Economy and inviting the EDPB to be flexible enough (see for instance this, this, this and this), some might have hoped that the EDPB would open more windows. In its Recommendations on Supplementary Measures, adopted on November 10, 2020, the EDPB not only did not do so, but it also closed most of the windows that might have remained open following the CJEU judgment. To sum up, the EDPB’s guidance clearly indicates that no data transfer should take place to non-adequate/non-essentially equivalent countries unless the data is so thoroughly encrypted or pseudonymised that it cannot be read by anyone in the recipient country, not even the intended recipient.

There are at least three striking features in the EDPB Recommendations on Supplementary Measures that deserve closer attention.

Continue reading

“Schrems III”? First Thoughts on the EDPB post-Schrems II Recommendations on International Data Transfers (Part 1)

No, there has been no new “Schrems” judgment from the CJEU. But the publication of the post-Schrems II “Recommendations” by the European Data Protection Board (EDPB) on November 11, 2020, is such a huge aftershock than one could mistake it for an entirely new earthquake shaking the international data transfer system.

After the Court of Justice of the EU (CJEU) in Schrems II on July 16, 2020 (analysed here, here and here in the blog) almost closed the door on personal data being allowed to leave Europe, some might have hoped that the EDPB would open several windows to enable the data to find its way out of the bloc. It did not. When one reads its “Recommendations on Supplementary Measures”, it appears that any transfer of the personal data of Europeans to countries that do not benefit from an EU adequacy decision will be extremely difficult – the principal permitted mode of export is to encrypt the data so thoroughly that it cannot be read by anyone in the recipient country, even the intended recipient. Furthermore, one wonders how many surveillance laws around the world meet the requirements of the “European Essential Guarantees for Surveillance Measures” (EEG Recommendations), also published on November 11 by the EDPB. For the thousands of companies and other data controllers or data processors around Europe faced with the herculean task of assessing whether countries to which they wish to transfer personal data meet the EEG requirements, here is some quick advice: start with the assumption that, in principle, they don’t!

I will not summarize here the two lengthy documents issued by the EDPB (54 dense pages!). This has already been carried out very well by Caitlin Fennessy here or in the EDPB’s own press release. Suffice it to explain that the EDPB adopted two complementary documents:

First, it issued the “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” (“Recommendations on Supplementary Measures”). This guidance had been eagerly expected since Schrems II. In fact, the CJEU referred to the possibility that, even if the importer’s national laws do not offer an “adequate” and “equivalent” level of protection in relation to government access to data, international transfers could still take place if the data controller puts in place “additional safeguards” or “supplementary measures” to ensure the protection of the data transferred by other means. This is an absolutely key concept, as it is the only way to continue regular[1] data transfers from the EU to the US and also to a great number of other countries which, like the US, very probably do not offer what the Court would recognize as an “equivalent” level of protection. The EDPB “Recommendations on Supplementary Measures” propose a step-by-step roadmap for implementation, and include six steps[2] that all data controllers and data processors should follow before transferring data. Even more important than the description of these six steps, is the 17 page-long Annex 2 to the Recommendations which provides a “non-exhaustive” list of “examples of supplementary measures” considered by the EDPB to be acceptable sometimes for data transfers and not acceptable at other times.

The second document published by the EDPB is the “Recommendations 02/2020 on the European Essential Guarantees for surveillance measures” (“EEG Recommendations”). The objective of these (updated[3]) EEG Recommendations is to provide data exporters with a guide, based on the two European Courts’[4] jurisprudence, in order to determine whether foreign countries surveillance laws meet the European human rights requirements.

The two EDPB “Recommendations” require much more careful study. I will offer here just a few quick thoughts, as a follow-up to my previous analysis of Schrems II in this blog. Part I of this article will feature some preliminary commentary on the “EEG Recommendations” which look like a kind of “Surveillance Laws Survival Guide”. Part II, which will be published shortly, will focus on the “Recommendations on Supplementary Measures” and will argue that the EDPB’s approach appears excessively restrictive and sets the bar so high that it will be extremely difficult to reach. Lastly, a conclusion will present three possible scenarios for the way forward.

Continue reading

Access to Justice in Environmental Matters in the EU Legal Order – Too little too late?

Introduction

Access to justice in environmental matters at the EU level is significantly restricted. This is partly due to the narrow interpretation of standing requirements by the Court of Justice of the EU (CJEU) in annulment procedures under Article 263(4) TFEU, which has virtually excluded environmental NGOs, and partly due to the narrow scope of the internal administrative review procedure under Regulation (EC) 1367/2006 (the so-called ‘Aarhus Regulation’). This led the Aarhus Convention Compliance Committee (ACCC) to conclude in 2017 that the EU is not in compliance with its obligations on access to justice under Articles 9(3) and 9(4) of the Convention. Since then, the European Commission has taken multiple steps, initially to qualify the findings of the ACCC and subsequently to explore options to improve access to justice in environmental matters in the EU legal order.

