Frontex: more powers and less responsibilities?

By Juliette, Ahmed, Katrin and Tom

(Source: European Commission, Migration and Home Affairs, available at: https://home-affairs.ec.europa.eu/agencies_en)

The shared administration, understood as the division of tasks between national authorities and Frontex regarding the protection of the European external borders, has changed over time with the enlargement of Frontex’s powers. This has raised issues of responsibility when a Fundamental Right (hereinafter FR) violation occurs. One possible solution for Frontex to escape this issue is the use of Article 46 of Regulation 2019/1896 (hereinafter the Regulation). We argue that this Regulation lacks a real distinction of responsibility between Frontex and the national authorities. This lack in turn facilitates violations of FR, because it is hard to sanction and prevent violations if it is not possible to correctly identify a “guilty party”.

Evolution of Frontex’s enforcement powers and shared administration

The recent evolution of Frontex, the European Border and Coast Guard Agency (EBCG), under the most recent Regulation illustrates a remarkable development in the EU’s institutional landscape with the transformation of Frontex into a new type of organisation equipped with direct decision-making powers. In fact, while the original operational mandate was limited to planning, coordinating and evaluating operations, this all changed with the new Regulation, which created the permanent staff of the Agency, whose executive powers are exercised under the command and control of the Member State hosting the operation. The new permanent staff of Frontex is a new resource to support national border management authorities in exceptional circumstances and in day-to-day operations. This novelty changed the very basic principle and former division of tasks between the Agency and the Member States, according to which the implementation of EU policies, such as the application of the Schengen Borders Code rules, was strictly the responsibility of national border guards or border police.

This increase in Frontex’s mandate and the modified shared administration do not include a specific accountability system between the national authorities and Frontex when the operations are wrongly conducted. The only important addition of the new Regulation is Article 46, which provides Frontex with the possibility to suspend, terminate or not launch activities, especially when there is a risk of a FR violation. This possibility exists when the dignity of its own actions, in the sense of upholding FR, cannot be guaranteed adequately. Frontex has already invoked Article 46 once in the case of Hungary in 2021. While this was an important step, the invocation only occurred after five years of pressure from the Fundamental Rights Officer and a CJEU ruling. This clearly shows that Frontex is not inclined to withdraw its actions by invoking Article 46.

Fundamental Rights violations

Frontex is required by law to ensure that human rights are upheld during operations under both EU and international law. Nevertheless, OLAF discovered that Frontex repeatedly took active steps to ensure that the human rights crimes that were occurring would not be seen, documented, investigated, or accounted for. More specifically, OLAF's findings demonstrate how Frontex misled the European Commission and Parliament, as well as how the Fundamental Rights Officer was side-lined and internal reports on human rights abuses were distorted. Frontex was aware of FR violations by the national authorities and sometimes even participated in them. The EU Agency failed to address and effectively follow up on these violations so as to prevent similar foreseeable violations in the future.

Some authors have proposed that Frontex should be held responsible both directly and indirectly, especially concerning the misuse of Article 46 when FR are violated. However, the CJEU has not ruled on this matter yet.

Lack of effective responsibility mechanism under the Regulation of 2019

Hence, while direct enforcement powers of Frontex have grown, methods for holding Frontex accountable and responsible for its actions and violations of FR have not. In the existing system, any wrongdoing by Frontex can effectively be concealed due to its reliance on national authorities who oversee the actions of Frontex’s staff during ground operations.

However, even if Frontex is dependent on the command of national authorities, this does not relieve the European Border and Coast Guard Agency of the obligation to respect FR as prescribed in Article 3, paragraph 2 of the Regulation.

Also, as stated above, Article 46 gives Frontex the possibility to suspend, terminate or not launch activities, especially when there is a risk of FR violation. Nevertheless, notwithstanding the numerous reports filed by the Fundamental Rights Officer, Frontex did not make use of Article 46 in the 2021 crises affecting the eastern borders of the EU. Frontex was aware of the ground-breaking legislative amendments of the aliens’ laws in Lithuania at the time of their deployment. As a matter of fact, these amendments were in complete breach of the European Convention of Human Rights (ECHR), considering that they introduced limitations on accessing asylum procedures; extended the use of detention (up to six months); and restricted individuals’ access to information, interpretation, medical care and legal aid. It was only in July 2022, following a CJEU decision which concluded that the above-mentioned amended Lithuanian migration and asylum laws were in breach of EU law, that Frontex decided to terminate its operations, when it could have triggered Article 46 much earlier.

It can thus be argued that the lack of real distinction of responsibilities between Frontex and the national authorities, combined with Frontex’s practice of not relying on Article 46, further worsens the underlying tension between the protection of FR and the protection of the external borders of the EU.

OLAF and the EPPO: does team work always make the dream work?

Blog post by Nicole, Thirza, Enes

As reiterated by President von der Leyen in her 2021 State of the Union speech: “The EU needs to ensure that every euro and every cent is spent for its proper purpose and in line with rule of law principles. EU funds are not allowed to seep away into dark channels”. If you have wondered which EU bodies are at the forefront of the protection of the Union’s financial interests (PIF) and how their cooperation works, you have come to the right place. In the almost two years the EPPO has been operational, the two Offices have had the first chance to interact and cooperate, as prescribed by their respective Regulations. In this blogpost, we outline the current operational cooperation between the EPPO and OLAF and its future possibilities to find out if teamwork can make the dream work.

