Friday, 25 May 2018

Right to erasure (right to be forgotten) under the GDPR – the danger of “rewriting history” or the individual’s chance to leave the past behind

Ketevan Kukava, PhD Student in Law, Tbilisi State University

In the internet age, when vast amount of information can be stored indefinitely and can be easily retrieved by means of a mouse click, controlling one’s personal data seems a particularly difficult task to do. Complete erasure of data from digital memory once it becomes publicly available is questionable from technological and practical point of view. As a result, the burden of remembering past events and behavior after they have lost their relevance and permanent digital accessibility of information can have significant implications for individuals at the present time.

While the internet and digitization has brought about huge benefits in terms of access to wide range of information, content-creation and public dissemination, its major downside is losing control on one’s personal data and the difficulties related to forgetting.  In his book “Delete: The Virtue of Forgetting in the Digital Age” Viktor Mayer-Schoenberger points out:

“Since the beginning of time, for us humans, forgetting has been the norm and remembering the exception. Because of digital technology and global networks, however, this balance has shifted. Today, with the help of widespread technology, forgetting has become the exception, and remembering the default“.

The debate over achieving a balance between privacy and freedom of expression has reached its highest level in the internet age. Some argue that removing lawfully published information from search results might pose the risk of Orwell’s dystopian history-rewriting. However, on the other hand, individual’s interest in controlling their personal data, leaving the past behind, and removing the past burden should not be underestimated.  

The General Data Protection Regulation (GDPR), which will become applicable on 25 May 2018, tries to answer the challenges emerged as a result of technological advancements in the digital age. Apart from ensuring uniform rules regarding personal data protection throughout the European Union (as the directive 95/46/EC by its nature left certain leeway to the states in terms of its implementation), the GDPR provides some additional guarantees, such as a clearer formulation of the right to erasure (right to be forgotten) which is probably one of the most controversial and hotly debated issues within the scope of the GDPR. Right to erasure (right to be forgotten) guarantees deletion of data when an individual no longer wants their data processed and there is no legitimate reason to keep it.

Although Directive 95/46/EC does not explicitly guarantee “the right to be forgotten”, in the widely known Google Spain judgment the Court interpreted legal provisions of the Directive in such way which made it possible to satisfy the data subject’s complaint. In particular, the Court relied on data subject’s right of access to data (the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive) as well as data subject’s right to object, which obliged the operator of a search engine to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person.

Right to erasure (“right to be forgotten”) guaranteed by Article 17 of the GDPR empowers the data subject “to obtain from the controller the erasure of personal data concerning him or her without undue delay”, and obliges the controller “to erase personal data without undue delay”. This provision is applicable when certain grounds determined by the Regulation exist, including when the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing.

One of the basis for erasing personal data is the data subject’s objection to the processing when there are no overriding legitimate grounds for the processing (Article 17(1)(c)). Notably, in such case the obligation of demonstrating compelling legitimate grounds is imposed upon the controller. While according to the Data Protection Directive, the data subject had to demonstrate “compelling legitimate grounds relating to his particular situation” and processing should no longer involve those data in case of a justified objection (Article 14(a)), according to the GDPR, “the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims” (Article 21(1)).

Article 17 of the GDPR imposes obligations upon the controller which according to the definition provided in Article 4 “alone or jointly with others, determines the purposes and means of the processing of personal data.” Further, apart from erasing personal data, additional duties are foreseen by the Regulation when the controller has made the personal data public: “The controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data” (Article 17(2)). Notably, the GDPR foresees certain exceptions from the above mentioned provisions, including when processing is necessary for exercising the freedom of expression and information, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, etc. (Article 17(3)).

Despite the significance of the efforts aimed at ensuring the data subject’s control over their own personal data, the very nature of the internet and constantly developing technologies might still pose certain legal and practical challenges in achieving the aims of being forgotten. In Google Spain the Court itself stressed “the ease with which information published on a website can be replicated on other sites and the fact that the persons responsible for its publication are not always subject to European Union legislation” (paragraph 84). Indeed, once information is made publicly available, tracking personal data, controlling their further replication and their subsequent total erasure might seem practically impossible. Moreover, Google Spain is also a good illustration of the so-called “Streisand effect”, as the Spanish citizen who wanted to be forgotten ended up in publicizing his personal information more widely.

Probably, the practical difficulty of total erasure is the major rationale behind the focus of the GDPR on taking reasonable steps and obliging the controller to communicate erasure of personal data “to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort” (Article 19).

One of the important issues related to the enforcement of the right to be forgotten is the territorial scope of the Regulation and its applicability to companies incorporated outside the EU. Similar to the Data Protection Directive, the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller in the Union. Furthermore, the Regulation explicitly stresses that this rule is applicable “regardless of whether the processing takes place in the Union or not” (Article 3(1)).  According to Recital 22, establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.

Additionally, the GDPR determines that the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union are subject to the GDPR where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union (Article 3(2)).

Therefore, companies based outside the EU are not released from data protection obligations imposed by the GDPR when offering goods or services, or monitoring behavior of data subjects within the EU, which ensures significant extraterritorial reach of the GDPR.

Broad territorial scope of the GDPR together with high administrative fines in case of infringements of the Regulation (Article 83) is viewed as a strict regime by privacy sceptics and has given rise to a debate. However, on the other hand, there is no doubt that the legal framework should be adjusted in order to answer modern-day privacy challenges. In parallel with technological developments, privacy concerns increase which necessitates the emergence of appropriate safeguards and legal regulation.

Proportionality remains the significant principle which is explicitly guaranteed by the GDPR. In particular, Recital 4 declares that “the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.” Furthermore, Article 85 of the GDPR refers to exemptions and derogations for processing carried out “for journalistic purposes and the purposes of academic, artistic or literary expression” if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information.

When enforcing the right to be forgotten in the online world, important questions arise whether the information should be removed globally. Google Spain judgment and its legal implications are of particular significance in this regard. In response to the requests submitted regarding removing certain URLs, Google started to delist links from all European versions of Google Search (like,,, etc) simultaneously. Moreover, Google also started to use geolocation signals (like IP addresses) to restrict access to the delisted URL on all Google Search domains, including, when accessed from the country of the person requesting the removal. However, the French data protection authority required Google to apply the right to be forgotten to all searches on all Google domains. Following the reference by French court, the Court of Justice has to decide on the question whether the ‘right to de-referencing’ be “interpreted as meaning that a search engine operator is required, when granting a request for de-referencing, to deploy the de-referencing to all of the domain names used by its search engine so that the links at issue no longer appear, irrespective of the place from where the search initiated on the basis of the requester’s name is conducted”. It should be noted that the global removal of information might produce negative consequences worldwide. As stressed by Google, “how long will it be until other countries - perhaps less open and democratic - start demanding that their laws regulating information likewise have global reach?”

Guaranteeing the right to erasure under the GDPR cannot be considered as a silver bullet answer to the risks and challenges of the internet age, however, the value of the overall aim of the regulation – increased control of individuals of their personal data - should not be underestimated. Can we have a realistic expectation of privacy online and how much valuable information might be lost in translating legal requirements into practice? – Probably these questions gain more and more relevance, and necessitate taking due account of the very nature and the challenges of the internet age.