This post discusses the European Commission’s most recent attempt to address these issues. Specifically, on 14 October 2020, the European Commission published (a) a proposal to amend the administrative review procedure under Regulation 1367/2006, and (b) a Communication on improving access to justice in environmental matters in the EU and the Member States. The post explains the proposed amendments to the Aarhus Regulation, highlighting which aspects of the ACCC findings it does and which ones it does not address. It also outlines the main priorities in the Commission’s Communication, which place considerable emphasis on access to justice via the national courts.Continue reading

Bulk data interception/retention judgments of the CJEU – A victory and a defeat for privacy

Introduction

On 6 October 2020, the Court of Justice of the European Union (CJEU, the Court) delivered its judgments in Case C-623/17, Privacy International, and in Joined Cases C-511/18, La Quadrature du Net and Others, C-512/18, French Data Network and Others, and C-520/18, Ordre des barreaux francophones et germanophone and Others (referred to as La Quadrature du Net and Others). Both judgments continue the long line of case-law on the secondary use of personal data by intelligence services and law enforcement agencies, in particular traffic and location data initially collected by service providers for commercial purposes (see in particular Joined Cases C‑293/12 and C‑594/12 Digital Rights Ireland, Joined Cases C-203/15 and C-698/15 Tele 2, Opinion 1/15 of the Court on the draft EU-Canada PNR Agreement, Case C-207/16 Ministerio Fiscal).

While the Court in both judgments decides on landmark cases, which have a number of commonalities, and were heard in a joint hearing in 2019, their nature and outcome are quite different. On one hand, Privacy International is an easy victory for the right to privacy and data protection. The Court unequivocally confirms that the state authorities are not allowed to intercept personal data, originating from commercial operators, in bulk. La Quadrature du Net and Others on the other hand, is a complex victory for the law enforcement community and a major step back in the Court’s data retention jurisprudence.

The two-decades-long conflict between the law enforcement and the privacy communities is still ongoing[1]. In what follows, I therefore decided to briefly present the facts of the case and then to divide the main outcomes of the two judgments in three victories for one or the other camp, without pretensions to be exhaustive on every single point of the judgments.

Continue reading

The European Commission’s Rule of Law Report: a key tile in the mosaic of rule of law protection in the EU

Will the newly launched Report strengthen the already existing toolkit of the European Union to prevent and resolve violations of the rule of law in Member States?

On the 30th of September, the European Commission released its long-awaited first EU-wide annual “Rule of Law Report” on the situation of the rule of law in the European Union. The Rule of Law Report is one of the major initiatives of the Commission’s Work Programme for 2020, and part of the comprehensive European Rule of Law Mechanism announced in the Political Guidelines of the President. The goal is to focus on improving understanding and awareness of issues and significant developments, identifying rule of law challenges and helping Member States find solutions with support from the Commission and the other Member States, as well as stakeholders including the Venice Commission. Largely as a response to the so-called democratic backsliding, the Commission assembled portfolios on every Member State, covering four main pillars: national justice systems, anti-corruption frameworks, media pluralism and freedom, and other institutional issues related to the checks and balances essential to an effective system of democratic governance.

The first Report found that the rule of law is facing important challenges in some Member States, notably Hungary and Poland where the judicial systems are under threat. The report also voiced concerns about the independence of the judiciary and corruption in Bulgaria, Croatia, the Czech Republic, Hungary, Malta, Romania and Slovakia. Unsurprisingly, Hungary immediately dismissed the report as irrelevant and biased, arguing that they are being unfairly targeted, while the European Union has been accusing both countries of violating rule of law standards for years and pursuing sanction procedures against them.

The expectations on the new Rule of Law Report have been especially high with regard to cases like Hungary and Poland. Nevertheless, sanctions and grandiose commitments for action – to which the Report admittedly falls short – are not the only tools to combat the rule of law crisis. While, indeed, intervention and problem-solving lie in the one side of rule of law protection, on the other side, rests pre-emptive monitoring. In this context, the Report should be welcomed, as a crucial tile in the monitoring effort, but also as a significant contribution to problem-solving, and as a good precedent for more initiatives, such as the preliminary agreement to tie access to EU funds to respecting the rule of law.

Continue reading

X