PIF: A new player in the game

For more than 20 years, the European Anti-Fraud Office (OLAF), an administrative investigatory body with the mission to “detect, investigate and work towards stopping fraud involving European Union funds”, has been a preeminent actor in the PIF fight. However, in 2017 a new player entered the scene, the European Public Prosecutor’s Office (EPPO). For the first time in EU history, an independent European body has the power to investigate and prosecute PIF crimes (see Figure A). As a result, we have two EU bodies with different sets of powers but with one common goal in mind: “to better protect EU taxpayers’ money and to bring all crimes against the EU budget to justice as quickly as possible.”

Figure A: Missions and Tasks of EPPO. Source: https://www.eppo.europa.eu/en/mission-and-tasks

OLAF and the EPPO in a nutshell

OLAF’s mandate encompasses investigation of fraud and corruption involving EU funds and serious misconduct within the European institutions, as well as development of anti-fraud policy for the Commission. OLAF carries out both ‘internal’ and ‘external’ investigations, depending on whether or not they are conducted within institutions, bodies, offices and agencies of the EU (IBOAs). While conducting its investigations OLAF cannot exercise any coercive powers, so it has to rely on cooperation with national competent authorities. At the end of these investigations, OLAF cannot sanction the suspect or bring them to court. Instead, it can draw up a report, binding on the IBOAs but not on national prosecutorial or judicial authorities of the Member States (MSs), and issue recommendations. In practice, the indictment rates following OLAF’s recommendations are low and vary significantly among MSs. That is because in some jurisdictions national prosecutors tend to prioritise the national aspects of cases, neglecting their European dimension, for instance, due to their lack of expertise.

In contrast, the EPPO has criminal powers through which it can investigate and also decide to bring a case to judgement before competent national courts until it has been finally adjudicated. Moreover, since the EPPO’s legal basis, Art. 86 TFEU, allows for the mechanism of enhanced cooperation, MSs could choose whether or not to join. Therefore, currently the EPPO counts only 22 “participating” MSs.

The implementation of these powers creates a complex legislative and organisational structure. Despite being a single office, the EPPO is composed of a central and a decentralised level, where different authorities play a role (see Figure B). As for the legal framework in which the EPPO operates, the EPPO Regulation provides only minimum rules, referring often to national laws, especially with regard to its investigatory powers.

Figure B: Structure of the EPPO. Source: Fabio Giuffrida, The European Public Prosecutor’s Office: King Without Kingdom? CEPS Research Report No. 2017/03, February 2017

Abbreviations: ECP: European Chief Prosecutor, EP: European Prosecutor, DCP: Deputy Chief Prosecutor, EDP: European Delegated Prosecutor.

The EPPO and OLAF cooperation: ensuring no case goes undetected

The EPPO’s creation has definitely marked the transition into a new era for European enforcement in the area of PIF. However, in order for its potential to be fully exploited, the “new player” will have to play alongside its well-experienced team-mate OLAF. That’s why, expanding on the few ad hoc provisions contained in their respective Regulations, in 2021 OLAF and the EPPO further specified their obligations to cooperate by signing a Working Arrangement (WA). Considering this combined legal operational framework, let’s describe the most important aspects. First, in line with the principle of non-duplication, OLAF needs to terminate its investigation if the EPPO is conducting one into the same facts. However, OLAF may support the EPPO in its investigations by means of operational, forensic, and analytical expertise and tools. Importantly, when providing this support, OLAF needs to respect the stricter criminal procedural safeguards contained in the EPPO Regulation. Additionally, on its own initiative or upon the EPPO’s request, OLAF can conduct parallel complementary investigations to address essential aspects of the protection of the EU’s financial interests, such as speedy recovery or the adoption of administrative precautionary measures.

Figure C: OLAF and EPPO Joint Enforcement

Moreover, the EPPO and OLAF can mutually exchange information, which enriches the capacities of both offices, enabling them to avoid duplicate investigations, and streamlining their operations. Additionally, the WA sets up a system for the reporting and transmission of potential cases. Since the mandates of OLAF and the EPPO do not fully overlap, this exchange is crucial to ensure that illicit activities detected by the EPPO in non-participating MSs do not escape OLAF’s investigation. Moreover, it guarantees that the EPPO is informed about any criminal offence falling under its mandate even when it was first detected by OLAF. In short, the exchange of both information and cases ensures that the EU’s resources are spent effectively and that every case is tackled by the appropriate authority.

Towards a joint enforcement mechanism?

A closer look at the envisioned cooperation between OLAF and the EPPO supports the conclusion that the EU legislator aimed to create more than just two separate EU agencies. On the contrary, it seems that this could be the first step towards a comprehensive joint EU law enforcement system (see Figure C). Indeed, an integrated end-to-end cycle starting with OLAF investigations and ending with EPPO indictments could be the future of PIF enforcement in the EU.

Years of cooperation will be necessary to find out if teamwork will make this dream work or if it will remain but a distant dream. So far, it seems that both offices got off on the right foot and the EPPO 2022 annual report enthusiastically highlights the achieved results. Nonetheless, if a lasting relationship is to be built on these foundations, one must not forget that this increase in the powers of EU authorities should be accompanied by both guidance to and cooperation with national authorities and by appropriate guarantees for private individuals.

How and why is expert knowledge used by the Commission in antitrust decisions against Google?