Photo credit: PR Week

Thursday, 24 May 2018

Data Retention incompatible with EU law: Victory? Victory you say?

*Photo credit:  

Matthew White, PhD candidate Sheffield Hallam University


On 27 April 2018, the High Court in Liberty v Secretary of State for the Home Department and Others [2018] EWHC 975 (Admin) ruled that Part 4 (retention of communications data) of the Investigatory Powers Act 2016 (IPA 2016) was incompatible with the European Union’s (EU) Charter of Fundamental Rights (CFR). They did so in holding that access to retained communications data was not limited to the purpose of serious crime, and it was not subject to prior review by a court or an independent administrative body. Liberty regarded this ruling as a landmark victory for privacy rights. This blog post questions this assertion by critically analysing the High Court’s judgment with regards to the specific aspect of data retention.

Ignore the European Convention on Human Rights at your peril:

In the second paragraph of the High Court’s judgment, it was acknowledged that the judicial review proceedings concerned not only the CFR but the European Convention on Human Rights (ECHR). The High Court, however, proceeded to only consider the former. This omission will become more important throughout this post.

Does not concern the content of communications?

The High Court acknowledged that retention notices under s.87(1) of the IPA 2016 affects a wide range of private information to do with communications, but not their content e.g. emails and texts [3]. Emails and texts are of course, but one example of content, however, some argue that communications data are equally (Elisabet Fura and Mark Klamberg, ‘The Chilling Effect of Counter-Terrorism Measures: A Comparative Analysis of Electronic Surveillance Laws in Europe and the USA’ (2012) Wolf Legal Publishers, Oisterwijk 463, 467) or more revealing (Alberto Escudero-Pascual and Gus Hosein, ‘Questioning lawful access to traffic data’ (2004) Communications of the ACM 47:3 77, 82). This is precisely why the UN Office of the High Commissioner for Human Rights (OHCHR) felt such distinction is no longer tenable (para 19). It was even demonstrated by iiNet that content is embedded in communications data in sites like Twitter and Facebook.

Moreover, the High Court considered s.87(1) of the IPA 2016 in isolation to, for example, s.87(4)(d) which prevents retention notices from requiring telecommunications operators to retain data which is not used by them for any lawful purpose. Lawful purpose is not defined in the IPA 2016, but s.46(4)(a) of the IPA 2016 allows (by regulation, s.46(1) and (2)) any business to conduct interception if it constitutes a legitimate practice reasonably required for the purpose, in connection with the carrying on of any relevant activities for the purpose of record keeping. Section 46(2)(b) includes communications relating to business activities, and this could allow interception for ‘business purposes.’ This would square with the Home Office’s position in 2009 where they noted that deep packet inspection (DPI) ‘is a term used to describe the technical process whereby many communications service providers currently identify and obtain communications data from their networks for their business purposes’ (p15). DPI enables Internet Service Providers (ISPs) to access information addressed to the recipient of the communication only, this requires the interception of communications data and content (para 32). This could legitimise practices such as those that occurred in the Phrom scandal where BT, TalkTalk and Virgin Media made a deal with Phorm to covertly intercept traffic of their customers. Whether it does or does not permit Phorm-like activities, is not the pressing issue at hand, it’s the allowance of intercepted data to be retained (para 125, p1104) which would constitute a lawful purpose under s.87(4)(d) of the IPA 2016. This highlights that the High Court’s focus on s.87(1) blinds them to the realities of communications data being just as, if not more serious than content, and in any event, content could be retained.

Appropriate remedy and the potential chaos that could ensue?

The High Court highlighted the dispute between the Defendants and the Claimants as to the appropriate remedy, where the former felt no more declaratory relief was necessary [32] because it was already conceded that elements of Part 4 were inconsistent with EU law [31], [38]. There was also a dispute as to the period of suspension should the High Court disapply Part 4 [32]. Despite this acknowledgment of the Defendants, they were of the position that Part 4 should continue as it currently is until it is amended by Parliament [40-1]. The Claimants advocated for a suspended disapplication, this for the High Court:

[W]as a realistic and fair acknowledgement that, in this context, it cannot reasonably be expected that there should, immediately, be no legislation at all in place allowing retention of data that is needed to apprehend criminals or prevent terrorist attacks [42].

The High Court noted that whatever remedy it granted, it should not have the effect of ‘immediately disapplying Part 4 of the 2016 Act, with the resultant chaos and damage to the public interest which that would undoubtedly cause in this country’ [46]. The use of ‘chaos’ was in reference to the Defendants who argued that disapplication was a recipe for chaos [75].

A reason why the High Court preferred not to disapply Part 4 immediately was because there would be no data retention laws in place to aid in the fight against crime and terrorism. This is not actually true, the Budapest or Cybercrime Convention has had legal force in the UK since 1 September 2011. This mainly concerns crimes committed via computer networks, but Article 14(2)(c) allows the UK to adopt measures to collect evidence in electronic form of a criminal offence. This does not appear to limit offences to those described in Articles 2-11. Moreover, Article 16 provides for data preservation, which is the alternative to data retention. This is not the only option available to the UK as discussed below. The High Court’s position is essentially a strawman because immediate disapplication was not argued, and in any event, would not be true if Part 4 were to be disapplied.  

The High Court refers to ‘chaos’ and ‘damage’ to the public interest without explaining why and in what ways this would be possible by disapplying Part 4. The language used by the High Court needs to be critically analysed. Prior to the Data Retention and Investigatory Powers Act 2014 (DRIPA 2014), communications data retention had been voluntary under s.102(1) of the Anti-terrorism, Crime and Security Act 2001 (ACTSA 2001), though the Data Retention (EC Directive) Regulations 2007 and 2009 required data retention to a lesser extent. Previous attempts at mandatory data retention, notably the draft Communications Data Bill (dCDB) in 2013 was halted by the then Coalition partners to the Conservatives, the Liberal Democrats. There was no chaos, or damage to the public interest prior to DRIPA 2014, when data retention was voluntary nor when the dCDB was rejected. When the High Court in Davis and Others v Secretary of State for the Home Department and Others [2015] EWHC 2092 (Admin) dispplied s.1 of DRIPA 2014, albeit delayed for eight months [122], they felt it appropriate to give Parliament enough time to scrutinise and pass new laws[121], and not because of the chaos and damage that would ensue due to immediate disapplication.   

The High Court’s position seemingly acts upon the assumption that if data retention obligations are immediately disapplied, there would be no communications data to be accessed. This is simply not the case when one considers one of the biggest telecommunications operators in the world, Google, who store ‘your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls.’ The legal basis of this is questionable, but the fact remains, such communications data could still be accessed under s.61 of the IPA 2016 where a designated senior officer of a relevant public authority could obtain communications data, whether it exists at the time or not, meaning they could require a telecommunications operator to retain communications data on an forward looking basis (para 177). This authorisation process is however, subject to change, requiring authorisation by the Investigatory Powers Commissioner, but the fact remains, the power is unchanged. Moreover, Part 6, Chapter 2 of the IPA 2016 allows for the bulk collection of communications data by intelligence services.

