Research Associate, Centre for Judicial Cooperation, RSC, EUI
This Blog post examines the potential loopholes resulting from the two Interoperability Regulations in the legal protection of individuals targeted of a national measure taken on the basis of data retained in EU databases. The post investigates how the transitioning status of third-country nationals across borders (e.g. from asylum seeker to EU citizen) or by legal procedure (e.g. from migrant to suspect of an offence) could affect the safeguard of their rights. It explores what kind of guarantees are attached to procedures which are neither fully administrative nor fully criminal.
In the EU AFSJ law enforcement access to information systems is functional to the exchange of raw material for police and judicial investigations, which at a later stage, could become evidence at trial. Information systems are information management arrangements or activities which establish a relatively high level of informational integration for the exchange of information between organisationally independent bodies from both Member States and the EU levels. Data are increasingly integrated into informal mechanisms of transnational governance. There are multiple horizontal interactions between authorities from different Member States as well as vertical interactions between national authorities and EU agencies.
Such interactions fall within a legal panorama which is affected by major changes.
Firstly, AFSJ databases have different purposes: some purely implement migration policies, while other police and judicial cooperation in criminal matters. Law enforcement access to information systems that do not serve law-enforcement purposes, including other state-held databases and ones held by private actors, is most controversial and inter alia contrasts with the purpose limitation principle.
As argued during the Task Force and highlighted by Carrera in his contribution to this Forum, current rules on ‘interoperability’ in combination with the new rule on existing and new EU databases have gone beyond original goals and could even make a dead letter of purpose limitation. The Commission held in the proposal that the Regulation on interoperability does not include any amendment of the original purposes of data systems, nor adds any new category of data to be stored. In fact, interoperability of information systems in the AFSJ was allegedly meant to spot individuals registered in EU databases with different identities. However, even before the enactment of the two Interoperability Regulations, the EU legislature introduced new databases and gradually extended the use and accessibility of existing databases such as Eurodac (as highlighted by Quintel in her contribution to this Forum) and the SIS. The interoperability framework could thus result in the by-passing of existing national safeguards against misuse or unlawful access to data.
Secondly, this function creep has an impact on the applicable legal regime (in terms of jurisdiction) and also in terms of legal procedure (e.g. administrative/criminal). The purpose for which data are gathered, processed and accessed is crucial, not only because of data protection rules but because it links the information/data with a different stage of a (criminal or administrative) procedure to which a set of guarantees are (or not) attached, and thus has serious consequences for the rights of individuals (including access, appeal and correction rights). Such differences also have an impact on the potential use of information both at national and EU level: information used for identification purposes (the focus of customs officers); or only for investigation purposes with no need to reach trial (the focus of intelligence actors); or for prosecution purposes (the focus of police authorities). The interoperability framework could thus result in the by-passing of existing national safeguards against misuse or unlawful access to data.
Thirdly, the concept of “law enforcement” is increasingly defined in terms of finalities with reference to the nature of their activities. It thus increasingly encompasses any authority which is competent for conducting a crime investigation or a criminal intelligence operation. This may include the exchange of information between police, customs and even immigration services. These authorities can exchange information or intelligence directly between them, as long as their activity has a link with crime and as long as they exchange the information or intelligence outside the evidence phase, which would otherwise require the authorisation of an independent judicial authority. The notion of “law enforcement” is linked to the use that is made of the information, not to the category of body exchanging the information. If there is (suspicion of) a link with a criminal offence, then the competent national authorities can exchange information for the purposes of preventing, detecting and repressing criminal offences. Such interpretation broadens the scope of information sharing, clearly involving also national security issues.
Fourthly, the concepts of territory and jurisdiction themselves are also redefined in a world of borderless data. Data are intangible and un-territorial. While data crosses borders and can be accessed and used by several persons at the same time in different places, law enforcement authorities seek to access data with reference to a specific territory. National courts can in principle review the decision making by public authorities from the same jurisdiction. Because of the horizontal data sharing enabled by increasingly interoperable EU databases, public authorities may rely in their decision making on data containing not only statements of facts (a raw description of person’s actions) but also legal assessments (the qualification of a person as posing a potential threat to public security).
Such data are provided by public authorities from different jurisdictions, whereas they might not have been amenable to judicial review in the State of origin. Moreover, it is unclear whether and to what extent public authorities of one Member State are authorized under applicable EU legislation to verify the facts and challenge legal assessments made by authorities of another Member State. What follows is a significant jurisdictional loophole impairing the right of individuals to effective legal protection and, consequently, the rule of law.