Even though the digital economy has been around for some time now, there are still doubts concerning, e.g., the way that law should be enforced in the digital context. Hence, the crucial role of expert knowledge in providing relevant insight is understandable. Due to its importance, the question of which sources, and for what reasons, should be considered as providing the relevant expertise is worth examining. In this post, I present the results of an analysis of references from the Commission’s decisions in three cases concerning Google, published recently in the form of an article. The goal of the analysis was to identify references to expert knowledge, provide a classification of the roles played by these references, and confront them with the standards that the evidence used by the Commission should fulfil, as presented in the case law of the Court of Justice of the European Union (CJEU) and in doctrine. The results show that, due to the variety of roles played by references to expert knowledge in the Commission’s decisions, following the CJEU’s remarks on standards concerning expert knowledge is especially crucial when these sources are:

  • used to support authoritative claims about digital technologies and markets, and
  • in other cases, when they are indispensable for substantive analysis of the infringement itself or are not corroborating other types of evidence.

The first Annual Conference of the European Commission Legal Service: celebrating 70 years of EU law by discussing DSA, DMA, intergenerational justice and climate litigation

The European Commission Legal Service held its first Annual Conference, during which many speakers discussed the crucial changes brought by the entry into force of the Digital Services Act and the Digital Markets Act and debated on the pressing matters of intergenerational justice and climate litigation. This post aims at giving a brief summary of the event.

The first Annual Conference organised by the European Commission Legal Service was held on 17 March 2023 in Brussels. The event was also streamed online, and it represented a timely opportunity to celebrate the 70th anniversary of EU law and of the Legal Service itself. In fact, the creation of the Legal Service came with the entry into force of the Treaty of Paris establishing the European Coal and Steel Community in 1952.

The conference was kicked off by the welcoming remarks of Mr. Daniel Calleja Crespo, Director-General of the EC Legal Service. The Director-General highlighted the importance of the two topics of the Conference, namely internet and platforms regulation (morning session) and intergenerational justice and climate litigation (afternoon session). The two topics address two of the Commission’s priorities for the years 2019-2024, notably “A Europe fit for the digital age” and “A European Green Deal”.

Challenges and Opportunities for algorithmic crowd surveillance

Artificial intelligence brings numerous challenges to law enforcement frameworks. As States intend to rely ever more on artificial intelligence, such use remains challenging under European law. The intent of the French government to use algorithmic crowd surveillance reflects such challenges.

The Qatargate scandal and the EU’s anti-fraud enforcement: a sheet too short? DRAFT

By Isabella, Renuka, Thomas, and Yutong

Corruption scandal at the top of the EU

Increasing anti-fraud enforcement: the need to tackle fraud on a broader level

The European Union is a very complex structure, with a budget of a little less than EUR 190 billion for 2023. This could present an ideal environment for fraudsters, who may take advantage of this to commit and mask their crimes. We can give you an example: imagine you sit at one of the highest positions in the European Parliament, and you are approached by certain countries’ representatives willing to pay you so you can lobby in their favour at Parliament’s meetings. That is fraud and it – unfortunately – happened in real life, as seen in Qatargate.

Although Qatargate involved bribes paid to MEPs, constituents of an EU institution, it was not investigated by EU bodies, but by national authorities from Belgium. Therefore, we set out to research the case in depth, together with the anti-fraud framework within the EU, with the aim of providing an understanding as to why EU anti-fraud bodies, especially the European Anti-Fraud Office (OLAF) and European Public Prosecutor’s Office (EPPO), have not been directly involved in Qatargate.

Although the importance of these institutions in the EU cannot be overstated, the effectiveness of their power is subject to limitations. These concern, firstly, their competencies, which, whilst broad, do not fully encapsulate the various forms that European financial fraud may take, and secondly, their relationship with the relevant national competent authorities. This was evidenced by the manner in which the investigation into Qatargate was conducted.

Anti-fraud enforcement in the EU: OLAF and EPPO

As already mentioned, OLAF and EPPO are the two main bodies established to fight fraud in the EU; and even though both bodies pursue a common objective, significant differences exist between the two.

For OLAF, the investigation powers can be classified into external investigations (concerning the area of the Member States and other countries) and internal investigations (focused within the EU institutions); however, it does not have any sanctioning powers. Because of that, there are concerns about the lack of sufficient criminal enforcement and judicial materialisation of OLAF’s recommendations, caused by national prosecutors in certain Member States who narrow down their investigations to national aspects.

Unlike OLAF, EPPO is granted shared competence to investigate and prosecute offences with an EU dimension which are related to fraud that has a direct impact on the EU finances/budget. Furthermore, EPPO exercises its competence only via an investigation or by deciding to use its right of evocation. If the latter applies, EPPO will determine whether it wants to take over the case initiated by the Member State(s) after deliberation with the respective national authorities. In that case, the national authorities are required to confer the proceedings to EPPO.

Qatargate: a scandal in the EU Parliament and the EU’s anti-fraud enforcement

The view from the VIP lounge

Currently, Qatargate has only been investigated at the national level, by the Belgian authorities, instead of by OLAF and EPPO, but that does not mean they have not been kept busy. At approximately the same time that Qatargate took over the news, OLAF and EPPO were involved in another investigation into the Parliament.

In December 2022, OLAF issued an investigative report regarding a “suspicion of fraud detrimental to the EU budget, in relation to the management of the parliamentary allowance”, specifically regarding money paid to parliamentary assistants. It is interesting to point out that, as clarified by OLAF Director-General Ville Itälä, “there is no link between the issues investigated by OLAF and the issues under investigation in the ‘Qatargate’. When it comes to the so-called Qatargate, OLAF is following the matter very closely, in line with its investigative experience and analytical expertise. We are in contact with the Belgian authorities on the matter”.