The High Court referred to the Government swiftly enacting DRIPA 2014 [12]. What they did not mention was that following Digital Rights Ireland and the Court of Justice of the European Union’s (CJEU) invalidation of the Data Retention Directive (DRD), the Government did nothing for three months. The High Court in Davis and Others noted there was not a clear legal basis for the 2009 Regulations and thus some telecommunications operators were considering deleting retained communications data [45-6]. For three months, the Government must have known this was a possibility, but did nothing, then rushed DRIPA 2014 through Parliament with indecent haste in three days (Niklas Vainio and Samuli Miettinen, ‘Telecommunications data retention after Digital Rights Ireland: legislative and judicial reactions in the Member States’ (2015) International Journal of Law and Information Technology 23:3 290, 304).

Finally, the High Court refers to the ‘public interest’ without mentioning what aspects they mean. Is it the public interest in fighting serious crime and stopping terrorism? Even if this is what the High Court meant, they did so without acknowledging that privacy in and of itself is a public interest. This is specifically mentioned in s.2(2)(d) of the IPA 2016. Regan regards privacy as having public value because it is necessary to the proper functioning of a democratic political system (Priscilla M. Regan, ‘Legislating Privacy, Technology, Social Values and Public Policy’ (The University of North Carolina Press 1995). The then Labour Government even acknowledged that ‘that the protection of privacy is in itself a public service.’ Privacy is a prerequisite for liberal democracies because it sets limits on surveillance by acting as a shield for groups and individuals (Alan F. Westin, Privacy and Freedom, New York: Atheneum (1967), 24). Moreover, privacy underpins freedom of expression, religion, thought and conscious and assembly/association. Furthermore, privacy is not just an individual right nor does data retention just affects individuals. In Riddick v Board Mills Ltd [1977] QB 881, Lord Denning succinctly put it that:

The memorandum was obtained by compulsion. Compulsion is an invasion of the private right to keep one’s documents to oneself. The public interest in privacy and confidence demands that this compulsion should not be pressed further than the course of justice requires [p896].   

This acknowledges the public interest privacy serves, and to assume this only applies to the objectives such as fighting serious crime and terrorism is to underestimate the fundamental nature and importance of privacy.

Not general and indiscriminate data retention?

The High Court when considering whether Part 4 of the IPA 2016 permitted general and indiscriminate data retention referred to the Court of Appeal’s refusal in to apply Tom Watson and Others v Secretary of State for the Home Department [2018] EWCA Civ 70 [22-6]. The Court of Appeal’s reasoning remains unconvincing and their semantic reasoning indicates what they would have held. The Claimants before the High Court argued that Part 4 permitted general and indiscriminate data retention, and thus should be referred to the CJEU, however the Defendants argued that reading the IPA 2016 as a whole, this is not the case [120].

The High Court towed the same line as the Court of Appeal in Tom Watson and Others where they noted that the CJEU were specifically referring to Swedish law [121]. The High Court then summarises their view of the CJEU’s ruling noting that Member States:

[M]ay adopt legislation which permits decisions to be taken for the targeted retention of data which is (a) sufficiently connected with the objective being pursued, (b) is strictly necessary and (c) proportionate [124].

The High Court were of the opinion that CJEU’s judgment did not require more detailed factors which may be relevant as to the application of those tests [124]. For the High Court, it would be impracticable and unnecessary to set out in detail in legislation the range of factors to be applied with matters such as national security, public safety and serious crime [124]. It must be noted that the issue of national security is a matter that will be dealt with by the CJEU based upon the Investigatory Powers Tribunal’s preliminary reference (analysis here).

Public safety, however, is not an objective that CJEU’s considers to be capable of justifying data retention, only serious crime [102], so it is unclear why the High Court even mentions this. The CJEU does refer to serious threats to public security, but this is in regards to the links between the measure and objective evidence [111]. The High Court also does not explain why it would be impracticable and unnecessary to set out in detail the range of factors to be applied, when the CJEU themselves observed that national law must be clear and precise [109]. Not only does this raise issues with the EU law, because the Part 4 does not provide clear and precise rules (Jennifer Cobbe, ‘Casting the dragnet- communications data retention under the Investigatory Powers Act’ (2018) Public Law 10, 19), but also with the ECHR. The ECtHR have ruled that it is essential to have clear, binding [60] and detailed rules, especially as the technology available for use is continually becoming more sophisticated [229]. The reason for the ECtHR’s position is explained in Szabo and Vissy v Hungary [2016] ECHR 579:

Given the technological advances since the Klass and Others case, the potential interferences with email, mobile phone and Internet services as well as those of mass surveillance attract the Convention protection of private life even more acutely [53].

What the High Court regards as unnecessary and impracticable are actually requirements of both European Courts, with the ECtHR taking that step furthering in explaining why.

The High Court then notes that the combination of the scope and application of data retention measures and the minimum safeguards are designed to achieve effective protection against the risk of misuse of personal data [125]. Granted, the High Court are repeating points made by the CJEU [109], this approach overlooks what the ECtHR have held:

The mere storing of data relating to the private life of an individual amounts to an interference within the meaning of Article 8…The subsequent use of the stored information has no bearing on that finding [67].

The misuse of personal data is secondary to it actually being retained (and generated, see s.87(9)(b) of the IPA 2016). The High Court then distinguishes Swedish law from the IPA 2016 in that it does not require a blanket requirement requiring the general retention of communications data, because it relies upon the discretion of the Secretary of State [127]. This has already been argued to be a semantic argument ‘of distinguishing a catch all power, and a power that can catch all, which of course, in any event, amount to the same thing.’ The High Court also relies on the description that the Secretary of State will only exercise this power if it is considered necessary and proportionate, which for them, is in line with EU law [128]. But this position betrays their previous reasoning on DRIPA 2014, which had the same requirements of necessity and proportionality [47], with both parties and the High Court accepting this permitted a ‘general retention regime [65].’ A reason for this position was because the contents of a retention notice cannot be verified due to disclosure not being permitted, unless the Secretary of State permits it (see s.95(2)-(4) of the IPA 2016).

The High Court then argues that it would be difficult to conceive how the tests of necessity and proportionality could require the retention of all communications data due to the wording of ‘all data’ in the IPA 2016 [129]. This reasoning is problematic, because it relies upon the ‘surely the UK would not?’ position. As Lord Kerr observed in Beghal v Director of Public Prosecutions [2015] UKSC 49 that ‘is the potential reach of the power rather than its actual use by which its legality must be judged [102].’ This is precisely why Cobbe argues:

Retention notices may be tailored to an extent, including by requiring that only data which meets a certain description or is from a certain time period is retained. But s.87 does allow for ISPs to be required to retain "all data" indiscriminately, without differentiation, limitation, or exception, and without clear safeguards for data subject to professional confidentiality (Jennifer Cobbe, see above, 19).