The requirements formulated by the CJEU with reference to the principle of effective legal protection provide a framework to analyse the problems that the use of EU databases may generate in practice, with reference to effective legal protection. Firstly, do individuals have any procedural rights when their data are inserted into databases and, if so, when are these rights triggered? In particular, should individuals be heard before data are inserted and should they receive a statement of reasons supporting the decision to insert their data? Or should they benefit from such procedural rights only when a final measure affecting their legal position is adopted (e.g. as a visa refusal), possibly by the law enforcement authority of a Member State different from the one that has inserted the data?
Secondly, when should the individuals have access to judicial review: when their data are inserted into a database or only when a final decision is adopted? Thirdly, what should be the scope and intensity of judicial review? Should the Court reviewing a final measure examine the factual basis of underlying data even if they come from a foreign authority? In such a case, would the court trespass its jurisdictional limits? Can the courts of a Member State review acts seeking to affect the legal position of individuals issued by authorities of another Member State? And more broadly, what are the consequences of a national court ruling on the unlawfulness of a foreign administrative act?
The main question is whether entries to EU databases may amount to administrative acts determining the rights and obligations of individuals that should therefore trigger the application of the right of defence and good administration. In other words, should such entries be considered as acts binding upon other authorities? If not, what subsequent acts trigger the right of access to judicial review?
The regulations on interoperability do not introduce new rights to judicial protection – the relevant provisions from acts governing the individual systems apply – except for Article 48 on the Multiple Identity Detector (MID). Article 48(1) repeats the rights to judicial protection (access, correction/deletion of data, and then judicial review) guaranteed by the GDPR and the Directive on data processing for law enforcement purposes.
However, the main problems with these rights is that individuals do not even know when their data are processed by law enforcement authorities: they do not know when to challenge their processing. If SIS now becomes interoperable their data may be processed even further. Thus, individuals know even less, and their chance to exercise rights is potentially hindered.
By virtue of Article 48(2) and (3), an individual may apply to a Member State’s law enforcement authority for data correction and, in case this Member State’s competent authority is not responsible for ‘manual verification’, it contacts the responsible authority of another Member States that checks the accuracy and make corrections. Under Article 48(7), if this authority disagrees, it will adopt an ‘administrative decision’. This entails its duty to state reasons and, by virtue of Article 48(8) includes information on the right to judicial protection or appeal to a data protection authority. Could one consider that this amounts to an expressly provided right on effective judicial protection? What remains unclear is yet how individuals become aware of the processing that triggers their rights under Article 48.
There are a number of gaps in the system, the EU Charter provides for a right to effective legal remedy and judicial review is all the more integrated within the EU. However, as argued by Catanzariti in her contribution to this Forum, procedural guarantees de facto still depend on national legal systems and applicable procedures, and at times vary on a case by case basis. Will it ever be different? Does the EU even have competence in the matter for harmonisation purposes? Moreover, there is an informal (de facto) expansion of EU competence in information sharing (not only in police cooperation but also touching at the realm of intelligence), which is however not compensated by an extensive framework for the safeguard of the right for an effective legal remedy.
Finally, as the contribution by Groenendijk in this Forum highlights, one has to consider whether the position of a TCN is different from that of EU citizens with reference to legal protection, and especially effective legal remedy. Can one say that third country nationals applying for visa/asylum should not have right to effective judicial protection?
The situation is more straightforward in EU law than under the ECHR because there is no distinction similar to that between Article 6 and 13 ECHR. Article 47 of the EU Charter requires an effective remedy and a fair trial before an independent and impartial tribunal established by law. It is therefore usually assumed that Article 47 introduced a higher standard of legal protection inasmuch as it does not consider an effective remedy from a non-judicial body to be sufficient.
However, in El-Hassani Advocate General Bobek considered a possibility in interpreting the applicability of Article 47 of the EU Charter in a way resembling the restrictive applicability of Article 6(1) and 13 ECHR. The case concerned the requirement of an appeal against decisions rejecting requests for Schengen visas. The text of Article 47 of the EU Charter guarantees the right to an effective remedy and a fair trial when “right of freedoms” guaranteed by EU law may be violated. In AG Bobek’s opinion, Article 47 of the EU Charter guarantees the said right only when interested individuals can indicate a specific substantive provision of EU law conferring upon them a ‘right or freedom’, just like the right under Article 6(1) ECHR applies only when a “civil right” or a “criminal charge” is at stake and Article 13 ECHR applies when other substantive Convention rights are at stake.
The Court did not take the way suggested by AG Bobek. It simply held that for the applicability of Article 47 of the EU Charter it suffices that national authorities apply EU law, for instance the Visa Code, vis-à-vis individuals. The judgment confirms the right to effective judicial protection of third-country nationals applying for visa. The case law relating to visa cases is therefore in line with case law recognising the right to effective judicial protection for third-country nationals who are asylum seekers in the EU.