Based on what we have discussed above, the logic behind this clarification is that, unlike EPPO, OLAF does not have any sanctioning powers. This means that OLAF does not possess the power to conduct criminal investigations and prosecutions; so without a request from national authorities, it cannot initiate an investigation, and can only provide limited information support. Currently, OLAF shows willingness to support the investigation into Qatargate, but it does not seem to be actively engaged in it.

The most notable fact is that OLAF is a non-prosecutorial body, and is reliant on the individual Member States for their cooperation. For example, in 2015, Hungarian authorities refused to comply fully with an investigation into bid tenders related to the disbursement of funds under the Economic Operative Programme. In such instances, OLAF cannot compel a Member State to assist in its investigations other than to request the National Competent Authorities (NCAs) do so themselves or for the European Parliament. Progress in this regard has been made, with OLAF and the Office of the Prosecutor General of Hungary, its NCA, signing a cooperation agreement last year to protect EU funds from fraud and embezzlement in the country by strengthening the closeness of its investigations.

A similar problem exists for EPPO, in that Member States retain an ‘opt-out’ from the Area of Freedom, Security, and Justice (AFSJ). Currently, Hungary, Poland, and Sweden have not joined EPPO, with Denmark and Ireland maintaining the opt-out on a case-by-case basis. While negotiations remain ongoing with Denmark and Ireland as to the level of cooperation EPPO can expect from their NCAs, this highlights the issue that EPPO and OLAF face: an inability to force Member States to cooperate if they simply wish not to comply.

Having explained why OLAF is not directly involved, we turn to EPPO, whose reasoning is different. EPPO’s main focus is the protection of the EU budget, and because there is no evidence, so far, that the wrongdoings investigated in Qatargate have an impact on EU finances, this body – even though it has the power to conduct judicial investigations – was not involved. Yet.

Overlaps between OLAF and EPPO

In addition to the matters raised in the section above, there is another aspect that needs to be considered. Given OLAF and EPPO’s similar roles, there can often be unintentional overlap in the investigations they carry out (see the graph below).

To ensure there are no conflicts, EPPO’s Regulation expressly directs the organisation to maintain a close relationship with OLAF based on mutual cooperation, information exchange, and complementary support. However, EPPO does not have to inform OLAF of its investigations, per Article 8(1) of the OLAF Regulation, creating a potential lack of communication and duplication of investigative resources. EPPO is only required to consider doing so where there is suspected illegal conduct relating to the financial interests of the EU. This may have occurred with Qatargate, given that OLAF was investigating Eva Kaili’s parliamentary assistants before EPPO’s publication of its investigation.

Protecting your money: How OLAF and the EPPO can help each other fight the misuse of EU funds.

OLAF and EPPO are considerable investigative forces in the EU, but due to the factors discussed in this blog post, it might be possible that fraudulent practices that hurt the EU’s and its citizens’ interests go undetected and unprosecuted, given that fraud is unavoidable to a degree in a Union so large. Therefore, expanding the strength of their investigative and prosecutorial powers and increasing their cooperation will, in the authors’ opinion, decrease the overall levels of financial mismanagement and fraud in the EU.

Defending yourself against the powerful EPPO, what to expect? DRAFT

By Eloise, Marina and Amber

The EPPO

Imagine you are a national who is a suspect or accused in a criminal proceeding of the EPPO. Are you aware of your exact rights as a defendant?

Defence rights in EPPO proceedings: Who cares?

The European Public Prosecutor’s Office (EPPO) is a powerful body. It can investigate and prosecute the offences that are affecting the EU’s financial interests. The actual prosecution by the EPPO always takes place before a national court in one of the EU Member States. A consequence could be that you as an individual have to take on the battle against the EPPO in a criminal proceeding. Now, it can be noticed that specific defence rights are not laid down in the EPPO Regulation itself. How could you defend yourself properly in this case?

In this blog post, we will provide you with some answers. We will guide you through the problems that we potentially have to deal with in a criminal proceeding by the EPPO, especially where the proceedings are referred to as a cross-border case. Additionally, we will lay out the arguments that you as the defendant could make, to make sure that in the end you still stand a chance of effectively arranging your defence.

The defendant (left) against the powerful EPPO (right)

Criminal proceedings with a cross-border dimension: What to expect, or maybe even fear?

The EPPO has the power to choose a different Member State for prosecution than your own. It might therefore not be foreseeable before which court your trial will be held. Do you have any possibility to request a change of jurisdiction? Or that you will at least be heard before such a jurisdictional change is made? Unfortunately not. You do not have a voice or choice when it comes to the forum selection.

Secondly, in the case of a so-called cross-border prosecution, the investigation and obtaining evidence by the EPPO has taken place in multiple Member States. The delegated prosecutors of the EPPO are allowed to exchange and submit relevant evidence to the case file. Therefore, you as the defendant could be confronted with multiple documents based on different national procedural rules. If you want to argue that a piece of foreign evidence is illegally obtained, you need to take into account that the court will evaluate this argument based on its national procedural law. You could be confronted with the issue that the ‘potentially illegal’ evidence is stipulated as legal under their applicable procedural standards.

Another complexity you should become aware of is that your right to access the case file is limited. There are no uniform standards for handling the information in the case file laid down in the EPPO Regulation. There are no rules regarding access to such case files, nor are there any safeguards to ensure that the content of the information in the case management system always adequately reflects the case file.

Lastly, the EPPO Regulation does refer to the Charter of Fundamental Rights of the European Union as well as the ABC-Directives, to guarantee procedural rights. Therefore, it would seem that you receive enough protection and defence rights against the acts of the EPPO. But do not cheer too quickly. As noted, the national law of the state where the trial is held determines the procedural standards applicable. If a Member State has not implemented specific defence rights from these Directives, you can rely solely on the national procedural safeguards applicable. The level of protection of defence rights will be determined by the procedural rules of the state where the proceedings take place.