As others and myself have argued, s.87(2)(a) and (b) theoretically allows for the possibility ‘all operators in the UK to be required to retain all data of users and subscribers’ (Matthew White, ‘Protection by Judicial Oversight, or an Oversight in Protection?’ (2017) Journal of Information Rights, Policy, and Practice 2:1, 26) and should be treated as a blanket and indiscriminate power (Matthew White, see above, 25; Jennifer Cobbe, see above, 18; ; Andrew D. Murray, ‘Data transfers between the EU and UK post Brexit?’ (2017) International Data Privacy Law 7:3 149, 161).

In Liberty v UK [2008] ECHR 568 the then UK Government accepted that s.3(2) of the Interception of Communications Act 1985 allowed:

[I]n principle, any person who sent or received any form of telecommunication outside the British Islands during the period in question could have had such a communication intercepted [64].

For the ECtHR, such a power was virtually unfettered [64], and violated Article 8 for not being in accordance with the law [70]. Furthermore, the High Court’s reasoning acts on the assumption that the only way Part 4 could be unlawful is if it did permit or made it possible for the retention of all communications data. This is simply not true as seen in the case of Liberty above, where this did not even concern communications within the UK, moreover in S and Marper [2008] ECHR 1581 the GC ‘ruled that general data retention, even on a specific group of individuals (suspects and convicts) violated Article 8.’

The High Court then also incorrectly claims that s.87(2)(b) of the IPA 2016 relates to a ‘description of data’ and not just to ‘all data’ [129] when the actual words are ‘any description of data’ which simply means any and/or all data could be retained. The High Court makes the same mistake with regards to telecommunications operators in that a retention notice may relate to a particular operator or to a description of operators [129] when, again the operative word in s.87(2)(a) is any description of operators. The suggestion here is that if a retention notice is issued on one telecommunications operator (because s.87(2) ‘list[s] the elements which may be used when delineating the content and scope of a retention notice so as to satisfy the necessity and proportionality tests in any particular case [129]’, this would be alright. If one uses BT as an example, with over nine million broadband subscribers, would a retention notice on BT to retain all this communications data sit well with the High Court? After all, BT is but one telecommunications operator, has a large subscriber base, but crucially not all of them, and the subscriber’s communications data does not amount to all the communications data that could be retained in the UK. In fairness, this is as much of the CJEU’s problem as it is the High Court’s, as this is where S and Marper makes a crucial distinction, that being, data retention measures that are general and indiscriminate within a group can still be unlawful.

The High Court then refers to the 12-month retention limit [130], but this only serves to highlight the constant interference with fundamental rights as retention notices will be renewed on a yearly basis. The High Court also refers to matters to which the Secretary of State must have regard to in s.88(1) of the IPA 2016 such as the benefits of the notice, number of users affected, costs etc and must also take reasonable steps to consult the relevant telecommunications operator (see s.88(2)). Regarding the former, the Secretary of State could still issue the intended retention notice irrespective of what has been regarded, and with the latter, there is no obligation to actually consult a telecommunications operator.    

The High Court then refers to the Judicial Commissioner’s (JC) role in the approval of retention notices based on the Secretary of State’s conclusions [133]. This is problematic because there ‘is no obligation on the Secretary of State to make a full and frank disclosure and therefore, the JC and IPC could be misled (accidently or deliberately) (30)’ and could ‘be given a summary a summary of a summary of a summary of a summary of the original intelligence case (30-1).’ The GC have noted that it is essential that the supervisory body has ‘access to all relevant documents, including closed materials and that all those involved in interception activities have a duty to disclose to it any material it required [281].’ This is currently not possible under the IPA 2016. The High Court then refers to the JC’s applying principles of judicial review to authorisations [133]. The question as to whether the Wednesbury principles would apply has been subject to debate (29), but the Investigatory Powers Commissioner (IPC) themselves have noted that when human rights issues arise, the necessity and proportionality tests of the ECHR and EU law will be applied instead of Wednesbury (para 17, 19). However, this statement is only advisory and admits it is not binding (para 1), thus is not a real safeguard.

The High Court then refers to the JC’s general duties under s.2 of the IPA 2016 [133]. The first of which concerns the JC having regard to whether there are less intrusive measures to achieve the objective. There is, data preservation, but this isn’t in the IPA 2016 (unless one considers s.61 to be form of data preservation). The second concerns the level of protection to sensitive information, which is much narrower than sensitive personal data in data projection instruments as it only includes legally privileged material, journalistic sources, communications with Members of Parliament etc. The JC’s cannot have regard to sensitive information because as the Bar Council and Law Society have highlighted that the problem bulk communications data retention is that it does not prevent legally privileged data from entering the ‘pool’ in the first place (para 32). With regards to journalistic sources, United Nations Educational, Scientific and Cultural Organization (UNESCO) noted that even when journalists encrypt the content, they may neglect to encrypt the communications data which means they still leave behind a digital trail when they communicate with their sources, making them identifiable (26).

The High Court then refers to the fact that a telecommunications operator can refer a retention notice back to the Secretary of State, which again would require approval by the IPC [134]. And if the IPC approves a notice on BT to retain all the communications data of their subscribers, then what? The High Court summarises Part 4 by noting that they ‘do not think it could possibly be said that the legislation requires, or even permits, a’ general retention regime [135]. However, it was never the argument that the IPA 2016 requires a general retention regime, but that it permits the Secretary of State and JC to require a general retention regime. As the ECtHR have maintained ‘it would be contrary to the rule of law for the discretion granted to the executive or to a judge to be expressed in terms of an unfettered power [230].’ The question is not ‘will they’ but ‘can they.’

The High Court continues that Part 4 and s.2 requires a range of factors to be taken into account before a retention notice is issued [135]. Although it was already argued that ‘catch all’ power is not necessary for Part 4 to be deemed unlawful, it is useful to play Devil’s Advocate. Can the Secretary of State issue a retention notice on all telecommunications operators to retain all communications data if they deem it necessary and proportionate? Can a JC approve this? Can this still be the case if the telecommunications operator refers this back to the Secretary of State subject to approval by the IPC? If the answer is yes, then this highlights that all the factors that the High Court refers to does not change the operation of the power itself. If the answer is no, then the High Court is ignoring the glaringly obvious implications of a power that can be applied to all or any telecommunications operator to retain any or all communications data.

The High Court then puts its previous judgment to one side (where they agreed DRIPA 2014 permitted a general retention regime) by arguing that:

Even if that assumption were to be applied in this case, it is plain from the analysis set out above, that the 2016 Act does not permit the general and indiscriminate retention of communications data. In any event, we would add that the issue of whether a UK enactment is inconsistent with EU legislation is not to be determined by evidence from either party as to how the domestic scheme is operated in practice or might be operated. Instead, the issue is an objective question of law which turns on the proper interpretation of the two pieces of legislation [136]. 

