Use and Misuse of New Technologies: Contemporary Challenges in International and European Law [1st ed.] 978-3-030-05647-6;978-3-030-05648-3

Table of contents :
Front Matter ....Pages i-xviii
Front Matter ....Pages 1-1
High-Tech Migration Control in the EU and Beyond: The Legal Challenges of “Enhanced Interoperability” (Philip Hanke, Daniela Vitiello)....Pages 3-35
Swords Shielding Security? The Use of Databases in Criminal Cooperation within the European Union: Challenges and Prospects (Stefano Montaldo)....Pages 37-54
What Do Human Rights Really Say About the Use of Autonomous Weapons Systems for Law Enforcement Purposes? (Andrea Spagnolo)....Pages 55-72
Training and Education of Armed Forces in the Age of High-Tech Hostilities (Marco Longobardo)....Pages 73-91
Drones at War: The Military Use of Unmanned Aerial Vehicles and International Law (Claudia Candelmo)....Pages 93-112
Front Matter ....Pages 113-113
The EU as a Global Standard Setting Actor: The Case of Data Transfers to Third Countries (Stefano Saluzzo)....Pages 115-134
The Passenger Name Record Case: Profiling Privacy and Data Protection Issues in Light of CJEU’s Opinion 1/15 (Valentina Nardone)....Pages 135-150
The European Court of Human Rights Shaping Family Life in Cross-border Surrogacy: The Paradiso et Campanelli Case (Mario Gervasi)....Pages 151-166
Hybrid Governance or… Nothing? The EU Code of Conduct on Combatting Illegal Hate Speech Online (Karolina Podstawa)....Pages 167-184
The Construction of a Normative Framework for Technology-Driven Innovations: A Legal Theory Perspective (Francesco De Vanna)....Pages 185-208
Front Matter ....Pages 209-209
Who Is to Blame for Autonomous Weapons Systems’ Misdoings? (Daniele Amoroso, Benedetta Giordano)....Pages 211-232
Attribution to State of Cyber Operations Conducted by Non-State Actors (François Delerue)....Pages 233-255
The Use of Unarmed Drones in UN Peacekeeping Operations: Issues of Attribution (Martina Buscemi)....Pages 257-275
Digital Rights and Jurisdiction: The European Approach to Online Defamation and IPRs Infringements (Ornella Feraci)....Pages 277-304
Enforcing the Right to Be Forgotten Beyond EU Borders (Alberto Miglio)....Pages 305-326
Overflying Justiciability? Drones and Avoidance Doctrines Before National Courts (Luca Gervasoni)....Pages 327-351
Front Matter ....Pages 353-353
New Technologies in International (and European) Law—Contemporary Challenges and Returning Issues (Maurizio Arcari)....Pages 355-362
Correction to: The Construction of a Normative Framework for Technology-Driven Innovations: A Legal Theory Perspective (Francesco De Vanna)....Pages C1-C1

Citation preview

Elena Carpanelli · Nicole Lazzerini Editors

Use and Misuse of New Technologies Contemporary Challenges in International and European Law

Use and Misuse of New Technologies

Elena Carpanelli  •  Nicole Lazzerini Editors

Use and Misuse of New Technologies Contemporary Challenges in International and European Law

Editors Elena Carpanelli Center for Studies in European and International Affairs University of Parma Parma, Italy

Nicole Lazzerini Department of Legal Sciences University of Florence Florence, Italy

ISBN 978-3-030-05647-6    ISBN 978-3-030-05648-3 (eBook) https://doi.org/10.1007/978-3-030-05648-3 Library of Congress Control Number: 2019934089 © Springer Nature Switzerland AG 2019 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. This Springer imprint is published by the registered company Springer Nature Switzerland AG The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

Foreword

The volume I have the honour to present is the valuable outcome of one of the first research projects that the Center for Studies in European and International Affairs (CSEIA) has promoted after its inception. CSEIA was established in 2016 by the University of Parma (Italy) in collaboration with the European College of Parma Foundation and the financial support, through a special grant, by the Italian Ministry of Education, University and Research. CSEIA’s research activity mainly focuses on four areas: European and International Policy; Biolaw and Bioethics; Industrial Policy; Agro-food Sustainability, Nutrition and Safety. All topics are addressed by different research groups operating under these four “pillars” in an international and European perspective, according to a multidisciplinary and interdepartmental approach. Given the magnitude and the heterogeneity of the areas of investigation covered by CSEIA, “safety and security” has been identified as its basic element of identity, the core issue and common thread, in order to give unity and coherence to the activities promoted and developed by the centre. Among its various aims, CSEIA pursues a further internationalization of the University of Parma, through the setting up of study and research groups on issues of deep relevance at international and European level, the promotion of the scientific debate through the organization of seminars and workshops and the publication of their scientific outcome. Particular attention is paid to the support for research activities conducted by young scholars through the establishment of international networks. This volume paradigmatically represents the rationale characterizing CSEIA activities. This is the result of a research project—concerning security issues arising from the use of new technologies and their impact on International and European Union law—developed and directed by Elena Carpanelli (Post-doc Research Fellow in International Law, CSEIA) and Nicole Lazzerini (Researcher in European Union Law, University of Florence) under the first pillar of CSEIA since the end of 2016. On 19 and 20 June 2017, Elena Carpanelli and Nicole Lazzerini organized an international workshop, financed by CSEIA and hosted by the University of Parma, on the topic “New Technologies as Shields and Swords: Challenges for International, European Union and Domestic Law”. The workshop was conceived as an opportunity for young legal scholars, who are doing research in different European c­ ountries, v

vi

Foreword

to meet, discuss and exchange ideas on different issues covered by the workshop. Professors Deirdre Curtin (European University Institute, Fiesole, Italy), Lorna McGregor (University of Essex, UK) and Ana Vrdoljak (University of Technology, Sidney, Australia) kindly accepted to take part in the event, acting as keynote speakers. About 20 contributions were presented and fully debated within four Panels, introduced and chaired by Managing Editors and Members of the Editorial Board of Questions of International Law (QIL): Professors Maurizio Arcari (University of Milano Bicocca), Beatrice Bonafé (La Sapienza University of Rome), Gabriele Della Morte (Catholic University of Milan), Paolo Palchetti (University of Macerata), Cesare Pitea (University of Parma) and Antonello Tancredi (University of Palermo). As a follow-up to the workshop in Parma, Questions of International Law (QIL) devoted a “Zoom-in” to an in-depth analysis of a particular aspect of challenges posed by new technologies and artificial intelligence (AI) systems to International and European Union law, i.e. the legal and ethical implications of autonomous weapons systems.1 This volume represents a further evolution of the original research project. It contains an updated version of some presentations submitted for the international workshop of 2017, the contribution by two authors of the QIL’s Zoom-in of 2017 and some chapters specifically drafted by other young scholars who were invited by the editors of this book to join their network. The result is an in-depth analysis of the main legal implications arising from the resort to new technological developments in different human activities in peacetime and during international and internal conflicts. Obviously, no definitive conclusions can be drawn, considering the controversial nature of the issues dealt with in this book on a legal and ethical level, as well as the constant and rapid evolution of new technologies and their use. No doubt, however, the following chapters represent a valuable contribution to the ongoing academic debate on the challenges posed by new technologies and their most recent applications to the current international and European legal frameworks, from standard setting to State responsibility. For all these reasons, I am particularly indebted to Elena and Nicole for the amazing energies and care they have constantly devoted to the success of this project. They perfectly managed the 2017 workshop in Parma, and they continue to lead their research group with undoubted authority and competence. Thanks to them, CSEIA has successfully achieved one of its first goals. Together with them and with the support of many other good scholars, CSEIA intends to increase its research networks and to address new ambitious targets. CSEIA, University of Parma  Parma, Italy 18 July 2018

Laura Pineschi

 Coming Soon...? A Reappraisal of the Legal and Ethical Implications of Autonomous Weapons Systems (AWS) ahead of the First Meeting of the CCW Group of Governmental Experts on Lethal AWS, QIL, Zoom-in 43, 2017, http://www.qil-qdi.org, with an Introduction by E. Carpanelli and N. Lazzerini, and contributions by: O. Ulgen, Kantian Ethics in the Age of Artificial Intelligence and Robotics; A.  Spagnolo, Human Rights Implications of Autonomous Weapon Systems in Domestic Law Enforcement: Sci-fi Reflections on a Lo-fi Reality; and D. Amoroso, Jus in bello and Jus ad bellum Arguments against Autonomy in Weapons Systems: A Re-Appraisal. 1

Preface

Technological progress is incessantly transforming our reality, both the private sphere (personal and interpersonal) and the public one. In the last few years, its impact has become pervasive on communication and information, commerce and health, but also law enforcement and even warfare. The deployment of new technologies in itself, or the consequences of their use (and, sometimes, misuse), gives rise to new questions for legal scholars. Is the use of certain technologies unlawful per se? Do some of their applications breach existing rules and, if yes, to what extent? Who is to be held responsible? To whom the unlawful action ensuing from the use of novel technologies can be attributed? More generally, the challenge extends to the very adequacy of traditional legal categories and the effectiveness of existing rules. Are they capable to tackle the implications of emerging technologies and to provide a fair balance between the competing interests at stake? Which  is the margin of manoeuvre to make the existing legal and institutional framework respondent to technological challenges? Is there a need for developing brand new ad hoc rules, normative standards and models of governance? This volume offers a purposeful reflection on these questions, endorsing the perspective of International and European Union law. The transnational character of most cutting-edge technologies brings, these two branches of law to the forefront of the debate, both when assessing the lawfulness of certain uses of novel technologies and when focusing on the need of adapting the current regulatory framework. Rather than highlighting the peculiarities that each technological tool or application may entail, attention is paid to the complex interaction with the existing legal framework, which represents a common trait. Accordingly, the volume unfolds through three parts. Part I is devoted to some current and perspective challenges posed by the use of new technologies in law enforcement and military activities. The need to rethink the terms of the balancing between security concerns and the protection of human rights is the fil rouge underlying the five contributions in this section. In particular, Philip Hanke and Daniela Vitiello examine the critical aspects of the “technologization” of migration control in the European Union (EU), questioning the impact that enhanced interoperability vii

viii

Preface

may have on the coherence of the EU legal order. Stefano Montaldo focuses on the growing use of databases in criminal cooperation within the EU, whereas Andrea Spagnolo investigates the potential of the recourse to autonomous weapons systems at the domestic level to impinge on human rights. Rooting his analysis on international humanitarian law, Marco Longobardo questions the existence and content of a State duty to train and educate military forces on high-tech means and methods of warfare. Finally, Claudia Candelmo attempts to establish whether the use of drones in the targeted killing of suspected terrorists complies with different sets of rules of international law. Part II is dedicated to the role of institutional and non-institutional actors in setting new normative standards, tackling the problems arising from the use of new technologies. In their chapters, Stefano Saluzzo and Valentina Nardone focus on the recent case law of the Court of Justice of the European Union on data protection, highlighting its emerging role as a global standards setting actor in this field. Mario Gervasi critically analyses the way in which the European Court of Human Rights has shaped the notion of “family life” in a leading case on cross-border surrogacy. The growing importance of non-traditional actors, such as the Internet service providers, in the governance of technology-driven developments is examined in the contribution of Karolina Podstawa, whereas Francesco De Vanna offers a more general reflection on the role that lawmakers may play in addressing the issues brought along by the ongoing technological developments. Finally, Part III is concerned with the implications of technology-driven violations as regards the apportion and attribution of responsibility, the establishment of jurisdiction, and the granting of effective judicial protection. Daniele Amoroso and Benedetta Giordano engage with the complex issue of responsibility for the use of autonomous weapons systems. François Delerue and Martina Buscemi deal with the attribution of internationally wrongful acts, focusing, respectively, on cyber-­ attacks launched by non-state actors and on the use of unarmed drones in the context of peacekeeping operations led by the United Nations. Jurisdiction concerns are at the core of Ornella Feraci’s contribution, which focuses on online defamation and infringements of intellectual property rights. Alberto Miglio investigates the reach of the right to be forgotten as upheld by the Court of Justice of the European Union and its enforceability beyond EU borders. Finally, Luca Gervasoni analyses how the use of avoidance doctrines in some domestic legal systems might end up hindering access to justice for victims of drone strikes. Before “giving the floor” to the authors of the different chapters, there are several people that we wish to thank for their support and contribution. First of all, a huge debt is owed to Professor Laura Pineschi, President of the Center for Studies in European and International Affairs (CSEIA) of the University of Parma. The book is indeed the ultimate outcome of a research project financed by the Centre. We are conscious of the precious occasion that we have been offered and extremely grateful for it. Hearty thanks then  go to the Directors of the online journal Questions of International Law (QIL)—Professors Maurizio Arcari, Paolo Palchetti and Antonello Tancredi—for having encouraged this project from the outset. On 19 and