How to set up a successful defence

Looking at the issue of forum selection, you should be granted the ability to have more insight into where the proceedings will take place. Especially since this could simplify the process of selecting a lawyer. On this basis, you could use the argument that there should be a right to request a change of jurisdiction. Or at least, you should be granted a chance to be heard before such a jurisdictional change is made. Consideration should be given to your personal circumstances. The issue of foreseeability and the possibility of forum shopping means that the defendant must be guaranteed that there will be no change in the court’s jurisdiction during ongoing proceedings, as it is difficult to predict the court where the trial will be held.

Access to the case file is another important defence element. You could argue that complete access to information is necessary in order to prepare an effective defence strategy. The EPPO Regulation’s limited provision of free exchange of evidence makes it almost impossible for you to become aware of all documents obtained under all various procedural rules. You could use the argument of disproportionality in light of all the knowledge necessary to actually be able to understand the case file. The extra costs for an effective defence due to this complexity can be deemed unbearable.

The same argument can be used to challenge the lack of specific defence rights in the EPPO Regulation itself. As a defendant, it does not seem right to be dependent on the procedural rules of the Member State in which the proceedings take place.

Goal achieved?

Since you as a defendant are facing the consequences of an EPPO proceeding, you should be protected in all of your rights to be able to set up an effective and fair defence. In light of the difficulties that the defendant could face in a cross-border procedure of the EPPO, the individual needs to be made aware of applicable rights and possibilities to arrange his defence as effectively and successfully as possible. The Charter and the ABC-Directives are well-known instruments for defence rights. However, it would be easier and more efficient to include defence rights provisions, forum selection and a regression clause in the already existing EPPO Regulation. Cross-border prosecution is complex and deserves a general, harmonised and clear defence rights framework.

Hacking for Justice: How Europol Walks the Tightrope Between Fighting Crime and Protecting Fundamental Rights

By An Nhien, Iman, Liudmila, Timothy and Alice

National Security vs. Privacy

In the ever-evolving battle against serious and organized crime, law enforcement agencies (LEAs) are turning to a new weapon: lawful hacking. But as the supporting role of using hacking techniques by the and other agencies becomes more prevalent, questions are being raised about the impact on fundamental rights, particularly the right to privacy. With events like the high-profile EncroChat case and a landmark decision of the Court of Justice of the European Union (‘CJEU’), the legality and implications of hacking techniques in general, and the supporting role of Europol in facilitating lawful hacking in particular, are under intense scrutiny. Join us as we delve into the legal limbo and decode the delicate balance between privacy and public safety in the realm of facilitating lawful hacking by Europol.

What is Lawful Hacking?

There is no singular definition at the EU level. Similar terms such as “lawful hacking”, “law enforcement hacking”, “government hacking”, or “network investigative techniques” are often used interchangeably. However, Liguori argued that “lawful hacking” could be the most appropriate term as it broadly implies both the technical means of this investigative method and the lawful nature of the activity. Hence, he defines “lawful hacking” as the use of hacking techniques by LEAs to gain access to computer systems and networks for the purpose of investigating criminal activity. Simply put, LEAs would exploit the vulnerabilities of software, hardware, or firmware, to gain access to technical devices and then extract data and evidence from such devices. For instance, LEAs can conduct a forensic examination of seized smartphones after using algorithms to find the password of such smartphones.

Europol has declared the need to use lawful hacking due to the strong encryption on electronic devices that undermines the investigation and prosecution of organized crimes as the data is unavailable or unidentifiable. The use of encryption has increased the number of serious crimes, which has been identified by Europol as a threat to public order and safety, the efficiency of the criminal justice system, and the rule of law. On the contrary, the use of lawful hacking itself can also pose risks to the protection of fundamental rights. Indeed, the application of this method can, for instance, potentially interfere with individuals’ privacy if LEAs excessively access personal data without sufficient valid reasons or legitimate aims. As such, LEAs’ use of lawful hacking has become a contentious issue in the European Union (EU), raising questions about the balance between LEAs’ needs and individual privacy rights. The landmark is a stark example of the potential impact of lawful hacking by Europol and national LEAs on fundamental rights, particularly the right to privacy. Keep reading as we uncover the ramifications of lawful hacking, considering the EncroChat case.

EncroChat’s Downfall: Privacy at Stake.

In the world of encrypted communication networks, EncroChat was the king of security – until its downfall. EncroChat, an encrypted communication network advertised as a secure means of communication with complete anonymity, was dismantled by a French-Dutch joint investigation team in July 2020. Specifically, in the EncroChat case, LEAs hacked into a secure messaging platform that was believed to be exploited by criminals, gaining access to private conversations, gathering evidence and bringing about the arrest of several suspects across Europe. While the investigative method of lawful hacking helped in capturing criminals, does it also negatively impact the privacy of ordinary users like us?

Article 8 of the European Convention on Human Rights (ECHR) guarantees our privacy rights. However, the EncroChat operation involved the development and distribution of malware disguised as an update, raising questions about the legality of the evidence obtained and the right to privacy. The lack of transparency in the methods used has caused uproar in legal circles, with debates about the potential misuse of lawful hacking. This means that while LEAs might have had legitimate aims when they broke into the EncroChat system, they should proceed very carefully because of the complex legal issues that arise, especially those related to privacy protection. In short, before deciding to apply lawful hacking or to assist in its application, LEAs must take into account whether and to what extent this method can interfere with the individual’s privacy.

