Stephen K. Karanja - NCHR Schengen Cross-National Surveillance and Data Protection Erasmus/LLM Lecture 03.04.2008 Stephen K. Karanja Senior Researcher

Stephen K. Karanja - NCHR

Schengen Cross-National Surveillance and Data Protection

Erasmus/LLM Lecture03.04.2008

Stephen K. Karanja

Senior ResearcherNorwegian Centre for Human Rights (NCHR)

University of OsloFaculty of Law

[email protected]://www.folk.uio.no/stephenk/


Introduction

• Origins & Development of the Schengen Co-operation

• Objectives of the Schengen Co-operation• The Schengen Information System • Surveillance in Society• Data protection issues in the Schengen • New Legislation in the Area


Origins & Development of Schengen co-operation

• What is Schengen?– Area of free movement of persons

• Origins of Schengen– Intergovernmental co-operation

• Schengen Agreement – 1985• Schengen Convention - 1990

– Five original members– 1995 implementation of Schengen commenced– 15 members – 13 EU member States and 2 Non-EU member States

• United Kingdom and Ireland – participate partially• Switzerland admitted also

– Membership expanded to 30 with admission of new EU members

• Incorporation to EU Law– Amsterdam Treaty 1997

• Title IV TEC (1st Pillar) External borders: Immigration, visa & asylum co-operation

• Title VI TEU (3rd Pillar) police, crime and judicial co-operation • Area of Freedom, Security and Justice

• EU Constitution– Abolishes the Pillar system - Article 1-7 on legal personality


Schengen Surveillance System

• Objectives of Schengen Convention– Free movement – Removal of internal border control– Enhance Security – compensatory measures– After Amsterdam: Area of Freedom, Security and Justice

• Targets in Cross-National Border Surveillance – Persons – wanted and unwanted– Objects – lost, stolen, seized, etc.

• Surveillance and Border Control Policies– Enhancement of External Border Policy– Immigration (Visa) Policy– Asylum/Refugee Policy– Police Co-operation and exchange of information Policies– Justice and Criminal Co-operation Policy

• Implementation of Surveillance Policies– Schengen Information System - (SIS) - SIS II– Related Border Surveillance Systems


Changes in places of control

• External borders • Internal borders• Transfer of controls to the external border.

• Spreading of controls inside the Schengen area.• Transfer of controls outside Schengen area


SIS & Related Border Surveillance Systems

CIS

SIS Europol Eurodac

EVIS Interpol


Proposed New Systems

• Entry and Exit Register– Target non-European Visitors not requiring a visa to enter EU bloc

• EUROSUR– European Border Surveillance System– For all land and maritime borders– To detect unauthorized border crossing– Reduce death of illegal immigrants at sea– Increase internal security of the EU

• ETA – Electronic Travel Authorization – Applicable to TCN not subject to the visa obligation

• PNR – European Passenger Name Record– In-flying airlines required to give access upon request to data

processed by their reservations and departure control system esp. PNR

• API – Advanced Passenger Information– Pan-European system for exchanging passenger information


The Schengen Information System

• Search database (Alerts)– Persons – wanted and unwanted– Objects – lost, stolen, etc

• Purpose Art. 92– Enhancing co-operation between border control authorities: police,

immigrations and customs authorities Art. 92(1).

• Specific purpose Art. 93– Maintaining public policy, public security and national security

• Control of Crime – Controlling movement of persons

• Immigration control


Technical Aspects & FunctioningTechnical Aspects & Functioning

– CP-A – Contracting Parties A

– NSIS – National Schengen Information System

– CSIS – Central Schengen Information System

– Flow of Data

– Search

NSISCP-B

NSISCP-C

NSISCP-D

NSISCP-A

CSIS

SIRENE


Technical Aspects & FunctioningTechnical Aspects & Functioning – SIS II

Central SIS(CS-SIS)

Central SIS(CS-SIS)

Communication Infrastructure

Communication Infrastructure

National System (NS)

National System (NS)

Access Point in a Member State(NI-SIS)

Access Point in a Member State(NI-SIS)

SearchSearch


Surveillance in Society

• Definition of Surveillance and Control– Surveillance - systematic or continuous observance

• Any form of systematic attention to whether rules are obeyed, to who obeys and who does not, and to how those who deviate can be located and sanctioned. (James Rule)

– Control – not systematic but specific.• The application of concrete measures to forestall or discourage

disobedience. (James Rule)• Is Surveillance and Control Necessary?

– Protection of Society• From Criminal Elements – Terrorism 11 September 2001, 11 March 2004

and London 7 July 2005• To ensure rules are obeyed – visa, asylum rules etc.

• What Level of Surveillance and Control is Acceptable?– Total Surveillance and Control

• Big Brother - George Orwell -1984 ? • Panaopticon – Jeremy Bentham & Michel Foucault?• No or no adequate safeguards

– Democratic Control and Surveillance?• Democratic Society• Control & safeguards


Surveillance in a Democratic Society

• The Concept of “Democratic Society”– Human Rights Understanding of “Democratic Society” – Art. 29 (2)

UDHR– By a democratic society is meant a state governed by rule of law and

respect for human and individual rights. i.e there is a democratically elected parliament that makes laws that respect human rights and judicial institutions that supervise the respect for rule of law. (Karanja)

• Klass & Others v. Germany (1983) 18 EHRR 305 § 49– the European Court of Human Rights (ECtHR) stated that, “a law may

pose danger of undermining or even destroying democracy on the ground of defending it”.