Preface

ix

20 June 2017, CSEIA and QIL supported the organization of a workshop of young scholars at the University of Parma, which provided a unique opportunity to discuss the topics addressed in this volume. In this respect, we wish to express our deepest gratitude to the Members of the Council of CSEIA, for their trust, and to the members of the editorial board of QIL—in particular, Professors Angelica Bonfanti, Beatrice Bonafé, Gabriele della Morte, Matteo Fornari and Micaela Frulli—for partaking and animating the workshop and for their thoughtful comments. Finally, we want to express our deepest  gratitude to all our colleagues who accepted to use their time, expertise and enthusiasm to contribute to this book, not least for their patience and friendship. Our gratitude also extends to those who could participate only in the workshop. We strongly believe that the research community behind this volume is the main achievement of the overall project and we cannot but hope that further outcomes will be added to this book in the near future. Parma, Italy  Florence, Italy   November 2018

Elena Carpanelli Nicole Lazzerini

Contents

Part I Legal Implications of the Use of New Technologies in Law Enforcement Activities and Beyond High-Tech Migration Control in the EU and Beyond: The Legal Challenges of “Enhanced Interoperability”��������������������������������������������������    3 Philip Hanke and Daniela Vitiello Swords Shielding Security? The Use of Databases in Criminal Cooperation within the European Union: Challenges and Prospects����������������������������������������������������������������������������������������������������   37 Stefano Montaldo What Do Human Rights Really Say About the Use of Autonomous Weapons Systems for Law Enforcement Purposes? ������������������������������������   55 Andrea Spagnolo Training and Education of Armed Forces in the Age of High-Tech Hostilities����������������������������������������������������������������������������������������������������������   73 Marco Longobardo Drones at War: The Military Use of Unmanned Aerial Vehicles and International Law������������������������������������������������������������������������������������   93 Claudia Candelmo Part II The Role of Courts and Other Actors in Defining Normative Standards for Technology-Related Challenges The EU as a Global Standard Setting Actor: The Case of Data Transfers to Third Countries��������������������������������������������������������������������������  115 Stefano Saluzzo The Passenger Name Record Case: Profiling Privacy and Data Protection Issues in Light of CJEU’s Opinion 1/15��������������������������������������  135 Valentina Nardone xi

xii

Contents

The European Court of Human Rights Shaping Family Life in Cross-border Surrogacy: The Paradiso et Campanelli Case ������������������������������������������������������������������������������������������  151 Mario Gervasi Hybrid Governance or… Nothing? The EU Code of Conduct on Combatting Illegal Hate Speech Online ��������������������������������������������������  167 Karolina Podstawa The Construction of a Normative Framework for Technology-Driven Innovations: A Legal Theory Perspective������������������������������������������������������  185 Francesco De Vanna Part III Addressing Violations Deriving from the Use of New Technologies: Issues of Responsibility and Judicial Protection Who Is to Blame for Autonomous Weapons Systems’ Misdoings?��������������  211 Daniele Amoroso and Benedetta Giordano Attribution to State of Cyber Operations Conducted by Non-State Actors����������������������������������������������������������������������������������������������������������������  233 François Delerue The Use of Unarmed Drones in UN Peacekeeping Operations: Issues of Attribution����������������������������������������������������������������������������������������������������  257 Martina Buscemi Digital Rights and Jurisdiction: The European Approach to Online Defamation and IPRs Infringements ������������������������������������������������������������  277 Ornella Feraci Enforcing the Right to Be Forgotten Beyond EU Borders ��������������������������  305 Alberto Miglio Overflying Justiciability? Drones and Avoidance Doctrines Before National Courts������������������������������������������������������������������������������������������������  327 Luca Gervasoni Part IV Conclusions New Technologies in International (and European) Law—Contemporary Challenges and Returning Issues������������������������������  355 Maurizio Arcari

Contributors

Daniele Amoroso  University of Cagliari, Cagliari, Italy Maurizio Arcari  University of Milano-Bicocca, Milano, Italy Martina Buscemi  University of Florence, Florence, Italy Claudia Candelmo  LUISS Guido Carli University, Rome, Italy Francesco De Vanna  University of Modena and Reggio Emilia, Modena, Italy François Delerue  Institut de recherche stratégique de l’École militaire (IRSEM), Paris, France Ornella Feraci  University of Siena, Siena, Italy Mario Gervasi  University of Rome “La Sapienza”, Rome, Italy Luca Gervasoni  University of Milano-Bicocca, Milan, Italy Benedetta Giordano  Juvenile Court of Salerno, Salerno, Italy Philip Hanke  University of Bern, Bern, Switzerland Marco Longobardo  University of Westminster, Westminster, UK Alberto Miglio  University of Turin, Turin, Italy Stefano Montaldo  University of Turin, Turin, Italy Valentina Nardone  University of Rome “La Sapienza”, Rome, Italy Karolina Podstawa  University of Maastricht, Maastricht, The Netherlands Stefano Saluzzo  University of Piemonte Orientale, Alessandria, Italy Andrea Spagnolo  University of Turin, Turin, Italy Daniela Vitiello  University of Florence, Florence, Italy

xiii

Abbreviations

ABC ACHR ADC ADR AFSJ AI AP AWS BAMF BMS CCW CD CIA CIR CIS CJEU CLC CNIL CoC CSDP CSO DARIO DDoS DDR DHS DoD DoS DRC DRM EBCGA ECRIS

Automated Border Control American Convention on Human Rights Anonymous Digital Coalition Alternative Dispute Resolution Area of Freedom, Security and Justice Artificial Intelligence Additional Protocol Autonomous Weapon Systems German Office for Migration and Refugees Biometric Matching Service Convention on Certain Conventional Weapons Compact Disc Central Intelligence Agency Common Identity Repository Customs Information System Court of Justice of the European Union Convention on Civil Liability for Oil Pollution Damage Commission nationale de l’informatique et des libertés Code of Conduct on Countering Illegal Hate Speech Online Common Security and Defence Policy Civil Society Organizations Draft Articles on the Responsibility of International Organizations Distributed Denial of Service Disarmament, Demobilization and Reintegration Department of Homeland Security Department of Defense Denial of Service Democratic Republic of the Congo Digital Rights Management European Border and Coast Guard Agency European Criminal Records Information System xv

xvi

ECHR ECtHR EDPS EDT EECC EES EIS EJK EP ETIAS ETS EU EUCFR EUFOR FRA FRY FTF GC GDPR GGE HLEG HRC HRW IACtHR IBM ICAO ICC ICCPR ICJ ICRC ICTY IHL IHRL ILC IPRs ISP ITLOS ITR ITU JCE LAWS MARRI MHC MID

Abbreviations

European Convention on Human Rights European Court of Human Rights European Data Protection Supervisor Electronic Disturbance Theater Eritrea-Ethiopia Claims Commission Entry–Exit System Europol Information System Extrajudicial Killing European Parliament European Travel Information and Authorisation System European Treaty Series European Union Charter of Fundamental Rights of the European Union European Force European Union Agency for Fundamental Rights Former Republic of Yugoslavia Foreign Terrorist Fighter Grand Chamber General Data Protection Regulation Group of Governmental Experts High-Level Expert Group on Information Systems Interoperability Human Rights Committee Human Rights Watch Inter-American Court of Human Rights Integrated Border Management International Civil Aviation Organization International Criminal Court International Covenant on Civil and Political Rights International Court of Justice International Committee of the Red Cross International Criminal Tribunal for the Former Yugoslavia International Humanitarian Law International Human Rights Law International Law Commission Intellectual Property Rights Internet Service Provider International Tribunal for the Law of the Sea International Telecommunication Regulation International Telecommunication Union Joint Criminal Enterprise Lethal Autonomous Weapon Systems Migration, Asylum, Refugees Regional Initiative Meaningful Human Control Multiple Identity Detector

and

Abbreviations

MINURCAT MINUSTAH MLA MLC MONUSCO

xvii

United Nations Mission in the Central African Republic United Nations Stabilization Mission in Haiti Mutual Legal Assistance Congo Liberation Movement United Nations Organization Stabilization Mission in the Democratic Republic of the Congo NGO Non-governmental Organization NIFO National Interoperability Framework Observatory NSA National Security Agency OCHA Office for the Coordination of Humanitarian Affairs OJ Official Journal OMC Open Method of Coordination PC Personal Computer PCDPD Police and Criminal Data Protection Directive PET Privacy-Enhancing Technology PIL Private International Law PNR Passenger Name Record PSD2 European Payment Services Directive RPA Remotely Piloted Aircraft RTP Registered Traveller Programme SBC Schengen Borders Code SIENA Secure Information Exchange Network Application SIS Schengen Information System SOFA Status of Forces Agreement SR Special Rapporteur TET Transparency-Enhancing Technology TEU Treaty on European Union TFEU Treaty on the Functioning of the European Union TFTP Terrorist Financing Tracking Programme UAS Unmanned Aerial System UAV Unmanned Aerial Vehicle UCLA Unilaterally Controlled Latino Assets UDHR Universal Declaration of Human Rights UK United Kingdom UKSC United Kingdom Supreme Court UN United Nations UNCLOS United Nations Convention on the Law of the Sea UNCT United Nations Country Team UNDP United Nations Development Programme UNGA United Nations General Assembly UNHCR United Nations High Commissioner for Refugees UNICEF United Nations Children’s Fund UNPROFOR United Nations Protection Force UNSC United Nations Security Council UNTS United Nations Treaty Series

xviii

US USD UUAV VIS VRS WA ZANL

Abbreviations

United States United States Dollars Unarmed Unmanned Aerial Vehicle Visa Information System Army of the Republika Srpska Working Arrangements Zapatista Army of National Liberation

Part I

Legal Implications of the Use of New Technologies in Law Enforcement Activities and Beyond

High-Tech Migration Control in the EU and Beyond: The Legal Challenges of “Enhanced Interoperability” Philip Hanke and Daniela Vitiello

Abstract  New technologies are transforming human mobility while raising new legal issues. This is also affecting the control of migratory flows, with an increasing recourse to sensor technology and unmanned aerial vehicles. In the European Union, this trend is coupled with an acceleration of the standardisation process of computer systems’ interconnection, aimed at fine tuning access to information and personal data by surveillance authorities. The Chapter depicts the normative, institutional and operational design of the Union as an area in which the lion’s share of internal security is ensured through new technologies and information systems. It then turns to analyse the legal challenges arising from the crafting of “smart borders”, i.e. borders based upon automation of surveillance and system interoperability. Two main research questions are tackled: first, how these new features affect the EU integrated border management; and, second, whether the existing legal framework of EU law can accommodate this change. Apparently, the search for enhanced interoperability may stretch even further the tensions underpinning the Area of Freedom, Security and Justice, so that the more interoperable EU surveillance systems become, the less coherent the EU legal order risks being.