Legal Limbo: Hacking Techniques Challenged by European Parliament and CJEU.

In a report published by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) in 2017, even before the EncroChat case, concerns about the legality of lawful hacking activities conducted or supported by LEAs were raised. According to the report, there is a risk that the use of hacking techniques may infringe on fundamental rights. These concerns have been further amplified by the CJEU’s decision in the case of Accordingly, the CJEU ruled that the UK’s regime for public authorities’ retention and access to communications data, including LEAs, was inconsistent with EU law. The Court held that communications data’s retention on a general and indiscriminate basis, without any differentiation, limitation, or exception for the objective of fighting crime, was impermissible.

Privacy vs. Public Safety: Decoding Lawful Hacking by Europol

Although there are concerns about the possible violation of privacy rights by lawful hacking, it should be noted that this right is not absolute as it can be restricted under certain circumstances. Simply put, your privacy is only respected if it does not hamper the protection of the fundamental rights of other individuals or, on a larger scale, the interests of public safety/national security. If your privacy affects the latter, it is justified for you to “compromise” your interests for that of public security when you are legally requested, for instance, to provide access to your personal information by LEAs. It is, therefore, a matter of balancing different (and perhaps opposing) fundamental rights and interests of different parties involved. Concerning the use of lawful hacking for investigation purposes, one of the most important tasks of LEAs is to balance individuals’ right to privacy and national security, public safety and/or other individuals’ fundamental rights. To do this, Europol must refer to the Charter of Fundamental Rights of the EU (The Charter) and the ECHR since these legal documents protect and balance fundamental rights within the EU.

For instance, Article 8(2) ECHR states that a public authority cannot restrict the right to privacy unless the restriction adheres to the law and is necessary to protect national security, public safety, etc. This interpretation was confirmed by the Court in Malone v. UK, which ruled that a method allowing communications interception to support investigations by LEAs was essential if it met the conditions provided by Article 8(2). The three main conditions for a lawful interception by LEAs are:

  1. such interference/interception is provided by the law;
  2. it is necessary and proportionate; and
  3. it aims to pursue legitimate aims such as the protection of public safety or national security or the prevention of crime/disorder.

Since lawful hacking is one example of lawful interception, it is also subject to these requirements. As long as the three conditions are met, the role of Europol in supporting lawful hacking does not violate the right to privacy enshrined in the ECHR and the Charter. Europol, in the joint Eurojust-Europol annual report on encryption in 2021, emphasizes that it would follow such requirements by stating that their technologies must be accompanied by suitable protections, such as standards of necessity and proportionality, to ensure the admissibility of collected electronic evidence in court. So, don’t worry whenever LEAs are hacking your devices because they will respect and protect your privacy while doing so.

 

Safety and privacy

How to resolve a bank? The role of the Single Resolution Board (SRB) in averting the next banking crisis – looking at the Banco Popular case

By Georgios, Maren & Julian

Significant banks can still pose severe dangers to the European financial market, as shown by the SRB’s first resolution case, Banco Popular. Banco Popular had severe liquidity issues which endangered the financial stability of Spain and Portugal. The swift resolution could have prevented a tremendous impact on the economy and possible costs of a state bail-out. The blog post aims to give an insight into how the SRB makes such a resolution decision, looking at the Banco Popular case. This shows that decisions made by the SRB are subject to democratic legitimacy concerns in the form of judicial accountability, institutional balance and the amounts of discretion the Agency thereby.

Let’s talk about the development of the EBU and the SRB subsequent to the financial crisis

In response to the global financial crisis, the EU created the SRB, an EU agency, to make the financial market more resilient and stable and to move towards the European Banking Union (EBU). This is one of the most significant developments in European integration since the establishment of the Economic and Monetary Union, and it was meant to restore confidence in the European banking systems after the double threat of the international financial crisis and the sovereign debt crisis. The EBU consists of 3 pillars: the Single Supervisory Mechanism (SSM), the Single Resolution Mechanism (SRM) and the European Deposit Insurance Scheme, which is still under construction, as can be seen in Figure 1.

(Figure 1 – Banking Union)

The SRB is the EBU’s resolution authority and therefore part of the SRM; it was established by the SRM Regulation (Regulation No 806/2014 (SRMR)). When a bank is failing or is likely to fail despite stronger supervision through the SSM, the SRM allows the effective resolution of the bank. The core mission of the SRB is to ensure an orderly resolution of failing banks, with minimum impact on the economy and public finances of EU countries, avoiding state bail-outs, which happened to a massive extent during the financial crisis to the detriment of the taxpayers.

The SRB as an EU agency has a broad mandate and an autonomous budget, as independence is especially crucial when resolving significant banks. This mission is one of great societal relevance and one the authors stand behind.

How does the SRB resolve a bank looking at the Banco Popular case

(Figure 2 – Resolution making process)

The procedure according to which the SRB adopts resolution schemes, and according to which the resolution becomes a fully-fledged resolution plan, is described in Art. 18 SRMR (Figure 2).

More specifically, in order for the SRB to draft a resolution scheme three conditions need to be fulfilled:

  • Step 1: Bank is failing or likely to fail
  • Step 2: Private sector financing or any other private alternative does not exist
  • Step 3: Public interest assessment

Step 1: Bank is failing or likely to fail

First, the ECB should find that a bank is failing or likely to fail, but it is also possible for the SRB to proceed to a similar assessment on its own. However, this only happens when the ECB is specifically requested by the SRB to make an assessment and when the ECB fails to act within three days of the request. In the case of Banco Popular, the SRB initiated proceedings on the 3rd June 2017 and asked the ECB to assess Banco Popular’s situation. On the 6th June 2017 the ECB determined that the bank was failing or likely to fail as ‘[i]t is likely that the institution will not be able to pay back its debts or other liabilities in the near future’ (Art. 2). Thereby, the first condition of Article 18 (1)(a) is fulfilled: the bank was having severe liquidity issues endangering the financial stability of Spain and Portugal.