Essentially, the High Court are saying, even if the previous judgment was correct, IPA 2016 is somehow different, despite the wording of the power in DRIPA 2014 being identical. In amazing fashion, the High Court decided that it does not really matter how the law is or might be operated, but relies upon the notion of an ‘objection question of law’ and how it is interpreted. And this is why ignoring the ECHR, if it was not made clear above is problematic because the ECtHR have consistently held that:

[T]hat the mere existence of laws and practices which permitted and established a system for effecting secret surveillance of communications entailed a threat of surveillance for all those to whom the legislation might be applied. This threat necessarily affected freedom of communication between users of the telecommunications services and thereby amounted in itself to an interference with the exercise of the applicants’ rights under Article 8, irrespective of any measures actually taken against them [168].

The High Court’s position is in contrast to the position of the ECtHR in that secret surveillance can be judged in abstracto or where an individual can claim to actually be subject of a surveillance measure. All that is required is that one is able to show that they are ‘potentially at risk of being subjected to such measures [171].’ Whether retention notices apply to all telecommunications operators to retain all communications data, or to one telecommunications operator to retain all (or even some) communications data, this allows for the ‘automatic storage for six months of clearly irrelevant data’ and ‘ cannot be considered justified under Article 8 [255].’ Even six months is unacceptable to the ECtHR (which raises serious questions as to the 12-month retention limit), this position is strengthened by Advocate General Øe, who noted that:

The disadvantages of general data retention obligations arise from the fact that the vast majority of the data retained will relate to persons who will never be connected in any way with serious crime [252].


This blog post has highlighted many flaws in the approach of the High Court with regards data retention. Part 4 of the IPA 2016 is neither consistent with the ECHR or EU law. The High Court have fallen into the same trap as the Court of Appeal did earlier this year when distinguishing a catch all power, and a power that can catch all. This post only partially deals with the judgment as the aspects of entity data and serious crime deserve posts of their own. What is just as disappointing as this judgment is the claim that it was a landmark victory, when in actual fact, the rulings against the Defendants were concessions they already made, leaving the crucial aspect of Part 4 unscathed. A wise little green man might say ‘Victory? Victory you say? Master Liberty, not victory. The shroud of data retention persists. Continue the mass surveillance will.’

Tuesday, 8 May 2018

Expelling EU citizen war criminals: no sympathy from the ECJ

Professor Steve Peers, University of Essex

If an EU citizen (or his or her family member) has been excluded from being a refugee, in what circumstances can he or she be expelled from a Member State? The ECJ clarified this issue in its K and HF judgment last week: its first ruling that touches on the relationship between EU (and international) refugee law and EU free movement law.

There’s a good reason why these two areas of law haven’t interacted previously in the Court’s case law: EU law itself tries to keep them apart. A Protocol attached to the EU Treaties, aiming to facilitate the extradition of alleged terrorists between Member States, says that in principle EU citizens cannot apply for asylum in another Member State, due to the presumption in that Protocol that each Member State ensures sufficient human rights protection.

However, there are exceptions to that general rule, and there are people it doesn’t cover. The exceptions in the Protocol are: a) the asylum seeker’s Member State of nationality invokes the “emergency” derogation from parts of the European Convention of Human Rights (ECHR); b) if the EU Council is considering whether to sanction the asylum seeker’s Member State of nationality for breaches of EU values; c) if the EU has already sanctioned the asylum seeker’s Member State of nationality for breaches of EU values; or d) if a Member State decides to do so unilaterally for another Member State’s national, in which case it must inform the EU Council and presume that the application is manifestly unfounded, without prejudice to the final decision on the application.

The people not covered by the Protocol include: EU citizens who obtained refugee status before they became EU citizens (for instance, because their State of nationality joined the EU); non-EU family members of EU citizens; those who apply for or obtain subsidiary protection status, as distinct from refugee status; and the citizens of some non-EU countries associated with the EU (Norway, Iceland, Switzerland and Liechtenstein), who have free movement rights but are not EU citizens. The recent ECJ ruling concerned people from the first two of these categories.

Exclusion from being a refugee

Some asylum seekers fail to satisfy the authorities that they meet the definition of “refugee” set out in the UN (Geneva) Refugee Convention. Quite apart from that, some asylum seekers are excluded from being a refugee under that Convention (and under the corresponding provisions of the EU’s qualification Directive), because their behaviour is considered so reprehensible that they do not deserve fully-fledged international protection, even if they are facing persecution on one of the grounds set out in the Convention. More precisely, Article 1.F of the Convention excludes:

any person with respect to whom there are serious reasons for considering that:

(a) he has committed a crime against peace, a war crime, or a crime against humanity, as defined in the international instruments drawn up to make provision in respect of such crimes;

(b) he has committed a serious non-political crime outside the country of refuge prior to his admission to that country as a refugee;

(c) he has been guilty of acts contrary to the purposes and principles of the United Nations.

The ECJ has interpreted the exclusion clause in the EU qualification Directive in its judgments in B and D and Lounani (discussed here), ruling inter alia that the second and third exclusion clauses can apply to terrorist offences, although exclusion must be assessed in each individual case, meaning that membership of a group listed as “terrorist” in EU foreign policy sanctions against terrorists does not automatically trigger the exclusion clause. Similarly, participating in a terrorist group, as defined by EU criminal law on terrorism, does not automatically trigger the exclusion clause either. Instead, there must be direct involvement by the person concerned in such offences, as further explained by the Court. Furthermore, there is no additional “proportionality” or “present danger” test for exclusion, and the exclusion clause is mandatory: ie Member States cannot assert a right to apply higher standards and give someone refugee status if they fall within the exclusion criteria. Finally, assisting with recruitment, organisation or transport of “foreign fighters” can also lead to exclusion, as it constitutes a form of “participation” in the terrorist acts covered by the exclusion clause.

However, it should be noted that even if a person is excluded from being a refugee, they are still protected against being removed to a country where they would face a real risk of torture or other inhuman or degrading treatment, according to the case law on Article 3 ECHR and the corresponding Article 4 of the EU Charter of Fundamental Rights. The ECJ reaffirmed as much recently in its judgment in MP (discussed here). But this non-removal obligation falls short of refugee status (which usually follows from recognition as a refugee) because it does not entail a fully-fledged immigration status including rights like access to employment and benefits.

Expelling EU citizens and their family members

The grounds for restricting free movement rights for reasons of “public policy or public security” are set out in the EU citizens’ Directive. The basic rule is that restrictions “shall comply with the principle of proportionality and shall be based exclusively on the personal conduct of the individual concerned. Previous criminal convictions shall not in themselves constitute grounds for taking such measures.” Furthermore, “[t]he personal conduct of the individual concerned must represent a genuine, present and sufficiently serious threat affecting one of the fundamental interests of society.”

Before expelling a person covered by the Directive on such grounds, Member States are obliged to “take account of considerations such as how long the individual concerned has resided on its territory, his/her age, state of health, family and economic situation, social and cultural integration into the host Member State and the extent of his/her links with the country of origin.” For those with permanent residence, there is a higher threshold to justify expulsion: “serious grounds of public policy or public security”. And for those who have resided in that Member State for the previous ten years, or who are minors, the threshold for expulsion is higher still: “imperative grounds of public security”.