1  Introduction The experience of international travellers has changed in recent years. In the past, one would go to an immigration officer upon arrival at the airport. Nowadays, it is increasingly more common to go to a kiosk that scans the passport and collects Philip Hanke has written Sects. 1, 2, and 3; Daniela Vitiello has written Sects. 4, 5, 6, and 7. This research has been funded by the Swiss National Science Foundation within the framework of the NCCR on the move—The migration-mobility nexus. P. Hanke University of Bern, Bern, Switzerland e-mail: [email protected] D. Vitiello (*) University of Florence, Florence, Italy e-mail: [email protected] © Springer Nature Switzerland AG 2019 E. Carpanelli, N. Lazzerini (eds.), Use and Misuse of New Technologies, https://doi.org/10.1007/978-3-030-05648-3_1

3

4

P. Hanke and D. Vitiello

certain information, involving only minimal or occasional interaction with an officer, or one goes through a gate which opens automatically after scanning the passport or identification document. The available methods also vary with the citizenship of the traveller (for example, automated passport checks might only be available for citizens of the airport’s country and citizens of countries that have a special agreement with the airport’s country) and whether he or she registered for the service (e.g., Global Entry in the US).1 Completely automatic border controls are indeed a perspective and stated goal in some places.2 Similarly, the surveillance of borders is undergoing technological upgrades. Unmanned Aerial Vehicles (UAVs), commonly referred to as drones, are increasingly used for different tasks. Migration offices, dealing with visa or residence permit applications use software tools to make decisions. Migration flows are monitored and predicted using information technology. In other words, the field of migration control (in the broadest sense) is undergoing a process of digitalisation, where both software programs and new kinds of hardware play an important role. However, not every new technology immediately creates new legal challenges. Obviously, fully autonomous decision-making, including decisions on the use of lethal force by robots or decisions on providing help, would require new rules. In other cases, existing frameworks regarding human rights or data protection might be sufficient. Here the problem is not legal protection per se, but its enforcement. Hence, since the push to invade migrants’ privacy is likely to continue, it is important to build effective shields against infringements of fundamental rights prompted by high-tech surveillance. This Chapter departs from an overview of the high-tech processes involved in modern migration control (Sect. 2), looking at the digitalisation of administrative processes, its impact on migrants’ journeys and stays, the militarisation and virtualisation of borders, as well as the more futuristic question of automation (Sect. 3). It then takes as a case study the European Union by discussing the development of an interoperable high-tech information-sharing environment for the establishment of securitised “smart borders”. The analysis moves on from the normative, operational and institutional developments associated to their establishment to explain how the “enhanced interoperability” paradigm will streamline their functioning (Sect. 4). Then, the new features of the “enhanced interoperability” paradigm are identified and examined with a view to evaluate whether they can be accommodated with the existing legal framework of EU law (Sects. 5 and 6) and are capable of overcoming the Schengen crisis of solidarity and responsibility-sharing (Sect. 7).

 For an interactive map showing which airports have implemented Automated Border Control, see IATA, Automated Border Control Implementation, available at: http://www.iata.org/whatwedo/ passenger/Pages/automated-border-control.aspx. For an overview of the algorithms used, see Sanchez del Rio et al. (2016). 2  See e.g. the plans of the United Arab Emirates: Malek (2018). 1

High-Tech Migration Control in the EU and Beyond: The Legal Challenges…

5

2  T  he Many Faces of High-Tech Migration Control: Insights from the Practice The term “digitalisation” is usually defined as the process of turning information in a form that is easily readable by a computer.3 For example, at one point countries digitalised passports and identification documents: while they used to be handwritten or typewritten in the past, modern passports are not only printed by computers, but are also easily machine-readable. They contain codes at the bottom of the main page that can be scanned and automatically be read into the computer systems of airlines or immigration authorities. Furthermore, a chip embedded in the passport usually contains a picture of the holder as well as some biometric information. The last years, however, have seen a drastic increase in digitalisation. Computers are becoming more powerful, storing digital information has become substantially cheaper, while human activity shifted further into the digital sphere. The result is the creation of big data sets, which can rather easily be analysed using modern computers. This process of “machine learning” is then used to make predictions: either to give advice to management or policy makers, but also to individual consumers. Digitalisation also leads to automation. With more and better understood data, it is increasingly possible to automate certain tasks—not just in factories, but also in office settings, such as, in a legal context, the review of contracts, or the provision of customer service. As a result, digitalisation is now taking place in all industries at the same time, affecting not only production, but creating entirely new business models. Therefore, another definition of digitalisation emphasizes the “use of digital technologies to change a business model and provide new revenue and value-­ producing opportunities”,4 which is not quite the same as the mere act of moving from the typewriter to a printer. Some use two different expressions: “digitisation” to refer to going from analogue to digital, and “digitalisation” to refer to the general transformation of processes.5 Applying that distinction, a chip with a picture integrated into a passport is digitisation, but the act of replacing human immigration officers by automated border systems is digitalisation. Sometimes, new technological means also give rise to innovative political solutions and institutional arrangements.6

 See e.g. the definition in Collins English Dictionary, available at: https://www.collinsdictionary. com/dictionary/english/digitize. 4  Gartner IT Glossary, available at: https://www.gartner.com/it-glossary/digitalization/. 5  Prause (2018). Likewise, the Third Industrial Revolution refers to the shift from analogue and mechanical devices to digital technology, whereas the Fourth Industrial Revolution is driven by further embedding of technology in society, as well as breakthroughs in artificial intelligence, the Internet of Things (IoT), robotics, and other fields. See Schwab (2017). 6  For example, one of the main problems in the Brexit negotiations is the border between Northern Ireland and the Republic of Ireland. A so-called “hard border” is not a politically desired outcome (particularly in light of the Good Friday Agreement), which is why an electronic border solution is being discussed. See Kennedy (2017). 3

6

P. Hanke and D. Vitiello

2.1  Digitalisation in Administrative Processes at the Borders Digitalisation produces a host of new data that can be used to predict future migration flows. For example, one study using Google Trends (data on searches by Google users) showed a clear correlation between the relative volume of Arabic-language searches for the term “Greece” by users in Turkey and the number of monthly arrivals of migrants (of all nationalities) into Greece. Searches peaked in August, and arrivals in October 2016.7 Such paths of data analysis are not only interesting from a scientific point of view but can also be paramount in preparing for the arrival of large flows of people, e.g. by arranging necessary accommodation and first aid. The collection of data is also currently discussed at the international level in the framework of the United Nations Global Compact for Migration, which, at the time of writing, is still at the drafting stage. The latest published version contains a commitment to “build a robust global evidence base by improving and investing in the collection, analysis and dissemination of accurate, reliable, comparable data, disaggregated by sex, age and migration status”8 and notes a couple of actions it deems instrumental, such as conducting household surveys, ensuring compatibility between national data systems, or using border and other administrative records to produce statistics. Likewise, it deems “instrumental” the use of “innovative technology”9 (which is not specified in further detail) with the purpose of providing all migrants with proper identification and documentation. Another aspect is the use of legal tech by immigration authorities. Using machine learning algorithms, agencies can implement predictive analysis tools that learn from past decisions and generate risk profiles for new applications for visas, residence permits, or asylum, e.g. by evaluating the probability that the applicant might become criminal or welfare dependent. Canada, for instance, has already taken first steps in this direction: the plan is to develop a system that automatically marks red flags for alleged fraud and weighs the merits of an immigration application.10 Although there is the potential benefit of speeding up processes substantially, there is the risk of institutionalising systematic discrimination against groups of people.11 On the other hand, it might be easier to identify biases present in software than in humans. However, digitalisation affects not only bureaucracies, but also the migrants and refugees themselves, who, likewise, are also adopting new technologies.

 Connor (2017) and European Political Strategy Centre, 10 Trends Shaping Migration, European Commission, 2017, available at: https://ec.europa.eu/epsc/publications/ other-publications/10-trends-shaping-migration_en. 8  United Nations, Global Compact for Safe, Orderly and Regular Migration, Draft Rev 1 of 26 March 2018, p. 5. 9  Ibid., para. 9. 10  Keung (2017). 11  Hanke (2017). 7

High-Tech Migration Control in the EU and Beyond: The Legal Challenges…

7

2.2  D  igitalisation and the Everyday Lives of Migrants and Refugees Smartphones take a special role in the process of technological upgrading, as they allow for global connectivity. They help during the process of migration (e.g. by providing map services or connecting migrants with smugglers), as well as by allowing migrants to keep in touch with their families. They can also play a role as a tool for integration. For example, recently arrived migrants in Germany can use an app called “Ankommen” (German for “to arrive”) developed by local authorities. The app provides basic information on German language courses, asylum procedures and aspects of life in Germany. Other apps are provided by private actors and civil society, and help with, for instance, finding accommodation (e.g. AirBnB. com’s “Open Homes” scheme12). However, there are also critical voices. Benton and Glennie13 find that the new tools do not fully meet refugees’ needs, that the speed of the technological response outpaced policy debates, and that many digital efforts are not well connected to the offline world. Furthermore, smartphones can be used for possibly problematic surveillance of asylum seekers once they entered the country. In 2017, the German Office for Migration and Refugees (BAMF) started reading out data from the mobile phones of asylum seekers (currently on a voluntary basis). This is done to obtain information about their identity and origin. The BAMF is also using speech (language and dialect) and picture analysis systems to verify the applicant’s region of origin.14 According to the Chief Information Officer of the BAMF, the system (IBM Watson), which reduced the time it takes to register a refugee from 3 h to 20 min, can detect with 80% accuracy when a person says that he or she came from Egypt but speaks with a Syrian accent. It also uses face recognition to contribute to the analysis. The official claims that the system serves refugees well, as it verifies that 99% have been truthful about their identities.15 The final decision, however, is still done by a human. Whether the use of such software is legal and effective is still up for debate.16 The possible combination of faulty software and public officials who are not sufficiently qualified17 to assess complicated asylum applications has been the cause for criticism.18 In Germany, this led the Federal Commissioner for Data Protection and Freedom of Information to question whether the massive invasion of privacy is constitutional. In her statement,19 she argued that the invasion of privacy does not withhold a  See https://www.airbnb.de/welcome.  Benton and Glennie (2016). 14  Strerath and Gremer (2017). 15  Richter (2018). 16  Biselli (2017a). 17  Holzschuh (2017). 18  Biselli (2017b). 19  Documented in: Reuter (2017). 12 13

8

P. Hanke and D. Vitiello

p­ roportionality test, as the information can also be obtained through less invasive means. Infringing on fundamental rights can only be legitimate as a last resort and thus can only be done if all other measures have failed. Phones of asylum seekers, she argued, can contain very personal data, and a search thereof thus reveals more information than necessary for the administrative process. She also raised the concern that such a search also infringes upon the rights of thirds (e.g. communication partners) who are not a party to the asylum procedure. Other countries are working on similar measures. For example, the Austrian Minister of the Interior recently proposed accessing smartphone data of asylum seekers, in particular the geographic data, and claimed that the government is already working on a solution that does not collide with fundamental rights obligations.20 There are also other technological developments with relevance for migration. The emergence of so-called FinTech (financial technology) start-ups specializing on currency transfers led to a significant reduction in costs related to remittance payments, which totalled around USD 429 billion in 2016.21 Furthermore, an increasing number of such payments are now made using Bitcoin or other cryptocurrencies. The advantages of these currencies are the low transaction costs, particularly when making transfers to developing countries. The United Nations Development Programme (UNDP) started a trial in Tajikistan together with a blockchain start-up which aims at enabling regional labour migrants to send and receive money by using cheap smartphones in a predominantly cash-based economy.22 Decisions taken by financial supervisory authorities and lawmakers in general on how to regulate FinTech companies, which are currently treated favourably by regulators, as evidenced e.g. by the new European Payment Services Directive (PSD2), and cryptocurrencies, where policy approaches swing between scepticism and hype, will thus have ramifications on the lives of migrants. The aspect of high costs of remittance payments is also taken up in the Global Compact for Migration (mentioned earlier), which, again, considers instrumental the development of “innovative technological solutions for remittance transfer, such as mobile payments, digital tools or e-banking, to reduce costs, improve speed, enhance security, increase transfer through regular channels and open up distribution channels to underserved populations, including in rural areas”.23 Considering the speed at which the global financial sector is undergoing structural change, this provision might actually even become obsolete before the Compact is ratified.