Step 2: Private sector financing or any other private alternative does not exist

Secondly, the SRB should assess that there is no reasonable prospect that any private sector financing, other private alternative or supervisory action could prevent the failure of the entity. The resolution, in other words, must be the most suitable and proportionate measure to avert the collapse of a certain bank. The SRB, in cooperation with the ECB, determined that there is no reasonable prospect for private measures (Art. 3).

Step 3: Public interest assessment

Lastly, the adoption of the resolution must serve the public interest (Art. 18 (1), (5) SRMR). The SRB in cooperation with the ECB determined that the resolution is in the public interest to safeguard financial stability in Spain and Portugal (Art. 4).

In the Banco Popular case, the SRB’s executive session, which consists of the Chair and four full-time members and is observed by the Commission and the ECB, determined that the three conditions were given. Shortly after, it adopted the resolution scheme on the 7th June at 5:30 am according to Art. 18 (1) SRMR.

Thereafter, the Commission, within 24 hours of the transmission, could endorse or object to the resolution draft. If specific circumstances under the SRMR are given, within 12 hours of the transmission, the Council could be involved and asked to endorse or object to the draft within the next 12 hours. When the Commission remains silent and does not express any objections, the resolution enters into force automatically after 24 hours (Art. 18 (7) SRMR). If the draft is objected to, the SRB should reform the draft, incorporating the objections within the next 8 hours.

In the Banco Popular case, the Commission took 1 hour (5:30-6:30) to assess the decision and endorsed it. In a statement of reasons it stated: ‘[t]he Commission agrees with the resolution scheme[,] [i]n particular it agrees with the reasons of the SRB why it is necessary in the public interest’. This short time frame raises doubts as to whether the Commission just copy-pasted the decision or actually assessed it as required by Art. 18 (7) SRMR, and whether it sufficiently assessed the discretionary aspect of the scheme. Although the Commission is an observer in the entire process, it does not show how it assessed and evaluated each decision made by the SRB. Instead of merely saying ‘we agree’, some thorough reasoning as to why the Commission agrees is important to avoid future democratic legitimacy concerns in the SRB’s decision-making process.

The SRB decided to use the sale of business tool (Figure 3), which enabled the conversion of capital into shares which were subsequently bought by Banco Santander for the symbolic amount of 1 Euro. Banco Santander was able to provide the necessary liquidity and Banco Popular was able to open the next day as a subsidiary of Banco Santander.

(Figure 3 – Resolution Tools)

The implementation of the adopted resolution relied solely on the relevant National Resolution Board. Nonetheless, according to Art. 29 SRMR, where a national resolution authority has not applied or not complied with the resolution, or has applied it in a way which poses a threat to any of the resolution objectives or to its efficient implementation, the SRB may take over the implementation of the resolution, after informing the Authority and the Commission. In the Banco Popular case the Spanish authority swiftly implemented the SRB resolution scheme.

What democratic legitimacy challenges may arise from this process?

In our opinion it seems like the Banco Popular resolution has been successful in that it has prevented depositors of the bank and the taxpayer from losing money and safeguarded the financial stability in Spain and Portugal. However, despite the evident effectiveness of the resolution and the resolution-making process, legal and institutional challenges remain, which were also raised by the shareholders bearing the burden of the bank’s rescue. The General Court rejected all of their claims in five separate cases. However, democratic legitimacy concerns continue to arise, also from certain aspects of the overall resolution-making process provided in the SRMR:

Firstly, even though it did not occur in Banco Popular, the SRB could come to the assessment that the three criteria are not fulfilled, in which case no resolution decision would be concluded. This occurred in the ABLV case, in which the ECJ decided that the SRB’s non-resolution decision could not be challenged (Ernests Bernis case). The action for annulment (Art. 263 TFEU) by the shareholders, on whom the decision had an economic effect, was inadmissible due to the missing legal effect on them. This makes the non-resolution decision unchallengeable for those economically affected, calling legal accountability into question.

Secondly, the SRB’s resolution scheme can be automatically adopted if the Commission remains silent for the 24 hours after transmission. The SRB then exercises discretionary policy-making powers with questionable safeguards of accountability in place.

Thirdly, even when the SRB’s decisions are reviewed by the Commission or the Council, the short deadlines of 24 hours and 12 hours provided by the SRMR could cast doubt on the thoroughness of the review, creating concerns about the de facto integrity and actual facilitation of such a review process. The Commission’s 77-minute review of the Banco Popular resolution scheme indicates more of an approval of the SRB’s decisions, without any real assessment, although it could be argued that the Commission is involved as an observer beforehand and therefore steers the SRB, using its final say as a negotiation tool. However, is this sufficient to qualify as a thorough assessment?

These three questions relating to democratic legitimacy remain after looking at the Banco Popular ‘saga’ and the SRB’s resolution process.