The judgment

The Court’s judgment brought together two separate cases. In the first case, K, a dual citizen of Croatia and Bosnia-Herzegovina, had arrived in the Netherlands and applied for asylum in 2001 and 2011. Both applications were rejected. Subsequently, after Croatia joined the EU in 2013, the applicant was declared (in light of his EU citizenship) to be an “undesirable immigrant”, in light of the prior finding that he knew about and participated in war crimes and crimes against humanity in the Bosnian army. Since over twenty years had passed since that time, the issue was whether such conduct was a “genuine, present and sufficiently serious threat affecting one of the fundamental interests of society” within the meaning of the EU citizens’ Directive, taking account of the other factors referred to in the Directive.

In the second case, HF, an Afghan citizen excluded from being a refugee in the Netherlands, applied for a residence card in Belgium as the family member of an EU citizen (his Dutch daughter). His application was refused on the basis that the information about his exclusion, which the Dutch authorities had shared with their Belgian counterparts, showed that he could be denied free movement rights.

The Court first examined whether exclusion from being a refugee necessarily met the standard for restriction of free movement rights. It recalled its prior case law, holding that “public security” could include both internal security (including “a direct threat to the peace of mind and physical security of the population of the Member State concerned”) and external security (including “the risk of a serious disturbance to the foreign relations of that Member State or to the peaceful coexistence of nations”). Applying these principles to the facts, the Court accepted that Member States could consider that damage to international relations, the risk of contacting EU citizens who had been victims of war crimes could be considered threats to public policy and public security. Restricting those persons’ free movement rights could also contribute to ensuring “protection of the fundamental values of society in a Member State and of the international legal order and to maintaining social cohesion, public confidence in the justice and immigration systems of the Member States and the credibility of their commitment to protect the fundamental values enshrined in Articles 2 and 3 TEU”.  The Court added that the acts and crimes which led to exclusion from being a refugee “seriously undermine both fundamental values such as respect for human dignity and human rights, on which, as stated in Article 2 TEU, the European Union is founded, and the peace which it is the Union’s aim to promote, under Article 3 TEU”.

Nevertheless, the Court ruled that exclusion from being a refugee should not always lead to restriction on free movement rights. There must still be a “case-by-case assessment” which shows that “the personal conduct of the individual concerned currently constitutes a genuine and sufficiently serious threat to a fundamental interest of society”. This assessment must “take into account the findings of fact made in the decision of exclusion from refugee status taken with respect to the individual concerned and the factors on which that decision was based, in particular the nature and gravity of the crimes or acts that that individual is alleged to have committed, the degree of his individual involvement in them and the possible existence of grounds for excluding criminal liability such as duress or self-defence.” Furthermore, that examination “is all the more necessary” if, such as in these cases, “the person concerned has not been convicted of the crimes or acts that were relied on to justify the rejection, in the past, of his asylum application”.

The Court showed willingness to relax its usual insistence of looking closely at the EU citizen’s present threat, noting that in some cases “it is also possible that past conduct alone may constitute such a threat to the requirements of public policy”. In the case of war crimes, although “the time that has elapsed since the assumed commission of those acts is, indeed, a relevant factor….the possible exceptional gravity of the acts in question may be such as to require, even after a relatively long period of time, that the genuine, present and sufficiently serious threat affecting one of the fundamental interests of society be classified as persistent”. Equally, the Court de-emphasised the requirement that the person concerned was likely to reoffend, ruling that:

…however improbable it may appear that such crimes or acts may recur outside their specific historical and social context, conduct of the individual concerned that shows the persistence in him of a disposition hostile to the fundamental values enshrined in Articles 2 and 3 TEU, such as human dignity and human rights, as revealed by those crimes or those acts, is, for its part, capable of constituting a genuine, present and sufficiently serious threat affecting one of the fundamental interests of society...

Yet the person’s rights to private and family life and the principle of proportionality still had to be weighed against such threats.

Next, the Court reiterated that an expulsion decision has to consider with due regard to the principle of proportionality…inter alia, the nature and gravity of the alleged conduct of the individual concerned, the duration and, when appropriate, the legality of his residence in the host Member State, the period of time that has elapsed since that conduct, the individual’s behaviour during that period, the extent to which he currently poses a danger to society, and the solidity of social, cultural and family links with the host Member State.”
Yet the lengthy period of time spent on the territory in the Dutch case was not enough to qualify for the especially high level of protection against expulsion for EU citizens resident for ten years (“imperative grounds of public security”). For as the Court had recently ruled in B and Vomero, such special status was only attainable if the person concerned had already qualified for permanent residence (based on five years’ legal residence); and residence on national law grounds other than those set out in the citizens’ Directive or its predecessor laws did not count to that end (see Ziolkowski). It appeared that K could not show residence on an EU law basis, but only a national law basis, and therefore was not going to qualify for any extra degree of protection against expulsion.


The Court’s judgment is focussed on those excluded from refugee status on the basis of Article 1.F of the Refugee Convention. The wording of the ruling does not confine itself to the “war criminal” ground of exclusion, and so it applies to persons excluded from being a refugee on any of the Article 1.F grounds. It should logically be relevant if any EU law issues are raised about handing over any person to the International Criminal Court, or any ad hoc UN criminal tribunal, for prosecution for war crimes et al. But does it have any broader application?

First of all, it definitely applies to those who might apply for refugee status on what might be called the “Palestinian track” set out in Article 1.D of the Convention, since the general rules on exclusion also apply to such cases: see the ECJ’s El Kott judgment (para 76).

Secondly, it is questionable whether it applies to all cases of exclusion from subsidiary protection status, given that such exclusion is also possible for less serious behaviour than as regards refugee recognition. In particular, the qualification Directive allows for exclusion from subsidiary protection status on grounds of a “serious crime”, or in fact any crime which would be punishable by imprisonment in the Member State concerned.

Thirdly, it may be arguable whether the judgment is relevant by analogy to revoking refugee status due to criminal behaviour or a security risk (relevant in pending ECJ cases, discussed here), or to refusing a residence permit or travel document on national security or public order grounds, where the ECJ has ruled that a lower threshold applies (see the ruling in HT, discussed here).

Next, the judgment might be relevant to cases where a Member State seeks to revoke its nationality (and therefore EU citizenship) from a person, for instance due to their activities as a “foreign fighter”. (On the reviewability of such decisions as a matter of EU law, see Rottmann and the pending case of Tjebbes).

Could the judgment even be relevant by analogy to “ordinary” EU citizens, where there is no link to refugee law issues? At first sight no, because the Court’s focus is on the Refugee Convention’s exclusion clause. However, its willingness to consider that especially vile prior behaviour can outweigh an assessment of present threat and likely future conduct could arguably be relevant where an EU citizen has been convicted of crimes such as child abuse, rape, murder, or terrorism.