 See e.g. the new Austrian government’s plan to read geodata from phones: Hagen (2018).  World Bank (2017). 22  Castillo (2017). 23  United Nations, Global Compact cit., p. 22. 20 21

High-Tech Migration Control in the EU and Beyond: The Legal Challenges…

9

2.3  The Militarisation and Virtualisation of Borders Borders around the world are continuously upgraded, adding all kinds of surveillance systems. Despite the debate surrounding the construction of a concrete wall, the border between the United States and Mexico is undergoing such a process. The result is a “virtual wall” that incorporates military and civilian technology. Recent calls for tenders have shown that the border authorities are increasingly investing in drones.24 Unlike the UAVs currently in use, which have been marred with technical problems and shortcomings,25 these drones will also have facial recognition capabilities as well as equipment to capture biometric information.26 To give an estimate of the numbers involved: the IDENT database of the US Department of Homeland Security (DHS) contains over 170 million fingerprints and facial images from non-­ citizens who entered the United States,27 and the FBI is able to scan across 411 million photos (of US citizens and foreigners) in state and federal databases.28 The latter was criticized in a report by the Government Accountability Office for the lack of audits for inaccuracies and safeguards against infringements on privacy rights.29 Particularly at this border, the surveillance combines two policy goals: one is the prevention of unauthorized migration; the other is the interdiction of drug trafficking and other crimes. Facial detection through drones can help warn border patrol agents if it detects known violent criminals, particularly since communication channels in the field are not always operating well and backup is not always readily available.30 However, this means that migrants, including unaccompanied minors, are subjected to harsh measures intended against highly armed drug cartels. The recent decision to deploy Arizona and Texas National Guard troops to the Mexican border marks another step towards the militarization of border control (although similar actions were taken previously by Presidents Bush and Obama). In particular, the DHS Secretary Kirstjen Nielsen is reported saying that the National Guard could “help look at the technology, the surveillance”, especially since the military is not allowed to directly carry out law enforcement duties.31 It is thus fair to conclude that there is a certain cross-fertilization between warfare and border control.  Biryukov (2017).  Peck (2018). 26  Nixon (2017). 27  Sternstein (2015). 28  United States Government Accountability Office, Face Recognition Technology—FBI Should Better Ensure Privacy and Accuracy. Report to the Ranking Member, Subcommittee on Privacy, Technology and the Law, Committee on the Judiciary, US Senate, 2016. Washington, D.C., available at: https://www.gao.gov/assets/680/677098.pdf. 29  Ibid. 30  Brandom (2017). 31  CNBC, National Guard Troops from Arizona, Texas Deploy to Border, 6 April 2018, available at: https://www.cnbc.com/2018/04/06/national-guard-troops-from-arizona-texas-deploy-to-border. html. 24 25

10

P. Hanke and D. Vitiello

Similarly, the European Union and its Member States are investing in new technologies as well, although the fragmentation of competencies in that field are more pronounced than in the United States.32

3  A  utonomous Systems at the Border: The Trolley Problem or… Defining Clear Rules Ex Ante Autonomous systems need to take decisions “on their own”, which, in fact, means: according to pre-defined rules. With regard to migration, two particular decisions are relevant: In which cases should the system provide help, and to whom? When should it use force to prevent a certain outcome? The so-called “trolley problem” was first put forward in the late 1960s,33 and has been formulated in a wide variety of contexts and revolves around the question whose life should be saved in a hypothetical scenario where a runaway train is barrelling down the tracks. It is highly relevant when it comes to autonomous systems and is currently mainly discussed in the context of self-driving cars. In this scenario, the vehicle’s software is forced to make a decision between several courses of action and respective outcomes. Shall the vehicle run over pedestrians crossing the street and save its occupants, or should it crash into a wall, saving the pedestrians but killing the occupants of the vehicle? In the field of border control, similar cases can be conceived. Consider, for example, the case where a coast guard ship (or a rescue drone with facial recognition) is called in for a marine emergency. There are two boats in distress and about to drown, thereby killing all their passengers. One boat contains eight children, whereas the other boat contains ten Syrian refugees, of which six are ISIS members. The example poses an ethical question in the realm of border protection at sea. When confronted with this example, the participants of a workshop held at the University of Parma in June 2017 almost unanimously opted to rescue the boat with children.34 This reflects a clear value judgment: the lives of six children are valued higher than that of eight adults (or people who are presumed to be adults, as the case did not actually state the age of the passengers on that boat), of which some are terrorists. Other cases might involve the choice between saving children and saving a larger number of innocent adults, or saving men versus saving women, saving people who might integrate well into the labour force versus saving people who are in a higher need of assistance, and so forth. There are many ways of answering these ethical dilemmas, which cannot be discussed here in all detail.35 What is important,  See below, Sect. 7.  Foot (1967). 34  Workshop “New Technologies as Shields and Swords: Challenges for International, European and Domestic Law”, 19–20 June 2017, University of Parma, Italy. 35  At MIT’s Moral Machine website, the user can judge which outcome is more acceptable in a larger number of scenarios involving self-driving cars. See moralmachine.mit.edu. 32 33

High-Tech Migration Control in the EU and Beyond: The Legal Challenges…

11

however, is that with new technologies, who makes these decisions and where those decisions are made matters. In the case of a coast guard ship, the decision is made in the spur of the moment, maybe guided by documents such as internal rules or directives. The autonomous drone, however, takes action according to algorithms programmed by its developers, that is, at a completely different time and place. Is there a right answer to the question whether one should save children or terrorists? Different belief systems, legal theories, and approaches obviously affect the outcome. So far, the decision has been delegated to the unlucky person who ended up being in the particular situation to actually take action. The increasing use of autonomous systems—be it self-driving cars or drones used in the Mediterranean or at the border between the United States and Mexico—offers the opportunity to devise rules not at the individual, but democratically at the social level. In many places around the world, thought processes are on the way to address these ethical questions and come up with a legal framework regulating the use of robots. Germany put in place the subcommittee “Fachforum Autonome Systeme” of the “Hightech Forum”, an expert council advising the Federal Government. An ethics commission constituted by the Federal Ministry of Transport and Digital Infrastructure defined twenty rules for autonomous vehicles.36 Similar initiatives exist in the Netherlands (“Digitale Zamenleving”) and elsewhere. Most importantly, the European Parliament has the issue on its agenda and released a study on the subject in 2016.37

4  E  U Integrated Border Management and the “Security Union”: A Laboratory for High-Tech Migration and Border Control The development of the EU Integrated Border Management (IBM) was conceived as an operational spin-off of the Schengen cooperation, aimed at enhancing efficiency and responsibility-sharing in EU Member States’ cooperation at the external borders, with a view to better safeguarding the internal security of the Area of Freedom, Security and Justice (AFSJ). Since the very beginning, the search for efficiency spill-overs has contributed to the crafting of the IBM as a laboratory for the testing of all most up-to-date technologies applicable to border surveillance.38 The political option for a “high-tech” border control system has favoured the establishment of a legal nexus between the EU border policy and the EU external action in the field of migration, allowing an extension of the operational area of joint interdiction and surveillance well-ahead of the external line of demarcation of EU

 Ethik-Kommission (2017).  Nevejans (2016). 38  Dijstelbloem et al. (2011). 36 37

12

P. Hanke and D. Vitiello

Member States’ territory.39 In addition, the EU Integrated Maritime Surveillance (IMS) has been intermingled with the construction of a Common Information Sharing Environment (CISE).40 In this way, the digitalisation of EU border management has become a constitutive element for the development of the EU’s external borders as a legal fiction, putting forward a unique typology of “virtual” borders for a sui generis international organisation.41 These virtual borders can be described as a buffer zone, functionally-­ connoted and administratively interconnected with its external neighbourhood. The external dimension of EU border policy is mostly based upon satellite and sensor networks, providing pre-frontier intelligence pictures building up the necessary situational awareness to eliminate blind spots in the “security continuum”.42 Its border dimension is characterised by the recourse to biometric identifiers, security scanners43 and other high-tech systems, advancing the automation of administrative processes of fingerprinting, identity verification and flow monitoring. Its internal dimension is made by IT databases, accessible to national law enforcement authorities. This functional design has been completed by the empowerment of supranational “security professionals”—the AFSJ Agencies—44 entrusted with two principal tasks: first, the coordination of cooperation between EU Institutions, EU Member States and third parties; second, the administration of high-tech devices for migration and border control. With the adoption of the 2010 Internal Security Strategy45 and the 2014 Maritime Security Strategy,46 inter-agency cooperation on border surveillance has been institutionalised, with a view to foster the dual use of

 Beuving (2010), p. 220.  Communication to the European Parliament and the Council of 8 July 2014, Better situational awareness by enhanced cooperation across maritime surveillance authorities: next steps within the Common Information Sharing Environment for the EU maritime domain, COM(2014) 451 final. 41  On the a contrario definition of “external borders” in EU law see Article 2(2) of Regulation (EU) 2016/399 of the European Parliament and of the Council of 9 March 2016 on a Union Code on the rules governing the movement of persons across borders (Schengen Borders Code), OJ L 77/1 (“SBC”). On the extension of joint border control beyond the external line of demarcation of EU Member States’ territory, see Guild (2001), p. 13 ff. On the “legal fiction” of EU’s external borders, as dissociated from the territorial scope of EU law as specified in Articles 52 and 355 TFEU, refer to Thym (2016), p. 40. 42  Bigo (1994). 43  Bellanova and Gonzalez Fuster (2013). 44  Pollak and Slominski (2009), Carrera et al. (2013) and Zeitlin (2015). 45  Communication to the European Parliament and the Council of 22 November 2010, The EU Internal Security Strategy in Action: Five steps towards a more secure Europe, COM(2010) 673 final. 46  European Union Maritime Security Strategy as adopted by the Council (General Affairs) on 24 June 2014, 11205/14. 39 40

High-Tech Migration Control in the EU and Beyond: The Legal Challenges…

13

high-tech instruments within the framework of enhanced coordination between the IBM strategy and the Common Security and Defence Policy (CSDP).47 However, the development of this high-tech, multi-layered system of border management has not prevented the emergence of structural tensions linked to the lack of inter-state solidarity, mutual trust and sincere cooperation, nor it has effectively protected European citizens from “hybrid threats”,48 associated to terrorism and transnational crime, nor prevented colossal fatalities recurrently occurring during unauthorized migration journeys.49 Although the EU Ιnstitutions have acknowledged mass movements of migrants and refugees as “the new normal”,50 the EU response confirmed an aprioristic listing of mixed flows of third country nationals among the threats to internal security, in blatant disregard of the premises of the Schengen Border Code (SBC).51 The so-called “refugee crisis” exasperated the IBM risk-adverse rationale through an emergency rhetoric prioritising ad hoc solutions and the obsession for “blind spots”. This rhetoric prompted a massive retaliation against smugglers52 and muscular responses to irregular migration and asylum abuses,53 which have offered the occasion to complete the design of the EU’s external borders as a “low-intensity war zone”.54 Among the “morbid symptoms” that have appeared during the “crisis-­ interregnum”,55 two are tightly connected to the high-tech dimension of border control: a proactive use of UAVs at EU’s external borders and a renewed emphasis on “enhanced interoperability”. These two elements have been turned into structural components of “an effective and genuine Security Union”,56 based upon a ­brand-­new  Progress report “State of play” on the Strengthening Ties between CSDP and FSJ road map implementation, EEAS document 01648/12, LIMITE 14130/12, 24 September 2012; Interim Strategic Review of EUBAM Libya, EEAS(2015) 435, LIMITE 7886/15, 13 April 2015; Parkin (2012). 48  Joint Communication to the European Parliament and the Council of 6 April 2016, Joint Framework on countering hybrid threats. A European Union response, JOIN(2016)18 final; A Europe that protects: EU works to build resilience and better counter hybrid threats, European Commission Press Release of 13 June 2018. 49  See UNHCR, Mediterranean death toll soars, 2016 is deadliest year yet, 25 October 2016. 50  Communication to the European Parliament, the European Council, the Council and the European Investment Bank of 7 June 2016, On establishing a new Partnership Framework with third countries under the European Agenda on Migration, COM(2016) 385 final, p. 5. 51  Preamble of SBC, Recital 26. Contra, see European Council Conclusions of 18 October 2018, Press Release 577/18. 52  United Kingdom, House of Lords, EU Action Plan against migrant smuggling, London: The Stationery Office Limited, 3 November 2015. 53  Communication to the European Parliament and the Council of 16 March 2016, Next Operational Steps in EU-Turkey Cooperation in the Field of Migration, COM(2016) 166 final, p. 2. 54  Heyman and Campbell (2012). 55  On the famous definition of the crisis as an “interregnum”, elaborated by Antonio Gramsci, and on its relevance today, see Bauman (2012). 56  European Council Conclusions of 15 December 2016, EUCO 34/16; Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions of 28 April 2015, The European Agenda on Security, COM(2015) 185 47