– The mere existence of a measure is enough for a violation of the Convention. The implementation of the measure is not necessary. Amann v. Switzerland Judgment 16.02.2002

– It affirmed that “the Contracting Parties may not, in the name of the struggle against espionage and terrorism, adopt whatever measures they deem appropriate.

– the Court further observed, “the Court must be satisfied that, whatever system of surveillance is adopted, there exist adequate and effective guarantees against abuse.”


Safeguards in Klass & Others v. Germany

• Safeguards are relative and depend on all the circumstances of the case such as:-

– The nature, scope and duration of the possible measure;– The grounds required for ordering such measures;– The authorities competent to permit, carry out and supervise

such measure; and– The kind of remedy provided by the national law.

• Other Cases– Leander v. Sweden (1987) Series B, No. 99– Amman v. Switzerland (above)

• The authorities did not destroy the information when it emerged that no charge was being prepared against the applicant.

– Rotaru v. Romania ( judgment of 04.05.2000)• Information affecting national security may be gathered,

recorded and archived in secret files– There was no limit on the exercise of those powers

– i.e. What kind of information that may be recorded, the kind of people targeted.

– Circumstances in which the measures may be taken and the procedure to be followed.

– No limits on the age of information held or the length of time for which it may be kept (Deletion).


Schengen Safeguards Against Surveillance - I

• Minimum Data Protection Level– National Data Protection Law– 1981 Council of Europe Convention– Recommendation R (87) 15 for exchange of data on police work– EC Directive 95/46 – not applicable - But SIS II partially

• Data Registered in the SIS– Strict categories of data stated

• On Persons – Art. 94 (3)• On Objects – Art. 99 (4) & 100

– SIS II – to expand on data to be entered • Photographs,and Fingerprints• Linking of Alerts• Visa database for visas used (granted & refused) (VIS)

– Visa to contain biometric data• Consequences – increase of registered data & number of

persons registered – increase of surveillance in society


Safeguards Against Surveillance - II

• Principles of Data Protection in the Schengen– Purpose Limitation Principle – Arts. 95 -100 & 102– Data Quality Principle

• Duration for Storage of Data – Arts. 112 & 113• Correctness, up-to- datedness, lawfulness of data Art. 105

– Security Principle – Arts. 101, 102, 103 & 118– Data Subject Participation

• Right of Access – Art. 109• Rights of Correction & Deletion – Article 110• Right to Request Verification of Data – Art. 114 (2)

– Sensitive Data• Registration prohibited Article 94

• External Control– Supervision – National & Joint (JSA) – Judicial Control – National courts, ECJ & ECHR

• ECJ - Judgement 31 January 006 in Case C-503/03, Commission v. Spain

– Parliamentary Control – National & EP


Finalities (purpose) for Recording Personal Data Arts. 95 - 100

• arrest in view of extradition - Art. 95 • foreign nationals to be refused entry - Art. 96

SIS – expansion to include Registers on all foreign nationals & protestors

• search in case of disappearance Art. 97• arrest in view of appearance in court of

justice e.g. witnesses - Art. 98 • Discreet surveillance - Art. 99• Objects sought for purposes of seizure or

evidence in criminal proceedings - Art. 100 • New alerts under SIS II


Recent Database Statistics 01.01.2008

Type Number of valid records (not expired)

BK (banknotes) 177 327

DB (blank documents) 390 306

FA (firearms) 314 897

ID (issued documents) 17 876 227

VE (vehicles) Main 3 012 856

VE (alias) 2 984

WP (wanted persons) Main 859 300

WP Alias 299 473

Total 22 933 370


Distribution of WP Main Records by Article – 01.01.2008

Article of the Convention Number of Valid Records (Not Expired)

95 Wanted for arrest/extradition 19 119

96 Unwanted alien 696 419

97 Adult missing person 24 594

97 Minor missing person 22 907

98 Localization 64 684

99.2 Check/observation 31 568

99.3 Check/observation 9


Adequacy and Effectiveness of safeguards I

• Finalities wide & vague – arts. 96 & 99– Lack of clear criteria & guidance for registration

• Stephanie Mills’ case - Art. 96• Mrs Forabosco case – refusal of asylum• EU citizens registered under Art. 96 – Feb. 2006 figures 503 persons

– Lack of clear criteria & guidance for search• Tribunal Administratif de Paris v. Saïd 1996 Art. 96

– Art. 99 (3) can be used for political reasons • e.g. surveillance on trade unionists, demonstrators, political opponents

etc.• Esp. EU summits & International meetings in Europe• Need for harmonization in use of Article 99 at national level