The ECHA: any chemistry between the agency and enforcement? DRAFT

By Daan, Giulio, Henrik and Majed

Section I – ECHA: There’s more than meets the eye

 Chemicals are of fundamental importance for the well-functioning of modern society. Think of chemicals such as hydrogen and bromine. However, dangerous chemicals, such as asbestos, have led to the loss of many lives. Therefore, the European Chemicals Agency (ECHA) is concerned with the safe use of chemicals within the internal market. However, officially it is not an enforcement agency. Paradoxically, a closer examination of this ‘non-enforcement’ agency reveals that it has powers that can be classified as enforcement powers. The arguments for and against the ECHA possessing direct and indirect enforcement capacities are carefully weighed in this blog post.

As this post shows, some arguments point to the ECHA’s lacking enforcement capacities, such as its reliance on national authorities and its lack of direct involvement with citizens in the various stages under REACH. However, various other arguments can be presented that point in the direction of it, in reality, possessing different variations of enforcement powers. Not only can it take binding decisions in the registration phase, but also by delivering its scientific opinions, it is in the driver’s seat of an enforcement network which is built upon the National Competent Authorities’ (NCAs) powers. With that said, in the end, it is up to you to decide how to view ECHA’s enforcement powers.

Direct and indirect enforcement

 Enforcement can be understood as the capacity to prevent potential violations of the law while ensuring compliance with its obligations. Direct enforcement can be understood as monitoring, investigating, and sanctioning individuals and businesses who are subject to the rules and regulations of substantive law. On the other hand, indirect enforcement concerns those instances where public authorities coordinate and influence the application of the law by national or European authorities, but not directly against citizens.

The iceberg: a schematic overview of ECHA’s enforcement capacities

Section II – The ECHA lacking enforcement capacities

The ball is in the Member States’ court

Looking at the ECHA’s operations shows that the Agency lacks enforcement powers. Be it the checking for completeness of the dossiers filed by companies or the evaluations of the compliance of the information with the required standards, ECHA’s decisions are effectively made by its Member State Committee. Take, for instance, the evaluation of chemicals. What the Agency does is draw up a ‘Community Rolling Action Plan’ which is a list of chemicals the Member States’ authorities can discretionally choose from to later assess the chemical in complete autonomy.

Next, the national authority prepares a draft decision, which in most cases is the final decision in respect of the chemical at issue that will be made by the ECHA itself. Therefore, the impression is that of an Agency that limits itself to rubber-stamping what in reality is the work of the competent authorities of the individual Member States. After all, Article 45(1) of the REACH Regulation unequivocally states that “the Agency shall rely on the competent authorities of Member States” with regard to the role they play in the proper evaluation of chemicals.

Direct enforcement or bureaucratic pen-pushing?

 Secondly, the REACH Regulation sets out the ECHA’s functions in respect of the registration, evaluation, authorisation, and restriction of chemicals. With regards to authorisation and restriction, the role of the Agency is purely advisory, whereas, in the registration and evaluation processes, its decisions are technically binding. Yet is it really the case that the faculty to make binding decisions provides the Agency with direct enforcement powers? A mere glance over the Agency’s tasks suggests that it is not. It is true that the Agency may accept (unconditionally or conditionally) or reject a company’s application for placing a chemical on the market, but that is virtually all its direct enforcement ability. During that phase, the Agency enforces the standards of information required by REACH directly in relation to the applicant. All the while, this direct enforcement is little more than a formal check to verify whether the information included in the applicant’s dossier is complete. Past this bureaucracy-dictated check, there is little in the Agency’s activities that may amount to direct enforcement. As said, in the authorisation and restriction stages, its role is purely advisory and, with regards to the evaluation stage, the Member States’ authorities are the ones in charge of verifying the substantial compliance of the information with the legal standards.

Section III – The ECHA possessing enforcement capacities

The EU’s chemistry expert

The ECHA is a pre-decision-making agency. Even though the ECHA does not make a certain decision by itself, it influences the outcome to a great extent. The ECHA can have such influence over decisions through the drafting of decisions, opinions and recommendations. Since the ECHA is considered the leading expert on the EU’s chemicals policy, other parties require good arguments in order to diverge from the ECHA’s stance. Thus, while formally the decision might be made by the Commission, factually, it is the agency that stipulates what will happen. The rationale behind this phenomenon is that the Commission does not possess the expertise required in order to assess the ECHA’s recommendations and thus it will usually adopt the ECHA’s stance. Thus, although the ECHA legally lacks direct enforcement powers in most fields, through indirect enforcement the ECHA factually enforces rules in the field of EU chemical policy. This makes sense because EU agencies are usually set up to be the experts in their field and it would be inefficient not to provide these experts with the tools to materialize their knowledge.

A closer look: direct and indirect enforcement in practice through the ECHA

 While the ECHA does not legally possess enforcement capacities, it does play a central role in the enforcement of the EU’s chemicals policy. In terms of direct enforcement, the ECHA is capable of taking binding and consequential decisions directly on individuals and businesses during the dossier submission stage, where it undertakes a ‘completeness check’ of the content of applications. At this stage and during the registration phase, the ECHA can solely decide whether to accept or reject the application of the chemical in question. A negative decision by the ECHA can have significant consequences on the applicants, who will need to either appeal the decision or submit a revised registration application. This can delay or prevent registration altogether and, consequently, the subsequent circulation of a chemical substance into the Union. The ECHA is therefore capable through this capacity of independently preventing potential violations of REACH while achieving compliance with its obligations.

Following the registration phase, the ECHA continues to play an important role in the evaluation and authorization stages. Here, the agency harmonizes and supervises cooperation with NCAs in a manner akin to that of an enforcement network, inducing a high level of collaboration between the different NCAs. In addition, decisions adopted by those NCAs often rely on the scientific opinions of the ECHA, demonstrating how the agency contributes to the indirect enforcement of the obligations under REACH.