14

P. Hanke and D. Vitiello

“defence-security nexus”,57 presented by the Commission as a policy priority for the next years. Therefore, the refugee crisis has been the test-bed for a decisive shift towards a European multi-dimensional approach to security and defence, delivering “a new phase in integrated border management”58 and a new approach on interoperability of information systems.59 These changes may have a huge impact on data protection, access to asylum and human security at sea. The following sub-sections seek to provide insights for a legal appraisal of these changes, moving on from the normative, operational and institutional developments associated to the construction of the EU’s “smart borders” to explain how the “enhanced interoperability” paradigm will streamline their functioning.

4.1  The Architecture of EU’s “Smart Borders” The EU response to the refugee crisis encompasses two potential drivers of change: the construction of “smart borders” and the search for “enhanced interoperability” of EU databases on migration, asylum and police cooperation.60 Understanding how the latter will work requires a previous assessment of the changes that the former introduces. This entails, inter alia, situating three developments within a renewed “IBM strategy”61: from the normative angle, the establishment of an Entry-Exit System (EES)62; from an operational viewpoint, the regular recourse to sky ­patrolling final (“Agenda on Security”). On the legal development of the “Security Union”, see Carrera and Mitsilegas (2017). 57  The Defence-Security Nexus. Towards an EU Collective Security, European Political Strategy Centre Strategic Notes No. 28, 18 October 2017.  On the EU Global Strategy, refer to Council Conclusions of 19 November 2018  on Security and Defence in the context of the EU Global Strategy, Doc. 13978/18. 58  Communication to the European Parliament, the European Council and the Council of 20 April 2016, Delivering on the European Agenda on Security to fight against terrorism and pave the way towards an effective and genuine Security Union, COM(2016) 230 final, p. 5. 59  Communication to the European Parliament, the European Council and the Council of 16 May 2017, Seventh progress report towards an effective and genuine Security Union, COM(2017) 261 final. 60  Interoperability package. Presentation by Julian King, Commissioner for the Security Union, at the LIBE Committee of the European Parliament, 15 January 2018, LIBE/8/11944. 61  See Article 4 of Regulation (EU) 2016/1624 of the European Parliament and of the Council of 14 September 2016 on the European Border and Coast Guard and amending Regulation (EU) 2016/399 of the European Parliament and of the Council and repealing Regulation (EC) 863/2007 of the European Parliament and of the Council, Council Regulation (EC) 2007/2004 and Council Decision 2005/267/EC, OJ L 251/1 (“Frontex Regulation”). 62  Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention

High-Tech Migration Control in the EU and Beyond: The Legal Challenges…

15

and inter-agency cooperation within the third phase of Eurosur63; from an institutional perspective, the transformation of Frontex into the European Border and Coast Guard Agency (EBCGA).64 The key normative development, affecting the construction of EU’s smart borders, is the accomplishment of the old project of the European Commission to establish the EES. This project was launched again in 2016, with partial amendments concerning the aspects that led to the failure of the 2013 package.65 More precisely, the 2016 revised package expands access rights for law enforcement authorities, extends data retention periods and merges within the new EES Regulation the old proposals on the EES and the Registered Traveller Programme (RTP).66 In addition, it integrates the technical infrastructure needed to grant interoperability between the EES, the pre-existing Visa Information System (VIS)67 and the new European Travel Information and Authorisation System (ETIAS).68 Importantly, the adoption of the 2016 “smart borders package” has led to an amendment of the 2016 SBC, aimed at operationalising automated border controls via the introduction of “e-gates” and “self-service systems” for pre-enrolling data in the EES.69 At the same time, the strengthening of the IBM counter-terrorism component has been pursued through another amendment of the SBC, allowing for systematic checks against relevant law enforcement databases on all persons (including EU citizens).70 Furthermore, the modification of the EU legal body regulating ­border implementing the Schengen Agreement and Regulations (EC) 767/2008 and (EU) 1077/2011, OJ L 327/20 (“EES Regulation”). 63  Communication to the European Parliament and the Council of 26 November 2014, A new era for aviation—Opening the aviation market to the civil use of remotely piloted aircraft systems in a safe and sustainable manner, COM(2014) 451 final. On the phases of Eurosur, see Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions of 13 February 2008, Examining the creation of a European border surveillance system (EUROSUR), COM(2008) 68 final. 64  Article 1 of Frontex Regulation. 65  ‘Smart borders’: enhancing mobility and security, IP/13/162 of 28 February 2013. For a critical appraisal of the 2013 package see Jeandesboz et  al. (2013); Article 29 Working Party (“WP”), Opinion 05/2013 of 6 June 2013 on Smart Borders, WP206. 66  Smart Borders Package: Questions & Answers, MEMO/16/1249 of 6 April 2016. 67  Council Decision of 8 June 2004 establishing the Visa Information System (VIS), OJ L 213/5. 68  Regulation (EU) 2018/1241 of the European Parliament and of the Council of 12 September 2018, amending Regulation (EU) 2016/794 for the purpose of establishing a European Travel Information and Authorisation System (ETIAS), OJ L 236/72. The ETIAS mirrors the US “ESTA” system, determining the eligibility of visa-exempt third country nationals to travel to the Schengen area in light of security and migration risks by gathering and checking their biographical information before departure. For a critical appraisal, refer to Alegre et al. (2017). 69  Regulation (EU) 2017/2225 of the European Parliament and of the Council of 30 November 2017, amending Regulation (EU) 2016/399 as regards the use of the Entry/Exit System, OJ L 327/1. 70  Regulation (EU) 2017/458 of the European Parliament and of the Council of 15 March 2017, amending Regulation (EU) 2016/399 as regards the reinforcement of checks against relevant databases at external borders, OJ L 74/1. See also: Recommendation of 15 June 2015, Amending the Recommendation establishing a Common Practical Handbook for Border Guards (Schengen

16

P. Hanke and D. Vitiello

management is far from being finalised. Three new amendments to existing legislation may substantially contribute to re-shaping the EU’s external borders: the recast of the Schengen Information System (SIS II),71 to improve the use of biometric identifiers and include automated fingerprint search functionality for law enforcement purposes; the extension of the European Criminal Records Information System to Third Country Nationals (ECRIS-TNC)72; and the empowerment of the EU Agency for the operational management of large scale IT systems in the area of freedom, security and justice (eu-LISA).73 The digitalisation of visa processing, envisaged by the Commission in order to create “better synergies between EU visa policy and EU external relations”,74 will complete the architecture of the EU’s smart borders. The strengthening of maritime surveillance, within the framework of Eurosur,75 can be considered the key operational component in the construction of the EU’s

Handbook) to be used by Member States’ competent authorities when carrying out the border control of persons (C (2006) 5186 final), C(2015) 3894 final. 71  Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018, On the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) 1987/2006, OJ L 312/14. See also: Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018, On the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU, OJ L 312/56. 72  Proposal for a Regulation of the European Parliament and of the Council of 29 June 2017, Establishing a centralised system for the identification of Member States holding conviction information on third country nationals and stateless persons (TCN) to supplement and support the European Criminal Records Information System (ECRIS-TCN system) and amending Regulation (EU) 1077/2011, COM(2017) 344 final, 2017/0144 (COD). See also: Proposal for a Directive of the European Parliament and of the Council of 19 January 2016, amending Council Framework Decision 2009/315/JHA, as regards the exchange of information on third country nationals and as regards the European Criminal Records Information System (ECRIS), and replacing Council Decision 2009/316/JHA, COM(2016) 7 final, 2016/0002 (COD). On the ECRIS, refer to Montaldo, in this volume. 73  Regulation (EU) 2018/1726 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) 1077/2011, OJ L 295/99. 74  Communication to the European Parliament and the Council of 14 March 2018, Adapting the common visa policy to new challenges, COM(2018) 251 final. See also: Proposal for a Regulation of the European Parliament and of the Council of 16 May 2018, amending Regulation (EC) 767/2008, Regulation (EC) 810/2009, Regulation (EU) 2017/2226, Regulation (EU) 2016/399, Regulation XX/2018 [Interoperability Regulation], and Decision 2004/512/EC and repealing Council Decision 2008/633/JHA, COM(2018) 302 final, 2018/0152 (COD). 75  Regulation (EU) 1052/2013 of the European Parliament and of the Council of 22 October 2013 establishing the European border surveillance system (Eurosur), OJ L 295/11 (“Eurosur Regulation”).

High-Tech Migration Control in the EU and Beyond: The Legal Challenges…

17

smart borders.76 It entails upgrading the functionalities of the European Maritime Information Sharing System via the integration of Eurosur Fusion Services by means of a massive deployment of sensor and satellite technology and enhanced inter-agency cooperation.77 The principal aim is to register all events of irregular migration and cross-border crime, enabling Frontex Risk Analysis Unit to deliver accurate reports on pre-frontier situation.78 This development goes hand in hand with the expansion of Frontex’ mandate, representing the institutional volet in the design of EU’s smart borders. It plays a crucial role in buttressing the IBM risk-adverse rationale by means of strengthened tools of regulation by information79 and an influential say in the debate over the use of cost-effective quasi-automatic border checks and border monitoring UAVs.80 Through the development of common risk indicators for border checks, the Agency is now capable of supporting the identification of foreign fighters by national border guards.81 In addition, it has been charged with monitoring “the capacity and readiness of Member States to face threats and challenges at the external borders”,82 a task that is performed on the basis of intelligence collected in the context of joint operational activities.83 Lastly, Frontex has been mandated to boost the “operational