• Sensitive Data to be recorded Art. 93 para. 2 • Individual Participation

– Few exercise the right – • Lack of information • Administrative obstacles• Difficult to know whether one is registered• No means of exercising it from the country of origin• Difficulty to obtain reasons• Lack of prior notification of an entry


Adequacy and Effectiveness of safeguards II

• Security of data– Access to data

• Appr. 125,000 terminals in 2004 (18 Members States)– To increase with new EU Members admission (12 more

Member States)• Number of persons with access authority enormous • The lists of national authorities differ • Belgian scandal

• Regulation left to national law where the Convention is silent

• Clear source for divergence

• Supervision inadequate– National supervisory authorities have different rules, budgets and

powers– Joint Supervisory authority lacks independent budget and investigative

powers– International Judicial control

• ECJ - lack of individual complaint• ECHR exhaustion of national remedies required

• supplementary data exchange – SIRENE– Legal basis doubtful

• Clearer under SIS II legislation– National law


Enhancing Safeguards in Schengen - I• SIS II Proposed Legislation -2005

– Regulation – Decision

Strength

- New legal basis for immigration

data

- Keeping of all data logs

- Data dealing with misidentifi- cations of persons

- New Supervisory authority

(EDPS)

- Right of information

- Right of access to data no exception

Weakness

Dual legal basis: Council of Europe

Convention 1981 applicable

- Extension of data retention periods

- New data categories

- Linking of alerts

- Copying of data to the NS

- Omission of ban on sensitive data

- Data access given to new authorities

- Vague and wide data entry criteria

- Transfer of personal data to third parties

- Right of information vague and with exceptions


Enhancing Safeguards in Schengen - II• Proposal of a Council Framework Decision on the protection

of personal data in the framework of police and judicial cooperation in criminal matters – 2005

– The protection of personal data in Title VI of the EU-Treaty – Third Pillar– In many aspects, the revised proposal even falls below the level of protection afforded by

Convention -108– The text is vague. It is not drafted clearly, simply and precisely, which makes it difficult for the

citizens to identify their rights and obligations unambiguously– The exchange of personal data between pillars. From first pillar to third pillar (PNR) and vice

versa e.g. ‘no fly lists’, common visa. Consequently, data protection principles in the first pillar must apply also to the third pillar

– Member States' given full discretion in the application of uniform data protection principles.– Article 3 is far too broad and does not cover an appropriate limitation of the purposes for

storage.– Article 12 of the proposal lays down a very broad and not clearly defined series of derogations

to the purpose limitation principle in the context of personal data received from or made available by another Member State.

– The need to ensure an adequate level of protection when personal data are transferred to third countries or international organizations, and that mechanisms ensuring common standards and coordinated decisions with regard to adequacy are put in place.

– Transfer of personal data to private parties or non law enforcement authorities - has no specific guarantees.

– The current proposal does not provide for any specific guarantees on access and further use by law enforcement authorities of personal data collected by private parties.

– The current proposal fails to comply with the principles of Recommendations No R (87) 15 and to address the fundamental issue of access and further use by law enforcement authorities of personal data controlled by private parties.

– It does not provide for specific safeguards with regard to biometric data and DNA-profiles.


Effects of Cross-border Surveillance • Increase in surveillance

– Presences of many personal information databases• Sharing of data possible• Interpol and SIS share motor vehicle data • Call for more data sharing

– New technologies for collecting personal information – biometrics• Face recognition – passports and visas• Fingerprints – passports and visas• Iris recognition - airports

– New laws that allow for increased processing of personal data • 9/11 Report calls for data sharing• After 11/4 Madrid

– calls for data sharing legislation– Interoperability of databases (SIS, Eurodac, Interpol & VIS)

• Schengen III (Prum) – Convention for sharing police data among CP.• The Hague Program – Availability of data principle – calls for intense exchange

of personal data among Member States

• Must be justified– In accordance with the law– Legitimate aims– Necessary in a democratic society


Conclusion

• Schengen and cross-border surveillance system should be brought under stringent democratic control, data protection and human rights compliance, in order to avoid the pitfalls of total surveillance and maintain an acceptable level of surveillance in society


References • Stephen Kabera Karanja: The Schengen Co-

operation: Consequences for the Rights of EU Citizens. Published in "Mennesker og rettigheter Årgang 18 Nr. 3 2000." 215 - 222.

• Stephen Kabera Karanja: The Schengen Information System in Austria: An Essential Tool in Day to Day Police and Border Control Work? Published in Journal of Information, Law and Technology (JILT) 20 March 2002 Issue 1. http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2002_1/karanja/

• Stephen Kabera Karanja: SIS II Legislative Proposals 2005: Gains and Losses! Published in George Philip Krog og Anne Gunn B. Bekken (Red.): Yulex 2005 (ISBN 82-7226-094-8) Institutt for rettsinformatikk og Unipub forlag. 2005: 81-103.

• http://folk.uio.no/stephenk/pub/

Documents

Stephen K. Karanja - NCHR Schengen Cross-National Surveillance and Data Protection Erasmus/LLM Lecture 03.04.2008 Stephen K. Karanja Senior Researcher