The judgment continues the Court’s established trend of disdain for criminality by EU citizens or their family members. In this case, its concern for crime victims is particularly striking; but here it strikes a discordant note in referring only to the victims of war criminals who are EU criminals living in EU Member States. For this overlooks the likely existence also of non-EU victims, both those who sought protection in a Member State and those in the war criminal’s state of origin, if he or she is referred there. Or rather, the surviving victims: the returning war criminals will likely cast a long shadow over the graves of those whom they murdered.

Barnard & Peers: chapter 26

JHA4: chapter I:5

Photo credit: Human Rights Watch

Thursday, 26 April 2018

Brave new world? the new EU law on travel authorisation for non-EU citizens

Professor Steve Peers, University of Essex


Yesterday it was announced that a new EU law on travel authorisation for non-EU citizens to visit the EU had been agreed. This will affect millions of travellers a year, probably including British citizens after Brexit. In fact, as a UK citizen who often travels to the continent, it’s the first EU law on non-EU immigration that will have a direct impact on me. The law won’t apply for awhile, but in light of its future significant impact and some public confusion about who it will apply to and how it works, it’s worth explaining in detail.

Basics of the system

First of all, a travel authorisation is not a visa. While it is similar to a short-term travel visa in the sense that it is a process for deciding in advance whether a person can enter the territory, it will be much simpler and less costly to apply, and be valid for much longer.

The second key issue is: which countries are covered? This has two dimensions: the countries which will apply the travel authorisation law and the countries whose citizens will be subject to travel authorisation.

Taking these points in turn, the countries which will apply the travel authorisation law are the countries fully applying the Schengen system. This means all the EU Member States except the UK, Ireland, Cyprus, Romania, Bulgaria and Croatia – although those States all except the UK and Ireland are obliged to take part in Schengen eventually. It also means non-EU countries associated with Schengen: Norway, Iceland, Liechtenstein and Switzerland.

As for the countries whose citizens will be subject to travel authorisation, that’s all non-EU countries which are a) not subject to a visa obligation for their citizens to visit the EU and b) do not have a free movement arrangement with the EU. So it follows that the new travel authorisation law will apply to British citizens who visit the EU after Brexit – unless they are visiting Ireland or the other EU countries not yet fully applying the Schengen rules. As an exception, though, the law will not apply (even if the new system is ready) to the UK during the post-Brexit transition period, because (as discussed here) it will be applying free movement with the EU during that time.  (Despite the weird claim in one newspaper, this has nothing to do with whether the UK has some form of customs union with the eU).

This new development fits into the broader framework of UK/EU immigration arrangements after Brexit, as I discussed in an earlier post. While UK citizens will very likely not be subject to short-term travel visas (that would be inconsistent with EU visa policy on wealthy and/or nearby countries), they will be conversely (on the basis of the law as it stands) be subject to the new travel authorisation law and other EU border control laws as non-EU citizens without free movement rights, including the loss of fast-track lanes at external borders. It would be possible for the UK and EU to negotiate a reciprocal exception to this, but that depends on the willingness of both sides to do so. It’s not clear if the UK is interested yet, or whether the EU would be willing to talk if it were.

It is absurd to argue that the application of the new law to UK citizens is a form of “punishment” by the EU. The UK government wants the UK to be a non-EU country without a free movement relationship, and the EU (as it stands) will therefore treat the UK like any other non-EU country without a free movement relationship. In fact the UK will be treated better than the many non-EU countries whose citizens are subjected to a visa requirement. Some Leavers should apologise for previously claiming that the likely application of the ETIAS to the UK after Brexit was “scaremongering”; likewise some Remainers should retract their assertion that tourist visas will definitely be required for UK citizens after Brexit. (Spoiler: neither will).

Remember, though, that the new law is not just relevant to the UK, but also to many other non-EU countries, including the USA, Canada, Australia, New Zealand, Japan, South Korea, Israel, and many States in the Caribbean, Latin America and neighbouring the EU to the east. A full list of non-visa countries can be found in Annex II to the EU visa list Regulation.

The new law will also apply to non-EU citizens subject to an optional visa exemption by Member States, namely re school pupils, refugees and armed forces’ members under certain conditions, along with non-EU family members of EU citizens who do not have residence cards on the basis of EU free movement law.

On the other hand, it will not apply to some other non-EU citizens:  refugees and stateless persons in a Member State; non-EU family members of EU citizens with a residence card; persons with residence permits from a Schengen state, uniform (Schengen) visas or national long-stay visas; nationals of European micro-states (Andorra, Monaco and San Marino and holders of a passport issued by the Vatican State or the Holy See); those who hold a border traffic permit subject to EU law when they travel within the local border traffic area; those subject to the optional visa requirement or exemption for holders of diplomatic or other official passports or travel documents issued by international organisations or certain international transport or emergency workers; those subject to the optional visa requirement because they are carrying out paid work; and non-EU citizens moving between Member States on the basis of EU law on intra-corporate transferees (discussed here) or on students and researchers (discussed here).

For UK citizens living in the EU27 states before Brexit, their rights on the basis of the Brexit withdrawal agreement (discussed here) will need to be evidenced by a residence permit from a Schengen states if they want to take advantage of these exemptions when coming back to the Schengen countries.

When will the new travel authorisation system apply?

The new Regulation will likely be formally adopted in a couple of months’ time.  While it will technically come into force twenty days after its formal adoption, the database needed to run the system take time to set up. So it will only begin operations when the Commission decides that other proposed EU laws on the interoperability of databases have entered into force, various implementing measures have been adopted, and there has been a successful comprehensive test of the system. It’s too early to say when this will be, but experience shows that several years may be necessary.

For the first six months after the system starts operations, its use will be optional and there will be no need to have a travel authorisation. The Commission may extend that for a further period of six months, renewable once. After that point, there will be a six months’ grace period when border guards may exceptionally allow people to enter without a valid travel authorisation. The Commission may extend this for another six months.

Process for the applicant

An applicant for travel authorisation must apply via a website or a mobile app “sufficiently in advance of any intended travel”, or, if they are already present in a Schengen State, “before the expiry of the validity of the travel authorisation”. If they already have a valid travel authorisation, they can apply for the next such authorisation as from 120 days (about four months) before it expires.  The system must “automatically inform” holders of travel authorisation via e-mail about the upcoming expiry of their authorisation, and the prospect of applying for a new one. Applications won’t have to be lodged by the potential traveller, but can instead be lodged by a company authorised to act on his or her behalf.

The application form has to include the applicant’s name, date of birth, place and country of birth, sex, nationality, parents’ names, travel document information, home address, e-mail and phone number, education level, occupation (which may be followed by a further request for information about an employer or where a student is studying), and Member State of first intended stay. Applicants must also answer whether they have: been convicted of a specified criminal offence over the last ten years (or the last twenty years, in the case of terrorist offences), and in which country; or “stayed in a specific war or conflict zone over the previous ten years and the reasons for the stay”; or been required to leave the territory of a Member State or any country on the EU visa whitelist over the last ten years.  If they answer yes to any of those questions, they will have to answer a further set of questions (yet to be determined). Each application will cost €7, but that fee will be waived for those under 18 or over 70, and applicants who are family members of EU citizens.