 Refer to Marin and Krajčíková (2016) and Rijpma (2017).  The support of the European Maritime Safety Agency (EMSA), the European Fisheries Control Agency (EFCA) and the EU Satellite Centre (SatCen) to national authorities carrying out Coast Guard functions is foreseen by the respective Founding Regulations. According to the Commission, the procurement process to provide Remotely Piloted Aircraft Systems (RPAS) services for maritime surveillance has been already finalised and RPAS have been used for demonstrations. See European Parliament, Parliamentary Questions E-000107/2017 of 27 March 2017, Answer given by Ms Bulc on behalf of the Commission. See also Frontex and EMSA, Pilot Project: “Creation of a European Coastguard Function”. Final Report, 22 December 2017, p. 12. 78  See Joint Staff Working Document of the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy of 14 June 2017, Second Report on the implementation of the EU Maritime Security Strategy Action Plan, SWD(2017) 238 final, p. 14. 79  Among AFSJ Agencies, Frontex’ regulatory role has been crucial to the establishment of the IMB, by providing an epistemic foundation to the EU border and migration agenda, via risk analysis based on data gathered during joint operations and pilot projects. On this task, see amplius Paul (2016). 80  Frontex conducted the pilot for the Automated Border Control (ABC) system and collaborated with eu-LISA to the pilot for the EES. Refer to FRONTEX Guidelines for Processing of ThirdCountry Nationals through Automated Border Control, Frontex 2016; From strategic guidelines to actions: the contribution of the JHA Agencies to the practical development of the area of freedom, security and justice in the EU, EASO 2014. 81  EU Counter-Terrorism Coordinator, JHA agencies’ role in counter-terrorism, LIMITE 6146/18 ADD 1, 27 February 2018, para. 3. O the extension of Frontex’ mandate to counter-terrorism, see Frontex Regulation, Article 8(1)(m). 82  Ibid., Article 8(1)(b). 83  Ibid., Article 47. See also: Joint Communication to the European Parliament, The European Council and the Council of 25 January 2017, Migration on the Central Mediterranean route Managing flows, saving lives, JOIN(2017) 4 final. 76 77

18

P. Hanke and D. Vitiello

interoperability” between Eurosur84 and a complex web of non-EU risk analysis networks dispersed along key migratory routes.85 As noted by the European Data Protection Supervisor (EDPS), this expanded mandate turns the Agency into a “personal data hub where massive amounts of personal information is to be processed for border management”—86 a development that may raise concerns over the respect of data protection standards, especially with regards to asylum seekers.87

4.2  C  rafting the EU’s “Smart Borders” as an Interoperable Environment The “technical glue” connecting all the dots of this impressive common information-­ sharing environment is represented by the concept of “enhanced interoperability”.88 This concept was put forward by the European Commission in the aftermath of the EU Agenda on Security89 and followed up by entrusting a High-Level Expert Group on Information Systems and Interoperability (HLEG) to develop proposals for the improvement of existing databases, the creation of complementary systems to close information gaps and the containment of fragmentation and obstacles to an effective communication of all systems.90 The HLEG delivered its Final Report in May  Article 12 of Eurosur Regulation.  Frontex Regulation, Article 8(1)(s). “Operational interoperability” has been achieved via association of third countries’ information and intelligence services. In the 2018 proposal for the recast of Frontex Regulation, the agency’s hub function is further emphasised, since Eurosur is “internalised” into Frontex’ legislative framework. See the Proposal for a Regulation of the European Parliament and of the Council of 12 September 2018, On the European Border and Coast Guard and repealing Council Joint Action No 98/700/JHA, Regulation (EU) 1052/2013 of the European Parliament and of the Council and Regulation (EU) 2016/1624 of the European Parliament and of the Council, COM(2018) 631 final, 2018/0330 (COD). 86  EDPS, Opinion of 18 March 2016, Securing Europe’s rights and borders. See also: Opinion of 17 May 2010, on the Proposal for a Regulation of the European Parliament and the Council Amending Council Regulation (EC) 2007/2004 Establishing a European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union (Frontex), para. 34 ff. 87  European Union Agency for Fundamental Rights (FRA), Fundamental rights and the interoperability of EU information systems: borders and security, July 2017, p. 26 ff. 88  Communication to the European Parliament and the Council of 6 April 2016, Stronger and Smarter Information Systems for Borders and Security, COM(2016) 205 final; Joint Communication to the European Parliament and the Council of 10 November 2017, Improving Military Mobility in the European Union, JOIN (2017) 41 final, p. 2. On the concept of interoperability, see Berthelet (2017). 89  European Agenda on Security: Commission sets out new approach on interoperability of information systems, IP/17/1303 of 16 May 2017. 90  Commission Decision of 1 July 2016, Setting up the High-Level Expert Group on Information Systems and Interoperability, C(2016) 3780. 84 85

High-Tech Migration Control in the EU and Beyond: The Legal Challenges…

19

2017.91 Its recommendations were acknowledged by the Justice and Home Affairs (JHA) Council in June,92 engaging the Commission in proposing legislative options. These options were presented in December 2017 within the framework of the so-called “twin proposals”: one, on interoperability of information systems for borders and visa; the other, on interoperability of information systems for police and judicial cooperation, asylum and migration.93 In order to assess whether and how these proposals mark a real change, it is necessary to acknowledge that the “interoperability call” is all but new.94 It dates back to the very foundation of the EU IBM as based upon an anticipatory border governance, operationalised through “non-arrival” policies95 and externalisation of migration and asylum responsibilities.96 The search for enhanced interoperability has already played a role in the elaboration and enforcement of a “sea border control concept” for areas of large influx of irregular migrants, which has been tightly connected to the use of “technical devices” to ensure the overall traceability of human mobility at EU’s external frontiers and beyond.97 At the same time, the gradual establishment of an integrated management system for EU’s external borders98 has presupposed an ever-increasing integration of EU Member States’ domestic border control services, pursued through the development of a composite information sharing architecture, based upon interconnected IT databases.99 Thus, it is necessary to identify the new functional features—if any—of the quest for “enhanced interoperability” within the framework of the “Security Union”. The unprecedented technological change, making it possible the attainment of results that were completely out of reach few years ago, is certainly part of the picture. It may pose new challenges to the rule of law and fundamental rights, which may not necessarily find suitable legal solutions within the EU legal order. However,  HLEG, Final Report of 17 May 2017 on Information Systems and Interoperability (“HLEG Final Report”). 92  Council Conclusions of 8–9 June 2017, On the way forward to improve information exchange and ensure interoperability of EU information systems, Doc. 10151/17. 93  Proposal for a Regulation of the European Parliament and of the Council of 12 December 2017, On establishing a framework for interoperability between EU information systems (borders and visa) and amending Council Decision 2004/512/EC, Regulation (EC) 767/2008, Council Decision 2008/633/JHA, Regulation (EU) 2016/399 and Regulation (EU) 2017/2226, COM(2017) 793 final; Proposal for a Regulation of the European Parliament and of the Council of 12 December 2017, On establishing a framework for interoperability between EU information systems (police and judicial cooperation, asylum and migration), COM(2017) 794 final. 94  Communication to the Council and the European Parliament of 24 November 2005, On improved effectiveness, enhanced interoperability and synergies among European databases in the area of Justice and Home Affairs, COM(2005) 597 final. See amplius Gutheil et al. (2018), p. 42 ff. 95  Gammeltoft-Hansen and Hathaway (2015). 96  Refer to Brouwer (2008), p. 132 ff.; Rijpma and Cremona (2007). 97  Strategy deliberations of the Council of the European Union of 21 November 2006, Integrated Border Management, Doc. 13926/3/06 REV 3. 98  Article 77(2)(d) TFEU. 99  The Stockholm Programme—An Open and Secure Europe Serving and Protecting Citizens (2010/C 115/01), OJ C 115/1, para. 4.2.3. 91

20

P. Hanke and D. Vitiello

technology does not determine its function. This means that the transformative power of the new “enhanced interoperability” paradigm cannot be simplistic inferred from the provision of brand-new technical components, such as the European Search Portal (ESP), the shared Biometric Matching Service (BMS), the Common Identity Repository (CIR) and the Multiple Identity Detector (MID).100 On the contrary, it has to be assessed through a teleological approach, researching the function of the “enhanced interoperability” paradigm within the development of the EU’s smart borders. Beyond the physiological adjustment of European IT systems to a rapidly evolving technological landscape, a thorough reading of the twin proposals shows how the concept of interoperability passes from being a technical feature of IT systems to an encompassing policy goal. Indeed, unleashing the potential of EU databases serves the purposes of “a more joined-up inter-agency and cross-sectoral approach” to hybrid threats, as set forth in the EU Agenda on Security.101 This approach is central in the crafting of a “Security Union” as based upon the blending of migration management, counter-terrorism and external defence policy settings.102 Legally speaking, it prompts the blurring of regulatory boundaries between different EU policies, adopted upon different legal bases, mostly belonging to the CSDP and the AFSJ.103 This move may trigger several legal challenges, as it potentially clashes with the rigidity of the EU “constitutional” order based upon the rule of law and the principles of conferral, subsidiarity, procedural autonomy and institutional balance. Interoperability is ultimately presented as a powerful shield against these risks, allowing the construction of the “defence-security nexus” without amending the Treaties.104 Therefore, the “enhanced interoperability” paradigm has to be understood as a key enabler of this “Security Union”. As expressly stated by the European Commission, it is intended to overcome the division of rules and competences characterising the “different silos”105 of European policies having a security component,  On their specific technical function within the economics of the “twin” legislative proposals, see Eisele (2018). 101  Agenda on Security, p. 4. 102  Joint Declaration of the European Parliament, the Council and the Commission of 14 December 2017, On the EU’s legislative priorities for 2018–2019. See also: Communication to the European Parliament, the European Council and the Council of 24 January 2018, Thirteenth progress report towards an effective and genuine Security Union, COM(2018) 46 final, p. 1. 103  On the legal challenges linked to this cross-sectoral approach see EDPS, Reflection paper of 17 November 2017 on the interoperability of information systems in the area of Freedom, Security and Justice, p. 9. 104  The Defence-Security Nexus, p. 3, where the Commission acknowledges that the construction of this nexus might encounter “constitutional limitations”, which “could, at times, impede the merging of internal and external security dimensions, particularly if this is done using a single instrument”. Therefore, interoperability may play a role in ensuring consistency without amending the Treaties. 105  Impact Assessment of a Commission proposal for a Regulation of the European Parliament and of the Council on establishing a framework for interoperability between EU information systems (borders and visa) and amending Council Decision 2004/512/EC, Regulation (EC) 767/2008, Council Decision 2008/633/JHA, Regulation (EU) 2016/399 and Regulation (EU) 2017/2226 100

High-Tech Migration Control in the EU and Beyond: The Legal Challenges…

21

by means of technical devices streamlining access rights and information sharing among all law enforcement end users.

5  I nteroperability as an Encompassing Goal: Crowding Fundamental Rights and Data Protection Out? As a matter of legal definition, the “enhanced interoperability” paradigm shall promote the development of a comprehensive and less-fragmented machinery for EU information systems dealing with migration and border management. Coverage, predictability and timelessness of the information shared are in fact the necessary prerequisites to improve the reaction capability and swift response to threats. At the same time, there is no doubt that the new fully-fledged system of interoperable databases will have to operate in compliance with fundamental rights, including data protection. In its impact assessment of the twin proposals on interoperability, the European Commission affirmed that the new measures “would not alter the balance already ensured by each of the existing central systems as regards their impact on fundamental rights”.106 However, it also conceded that interoperability may have “an additional, indirect impact (both positive and negative) on a number of fundamental rights” enshrined in the EU Charter of Fundamental Rights (EUCFR).107 How the EU Legislator is going to cope with the trade-off between the attainment of “enhanced interoperability” in the security field and the preservation of the existing balance as regards fundamental rights and data protection has not been clarified at this stage of the legislative process. Nonetheless, there can be identified at least four features of the new “enhanced interoperability” paradigm that could affect the legitimacy of the outputs of the balancing exercise. The first two, which are related to the (COM(2017)793) and of a Commission proposal for a Regulation of the European Parliament and of the Council on establishing a framework for interoperability between EU information systems (police and judicial cooperation, asylum and migration) (COM(2017) 794), SWD(2017) 473, SWD(2017) 474 (summary), (“Impact Assessment”), p.  11.  In the same vein, see also Council Conclusions of 6 December 2018 on the future strategic direction in the field of internal security, Doc. 14806/18, para. 1: “the European Union’s strategic direction in the field of internal security calls for deepening the integrated and holistic approach in the area of freedom, security and justice as set out in the EU treaties, to support the Member States in their core objective to guarantee internal security”. 106  Impact Assessment, p. 33 ff. Another feasibility study will be launched by the Commission in the first quarter of 2019 to further explore technical, operational and legal aspects of interoperability between the customs and JHA systems for both EU border management and customs operations. See Council of the European Union, Assessment Report of Practitioners—Executive Summary of 4 December 2018, Doc. 15142/18. 107  These rights include: the right to dignity (Article 1), the right to life (Article 2), the respect for private life (Article 7), the protection of personal data (Article 8), the right to asylum (Article 18), the prohibition of refoulement (Article 19), the principle of non-discrimination (Article 21), the right to an effective remedy (Article 47).

22

P. Hanke and D. Vitiello

“scale effects” produced by centralisation, are examined below, while the other two, which are direct expression of the technological jump, are considered in the next session. The first feature is the quantitative dimension of data collection and retention. Indeed, the new paradigm is based upon large-scale sharing of vast quantities of real time data, retained in the centralised system for years. The massive amount of data stored, to allow a systematic exchange among all involved end users, is the added value of centralisation, considering the existence of several EU information systems, already granting access to law enforcement authorities (i.e. Eurodac,108 VIS and SIS II). This architecture, however, challenges the principles of privacy by design109 and data security,110 whose respect would require instead a limitation of  Regulation (EU) 603/2013 of the European Parliament and of the Council of 26 June 2013 on the establishment of “Eurodac” for the comparison of fingerprints for the effective application of Regulation (EU) 604/2013 of the European Parliament and of the Council of 29 June 2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person and on requests for the comparison with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes, and amending Regulation (EU) 1077/2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice, OJ L 180/1. On the recast of the Eurodac Regulation, extending its scope to the identification of irregularly entering and staying third-country nationals for return purposes, refer to: Proposal for a Regulation of the European Parliament and of The Council of 4 May 2016, On the establishment of “Eurodac” for the comparison of biometric data for the effective application of [Regulation (EU) 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person], for identifying an illegally staying third-country national or stateless person and on requests for the comparison with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes, and amending Regulation (EU) 1077/2011 establishing a European Agency for the operational management of largescale IT systems in the area of freedom, security and justice (recast), COM(2016) 272 final, 2016/0132 (COD). 109  Contra, see Impact Assessment Report of 6 April 2016 on the establishment of an EU Entry Exit System Accompanying the document Proposal for a regulation of the European Parliament and of the Council establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third country nationals crossing the external borders of the Member States of the European Union and determining the conditions for access to the EES for law enforcement purposes and amending Regulation (EC) 767/2008 and Regulation (EU) 1077/2011 and Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) 2016/xxx as regards the use of the Entry/Exit System (EES), SWD(2016) 115 final, Part 1/3, p. 27. 110  See Recitals 29, 71, 156 and Articles 5(1)(f), 24(1), 25(1)(2), 28, 39, 32 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119/1 (“GDPR”). The applicability of the GDPR to the subject matter is expressly recognised by the “twin” proposals. Indeed, their Chapter VII regulates issues regarding data processors, confidentiality, monitoring, rights of data subjects and limits to international transfer, in accordance with the standards set forth in the GDPR. The GDRP also applies to data recording, storage and processing for border surveillance purposes under Article 1(2) of EES Regulation, while the processing of personal data by Member States’ designated authorities is subject to the application of the Directive 108

High-Tech Migration Control in the EU and Beyond: The Legal Challenges…

23

data collection and retention.111 As with all large-scale interoperable data systems, such data collection raises concerns over illegal access, unlawful sharing and wrong matches,112 which should be carefully evaluated and compensated with sufficient safeguards, ensuring effective access to a remedy.113 The CJEU has indeed recalled that centralisation may sharply impact data protection, requiring more stringent safeguards.114 In addition, specific issues can be put forward with reference to the procedures for the collection of biometric identifiers, which should in any case comply with the right to a good administration115 and transparency.116 The necessity to create an individual file for each traveller crossing EU’s external borders might generate unsustainable delays,117 while automated fingerprinting may result in intrusive and humiliating procedures, with a disproportional impact on vulnerable people.118 Finally, the duration of the data retention period, as set forth in Article 34 EES, seems excessive and disproportionate in light of the consolidated CJEU

(EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (Police and Criminal Data Protection Directive), OJ L 119/89 (“PCDPD”). 111  See Article 25 of GDPR. 112  FRA, Under watchful eyes: biometrics, EU IT systems and fundamental rights, 2018, p. 88 ff. 113  Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger et  al. [2014] ECLI:EU:C:2014:238, paras. 54–66. In general, on the effectiveness of the right to access a remedy, see Case C-562/13 Centre public d’action sociale d’Ottignies-Louvain-la-Neuve v. Moussa Abdida [2014] ECLI:EU:C:2014:2453, para. 45 ff. 114  C-291/12 Michael Schwarz v. Stadt Bochum [2013] ECLI:EU:C:2013:670, paras. 61–62. 115  Article 41 EUCFR. On the scope and extension of the right to good administration in immigration and asylum procedures, see C-604/12 H. N. v. Minister for Justice, Equality and Law Reform and Others [2014] ECLI:EU:C:2014:302, paras. 49–50; C‑249/13 Khaled Boudjlida v. Préfet des Pyrénées-Atlantiques [2014] ECLI:EU:C:2014:2431, para. 30 ff. 116  Opinion of Advocate General Kokott delivered on 18 July 2007 in the Case C-275/06 Productores de Música de España (Promusicae) v. Telefónica de España SAU, ECLI:EU:C:2007:454, para. 53. On the ongoing construction of an untransparent “Security Union” by means of security-sensitive data exchange between the levels of EU governance, refer to Curtin (2018). 117  According to Frontex, 12 seconds is the amount of time each EU border guard should be granted to decide on admission of travellers at EU’s external borders. Avoiding delays is of paramount importance to keep border checks acceptable and legitimate in people’s eyes, while guaranteeing the smooth functioning of the borders as filters for commercial and human mobility. See FRONTEX, 12 seconds to decide. In search of excellence: Frontex and the principle of best practice, 2015. 118  eu-LISA, Smart Borders Pilot Project. Report on the technical conclusions of the Pilot, Volume 2, Annex 7. See also: Fundamental rights implications of the obligation to provide fingerprints for Eurodac, FRA Focus 5/2015.

24

P. Hanke and D. Vitiello

j­ urisprudence119 on the Data Retention Directive.120 The Preamble of the EES Regulation justifies this duration with reference to the necessity “to keep data related to third-­country nationals who have not exited the territory of the Member States within the authorised period of stay”, for identification and return purposes, but also for risk analysis.121 Thus, this data retention period should facilitate the identification of “overstayers”, who are generally visa holders, whose authorised stay shall not exceed 5 years, according to the EU Visa Code.122 However, lacking any explanation of the unsuitability of less intrusive measures, this justification does not seem to comply with the “strict necessity” test elaborated by the CJEU when assessing the legitimacy of interferences with the fundamental rights enshrined in Articles 7 and 8 EUCFR.123 In addition, it also seems excessive in light of the caselaw of the European Court of Human Rights (ECtHR) on retention of biometric identifiers for prevention of identity frauds.124 The second feature is the purposes’ blurring. The twin proposals do not introduce a different set of rules on consultation for border management and law enforcement goals, but make all EU databases accessible to all national law enforcement authorities though a “two-step data consultation approach”.125 While full access rights remain restricted, according to existing rules and procedures established for each EU information system, the first step of the new data consultation approach allows all potential end users to cross-check all systems within the CIR. Therefore, law enforcement authorities will have the possibility to identify, in one single search and without access restrictions, the IT system containing information on an unknown individual (first step) and then their access rights will differ according to the regulation of the database of their interest (second step). The Commission has maintained that this approach does not introduce any legal issue concerning data protection, since it is based on existing access rights.126 However, a generalised single search access for identification purposes may have a disproportional (though indirect) impact on data protection and fundamental rights, should the mere existence of a record on an individual in one database influence police investigations, even before an authorisation to consult the concerned database is obtained by a designated authority. All in all, personal data, including sensitive categories of data, such as biometric identifiers, should be collected and processed for specified, explicit and  Digital Rights Ireland cit., paras. 29-52-59.  Directive 2006/24/EC of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, OJ L 105/54. 121  Recitals 33 ff. of EES Regulation. 122  Article 24 of Regulation (EC) 810/2009 of the European Parliament and of the Council of 13 July 2009 establishing a Community Code on Visas (Visa Code), OJ L 243/1. 123  Case C-203/15 Tele2 Sverige [2016] ECLI:EU:C:2016:970, paras. 96–102. 124  M.K. v. France (App. No. 19522/09), ECtHR, judgment of 18 April 2013, para. 40; Centrum För Rättvisa v. Sweden (App. No. 35252/08), ECtHR, judgment of 19 June 2018. 125  See the twin proposals, p. 9. 126  Ibid. 119 120

High-Tech Migration Control in the EU and Beyond: The Legal Challenges…

25

legitimate purposes.127 Since data processing is not neutral, changing the intended use of sensitive data may render them inadequate or excessive.128 Thus, the twin proposals may trigger a substantial “function creep”, which has been described as the “continuous repurposing of information initially gathered for other purposes”.129 This creep cannot be considered as a technical and unintended side effect of the search for greater coordination among European IT systems. It is instead a researched policy feature, which serves the purposes of the new “defence-­ security nexus”. However, putting the “enhanced interoperability” paradigm in the service of the “Security Union” cannot lead to exclude the cogency of the purpose limitation principle, as defined within the EU general data protection framework.130 Since data protection is a subject-matter which the EU is competent to address,131 and EU primary law reserving to Member States the maintenance of law and order and the safeguarding of internal security cannot be regarded as affecting EU competence,132 all high-tech border management measures (including those enhancing interoperability) must comply with the general limitation set forth in Article 52(1) EUCFR133 when introducing restrictions to the exercise of the right enshrined its Article 8.

6  H  uman Mobility Under EU “Smart” Surveillance: Automation, “Dronization” and Intelligence Sharing The last two features of the “enhanced interoperability” paradigm are automation of border control and a proactive use of UAVs (“dronization”)134 in maritime surveillance. These features are the quintessence of the technological jump, allowing the IBM toolkit to reach its full potential. The ever-expanding degree of automation is a distinctive feature of the new interoperability paradigm. The new proposals foresee an unprecedented recourse to

 Recital 39 and Article 5(1)(a) of GDPR. See also Digital Rights Ireland cit., paras. 61–62; Tele2 Sverige cit., para. 119. 128  EDPS, Opinion 06/2016 of 21 September 2016 on the Second EU Smart Borders Package. Recommendations on the revised Proposal to establish an Entry/Exit System. 129  Brouwer (2011). 130  Recital 50 and Article 5(1)(b) of GDPR. 131  Article 16 TFEU. 132  Clearly, Articles 72–73, 276 TFEU and Article 4(2) TEU should be considered as rules on the division of executive powers between the national and supranational level of EU governance. See, amplius, Peers (2013); WP, Opinion 01/2015 of 16 June 2015 on Privacy and Data Protection Issues relating to the Utilisation of Drones, WP231. 133  On its interpretation with reference to data protection, see Digital Rights Ireland cit., para. 51. In more general terms, see e.g. Case C-419/14 WebMindLicenses Kft. v. Nemzeti Adó-és Vámhivatal Kiemelt Adó- és Vám Főigazgatóság [2015] ECLI:EU:C:2015:832, paras. 80–82. 134  Csernatoni (2016). 127