After the application is made, the data will be compared automatically to data in databases including the Schengen Information System (SIS), the planned Entry/Exit System (EES), the Visa Information System (VIS), the Eurodac database (which concerns asylum seekers and some irregular migrants), Europol data, and Interpol databases. The purpose of these checks is to determine whether: the travel document has been stolen, lost, misappropriated or invalidated; the person is listed in the SIS to be denied entry or wanted for arrest for extradition or as a missing person, potential witness or person subject to surveillance; a travel authorisation has been refused, revoked or annulled or there is a refusal based on the EES or the VIS; the travel document matches an application with different identity data; the applicant is a current or previous overstayer (ie did not leave on time when the permitted period of stay expired); there are matching data in Interpol, Europol or Eurodac files; or whether there are extradition or entry refusal data on the parent of a minor.  The application will also be checked against a watchlist and risk indicators. A number of these rules are waived for family members of EU citizens, in light of their rights under free movement law.

If this process does not result in any “hit”, then the travel authorisation will be issued automatically. If there is a hit, then the application is further examined to see if the hit was false. If it was genuine, then national authorities must examine the application further and decide on whether to issue the travel authorisation. This might entail asking the applicant further questions or consulting other Member States or Europol. The deadline for deciding on each application is 96 hours (four days), unless further information or an interview is required; in that case the deadline is extended to 96 hours after the further information is provided, or 48 hours after the interview is held.

When assessing applications, there will be profiling of applicants based on screening rules to be determined, which will be based on statistics indicating: “abnormal rates of overstayers and refusals of entry for a specific group of travellers”; “abnormal rates of refusals of travel authorisations due to a security, illegal immigration or high epidemic risk associated with a specific group of travellers”; “correlations between information collected through the application form and overstay or refusals of entry”; “specific security risk indicators or threats identified by” or “abnormal rates of overstayers and refusals of entry for a specific group of travellers” concerning a Member State, which must be “substantiated by factual and evidence-based elements”; or “information concerning specific high epidemic risks provided by Member States” along with “epidemiological surveillance information and risk assessments” produced by the WHO or the EU disease prevention agency.

These rules will be set out in Commission acts implemented by Frontex, which shall then “establish the specific risk indicators” based on: age range, sex, nationality; country and city of residence; level of education; and current occupation. However, these “specific risk indicators” must be “targeted and proportionate”, never based solely on sex or age nor on “information revealing a person’s colour, race, ethnic or social origin, genetic features, language, political or any other opinion, religion or philosophical belief, trade union membership, membership of a national minority, property, birth, disability or sexual orientation”.

Furthermore, there will be a “watchlist” of those “who are suspected of having committed or taken part in a terrorist offence or other serious criminal offence” or of those who may commit such offences in future, where there are “factual indications or reasonable grounds, based on an overall assessment of a person”, to believe that. (Note that “serious criminal offences” is defined as the 32 crimes listed in the EU law establishing the European Arrest Warrant, if they could be punished by at least three years in jail). The watchlist information shall be entered by either Europol or Member States, and shall consist of names, birth date, travel documents, home address, e-mail address, phone number, information on an organisation, or IP address. Listings in the watchlist cannot duplicate an alert that has already been issued in the SIS. The listings must be reviewed at least once a year.

Granting or refusing a travel authorisation

If there are “no factual indications or reasonable grounds based on factual indications” to believe that the applicant “poses a security, illegal immigration or high epidemic risk”, then a travel authorisation will have to be issued. It will be possible to issue an authorisation but with a flag to recommend that the traveller is interviewed by border guards at the border. The travel authorisation will be valid for three years, unless the travel document expires before that date.

Conversely, a travel authorisation application will have to be refused if the applicant: “used a travel document which is reported as lost, stolen, misappropriated or invalidated in the SIS”; “poses a security risk”; “poses an illegal immigration risk”; “poses a high epidemic risk”; is subject to a SIS alert to refuse entry; failed to reply to a request for additional information or attend an interview. It will also have to be refused if “there are reasonable and serious doubts as to the authenticity of the data, the reliability of the statements made by the applicant, the supporting documents provided by the applicant or the veracity of their contents”.

In that case, applicants will have the right to appeal, against the Member State that decided on their application in accordance with its national law. Furthermore, a previous refusal will not necessarily lead to a refusal of the next application, which will have to be considered separately on its own merits.

In either case, the applicant must be notified of either the positive or negative decision on the application, with information on either the conditions for travel to the EU or the grounds for refusal and information on the appeal process. Details of the decision will be added to the ETIAS database.

It will be possible to annul or revoke a travel authorisation. The basis for annulment is that “it becomes evident that the conditions for issuing it were not met at the time it was issued”, while an authorisation must be revoked “where it becomes evident that the conditions for issuing it are no longer met”. In either case, the decision must be taken on the basis of the usual grounds for refusal, the applicant must be notified of the grounds, there will again be an appeal right for the person concerned, and details will be added to the ETIAS database. An applicant may also ask for the authorisation to be revoked.

As with Schengen visas, there will be a possibility to issue a a travel authorisation with limited territorial validity, “when that Member State considers it necessary on humanitarian grounds in accordance with national law, for reasons of national interest or because of international obligations” even if the travel authorisation has not yet finished or has been refused, annulled or revoked. It will only be valid for 90 days, not the usual three years.

Given that transport companies have obligations if they carry passengers without immigration authorisation, the new law will give them the power to check the ETIAS database, to see if their passengers who need it have a valid travel authorisation. The database will also be available to border guards, to immigration authorities, national law enforcement bodies and Europol.

The ETIAS data will be kept in the database for the period of validity if an authorisation is granted, or five years from the last failed application if not. An applicant can consent to another three years of retaining the data in order to facilitate later applications. The general EU rules on data protection will apply to the processing of personal data in the system. Data cannot be transferred to non-EU countries, except to Interpol or for the purposes of facilitation of expulsion or where there is an imminent security risk, subject to detailed conditions.  


The new law will, if applied as planned, become a regular feature in the lives of those travelling to the EU, from the UK and many other States besides. For those who spend ten or twenty minutes making an application every three years and get travel authorisation after paying a €7 fee, there is limited hassle factor.  For those who fail to apply on time, or whose application is rejected, the hassle will be vastly greater, particularly if the refusal complicates their family or professional life.

On that point, the grounds for refusal are rather murky. The refusal of travel authorisation due to prior convictions for serious crimes, well-evidenced security risks or prior significant breaches of immigration law is reasonable, but the new law also refers vaguely to several levels of algorithms and profiling which have yet to be developed.  Recent events have called into question such use of “big data” more than ever; and “computer says nah” is not a good enough answer to an applicant, in particular for citizens of the UK or other neighbouring States who are more likely to have strong personal and professional links with the EU.

Barnard & Peers: chapter 26, chapter 27

Photo credit: GTP headlines

*This blog post was supported by an ESRC Priority Brexit Grant on 'Brexit and UK and EU Immigration Policy'