26

P. Hanke and D. Vitiello

automatic systems for data interconnection and simultaneous consultation, which may affect fundamental rights in different ways. First, automation of border management may widen the room for mismatches and inaccurate data cross-checking135; second, it may disproportionately impact certain categories of third country nationals (e.g. irregular migrants)136 and EU citizens (e.g. those holding multiple nationalities); third, it risks fast-tracking rigid pre-packaged solutions in cases requiring careful evaluation (e.g. unaccompanied minors’ age determination).137 In addition, since pre-determined criteria for data mining have a risk-adverse rationale, automation may increase the risk of social sorting and discriminatory profiling, in contrast with the consolidated CJEU jurisprudence on border control.138 This would happen, for instance, should law enforcement authorities deduce from the higher average number of records in the centralised system of people holding certain personal characteristics (e.g. nationality, ethnic origin, religion) that the abovementioned characteristics may be considered as circumstantial pieces of evidence of the existence of a threat to internal security.139 In more general terms, automation, coupled with an increased number of authorities having access to the system, creates a multi-actor processing environment, which can make it difficult to identify the authority holding final responsibility for inaccurate data management.140 Brought to its extreme consequences, the development of automatic tools may trigger a de-materialisation of border control, in which the proxy (i.e. the high-tech system) exercises quasi-law enforcement duties, in contrast with the prohibition on automated decision-making,141 and without any  On the responsibility of controllers for data accuracy see Recital 39 and Article 5(1)(d) of GDPR. 136  As pointed out by the Advocate General Sharpston, in its Opinion delivered on 12 February 2015  in the Case C-554/13 Z.  Zh. and O. v. Staatssecretaris van Veiligheid en Justitie, ECLI:EU:C:2015:94, para 63, in some cases migrants with false papers try to escape identification to protect themselves, even though their fear does not amount to a fear of persecution for asylum purposes or these persons do not seek asylum in Europe. It is for national authorities to determine “what [public order] interests require protection and in what respect the individual concerned constitutes a danger to [public order]. In other words, there should be no automatic decisions depriving an individual of a right to voluntary departure simply because he is convicted of travelling with a false document and could therefore be an illegally staying third-country national”. 137  For instance, the law adopted in Italy for the protection of unaccompanied minors foresees a complex process of age determination, involving numerous specialists and precluding the use of technological tools for automatic age determination. See the Law No. 47 of 7 April 2017, in O.J. (“Gazzetta Ufficiale” No. 93 of 21 April 2017 (so-called “Legge Zampa”), Article 5(3) ff. 138  Joined Cases C-188/10 and C-189/10 Aziz Melki e Sélim Abdeli [2010] ECLI:EU:C:2010:363, para. 75; Case C-23/12 Mohamad Zakaria [2013] ECLI:EU:C:2013:24. See also: Recital 38, Articles 10 and 11(3) of PCDPD. 139  Lyon (2013). 140  EDPS, Opinion 7/2017 of 2 May 2017 on the new legal basis of the Schengen Information System; SIS II Supervision Coordination Group, Report of 31 January 2018 on an overview of access to the SIS II. 141  Article 22(1) of GDPR. See also: WP, Guidelines of 3 October 2017 on Automated individual decision-making and profiling for the purposes of Regulation 2016/679. 135

High-Tech Migration Control in the EU and Beyond: The Legal Challenges…

27

c­ ontroller being held accountable.142 While this is a merely hypothetical, futuristic scenario, the risks for the effective protection of fundamental rights are tangible and should be addressed by ensuring transparency and access to remedy.143 The last feature is an expanded capacity of international information/intelligence sharing. It is linked to the diffusion of UAV technology for sky patrolling and pre-­ frontier surveillance, coupled with the expansion of international data transfer for purposes of counter-terrorism, migration management and return. Concerning the first layer (international information/intelligence sharing), Eurosur allows cooperation with third countries “to detect, identify, track and intercept persons, attempting to enter the EU illegally outside border crossing points”.144 Its functioning is based upon different sources: bilateral agreements between EU Member States and third countries,145 sometimes authorising the operation of drones, satellites or sensors on their skies146; working agreements between Frontex and the competent authorities of third countries, containing obligations de contrahendo for the conclusion of separate (and secret) security protocols on intelligence exchange147; and working arrangements between Frontex and third parties, to set up and run Risk Analysis Networks.148 Intelligence sharing within the Eurosur “hub” is mainly required to craft the Common Pre-Frontier Intelligence Picture.149 This is in turn necessary to boost Member States’ reaction capability and to gather materials for Frontex’ risk analysis. However, the Eurosur Regulation does not exclude the transfer of EU risk analysis, information and intelligence to third countries, provided that it complies with the limitations set forth in its Recital 13 and Article 20, which anchor this activity to the EU general data protection framework. Nonetheless, this safeguard is not sufficient to exclude that potentially unreliable intelligence provided by third countries feeds Frontex’ risk analysis and affects the timeliness and quality of operational decisions. In addition, the IBM  On the relevance of accountability for effective data protection see: Recital 85 and Article 5(2) of GDPR. 143  HLEG Final Report, p. 47. 144  Examining the creation of Eurosur, para. 3. 145  Cassarino (2011). 146  For instance, on the Italian technical agreements with Libya of 28 November 2013, authorising the use of UAVs on Libyan skies, see: Ministero della Difesa, Italia—Libia: accordi di cooperazione, Roma 28 novembre 2013. 147  See, for instance: Working Arrangement (WA) of 16 April 2013 establishing operational cooperation between Frontex and the State Border Service of the Republic of Azerbaijan, para. 3.2; WA of 22 February 2012 establishing operational cooperation between Frontex and the National Security Council of the Republic of Armenia, para. 3.2; WA of 19 January 2012 establishing operational cooperation between Frontex and the Nigerian Immigration Service, para. 4; WA in the form of an exchange of letters between Frontex and Migration, Asylum, Refugees, Regional Initiative (MARRI) Regional Centre, para. 1. 148  They are: Frontex Risk Analysis Network, Eastern Borders Risk Analysis, Western Balkans Risk Analysis Network and Africa Frontex Intelligence Community. On their function within the “defence-security nexus”, see EU Counter-Terrorism Coordinator, JHA agencies’ role in counterterrorism, 6146/18 ADD 1 EXT 1, 6 April 2018, p. 13. 149  Article 11 of Eurosur Regulation. 142

28

P. Hanke and D. Vitiello

e­ mergency-­driven rationale150 could make it difficult to avoid the transfer to third countries of information that could be used to identify persons who risk being subjected to fundamental rights violations. This may challenge the respect of Article 20(5) of Eurosur Regulation, a risk that is magnified by the absence of oversight on data usage beyond European borders. Finally, an “heterogenesis of the ends” of international data transfer marks the Eurosur cooperation, considering that the prevention of loss of lives at sea via search and rescue activities has been a key reason for the creation of Eurosur.151 Although Eurosur Regulation does not affect EU Member States’ competence in this regard and its exercise in the framework of international conventions, the centralisation of UAV-based remote control could have fostered the respect of the duty to render assistance at sea,152 by easing early detection and rescue of migrants’ boats in distress. This would have been consistent with Regulation 656/2014,153 establishing rules for the surveillance of the external sea borders, which puts human security at the core of Frontex-coordinated operations. However, in practice, the rhetoric of “limiting loss of lives at sea by impeding departures” has reduced search and rescue activities to a “side effect” of surveillance.154 This practice not only thwarts fundamental rights at sea, by shifting them from legal entitlements to humanitarian concessions,155 but also calls into question the compatibility of the Eurosur acquis with the purpose limitation principle.156 With the adoption of the EES Regulation, a second layer of international data transfer has been introduced into the picture. On the one hand, its Article 41 frames international data transfer in restrictive terms,157 connecting the EES regime to the

 Frontex, FRAN Quarterly Q4, 2013, p. 5.  EUROSUR: new tools to save migrants’ lives at sea and fight cross-border crime, MEMO/13/580 of 19 June 2013. Interestingly, the obligation to “save lives and keep migrants out of harm’s way” is also central in the call for a globally managed migration under the UN Global Compact on Migration. See United Nations, Global Compact for Safe, Orderly and Regular Migration, Final Draft of 11 July 2018, para. 13, available at:  https://www.un.org/pga/72/wp-content/uploads/ sites/51/2018/07/migration.pdf. 152  For a comment on the scope and content of this customary norm, codified in Article 89 of United Nations Convention on the Law of the Sea (10 December 1982, 1833 UNTS 397), see Moreno-Lax (2011). 153  Refer, in particular, to Articles 9 and 10 of Regulation (EU) 656/2014 of the European Parliament and of the Council of 15 May 2014 establishing rules for the surveillance of the external sea borders in the context of operational cooperation coordinated by the European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union, OJ L 189/93. 154  Opinion of the Committee of the Regions, Smart Borders package, (2014/C 114/15), OJ C 114/90, para. 11. 155  Moreno-Lax (2018). 156  WP, Opinion 03/2013 of 2 April 2013 on Purpose Limitation, WP203, p. 4. 157  Indeed, Article 41(1) of EES Regulation reads as follows: “[d]ata stored in the EES shall not be transferred or made available to any third country, to any international organisation or to any private entity”. 150 151

High-Tech Migration Control in the EU and Beyond: The Legal Challenges…

29

provisions of EU law on data protection158; on the other hand, it puts forward a broad number of exceptions. With reference to border surveillance, it foresees the transfer of personal data of third-country nationals, in individual cases, to identify them for return purposes.159 Lacking an “adequacy decision”160 by the Commission,161 the provision does not exclude that international data transfer may be based on the footing of data protection clauses in readmission agreements162 or even on the sole ground of its necessity “for important reasons of public interest”.163 With reference to law enforcement, the provision is even more indefinite, admitting international data transfer in a wide range of cases concerning the fight against terrorism.164 This loose regime of data circulation beyond the EU has to be contextualised in the general trend aimed at renewing and diversifying the toolkit for international transfers under the EU general data protection framework.165 It puts forward a number of alternatives to adequacy decisions,166 including data transfers between public authorities or bodies on the basis of administrative arrangements.167 This trend is controlled, and somehow contrasted, by the CJEU, whose “strict necessity” and “essential equivalence” tests—as elaborated in the Schrems case law168 and reiterated in its Opinion on the EU-Canada PNR agreement—169 find general application to international data transfer. In line with this approach, the new Directive on data protection in law enforcement states that data exchange with third countries for law enforcement purposes “should not allow frequent, massive and structural transfers of personal data, or large-scale transfers of data, but should be limited to data strictly necessary”.170 Yet, data exchange in the field of border surveillance and border law enforcement poses specific challenges, which may not be adequately met under existing EU  Ibid., Recitals 36, 39, 41, 43 and Articles 3(2), (3), and 41(2) of EES Regulation.  Ibid., Article 41(2): “By way of derogation from paragraph 1 of this Article, the data referred to in Article 16(1) and points (a), (b) and (c) of Article 17(1) of this Regulation may be transferred by border authorities or immigration authorities to a third country or to an international organisation listed in the Annex I to this Regulation in individual cases, if necessary in order to prove the identity of third-country nationals for the sole purpose of return”. 160  Article 45 of GDPR. 161  See Article 41(2)(a) of EES Regulation. 162  Ibid., Article 41(2)(b). 163  Ibid., Article 41(2)(c). 164  Ibid., Article 41(6). 165  Communication to the European Parliament and the Council of 10 January 2017, Exchanging and Protecting Personal Data in a Globalised World, COM(2017) 7 final. 166  See Article 46(2)(e) and (f) of GDPR. 167  Ibid., Article 46(2)(a) and 46(3)(b) of GDPR. 168  Case C-362/14 Maximillian Schrems v. Data Protection Commissioner [2015] ECLI:EU:C:2015:650, paras. 73, 74 and 96. 169  Opinion 1/15 [2017] ECLI:EU:C:2017:592, para. 214. For a comment, refer to Carpanelli and Lazzerini (2017). 170  Recital 72 of PCDPD. 158 159

30

P. Hanke and D. Vitiello

l­egislation and case-law. They are mainly connected to the intrusiveness, discreetness and unaccountability of sense-and-detect technology used for intelligence and data gathering, bypassing individual consent for data acquisition,171 while allowing mass data collection, continuous surveillance and dual use.172 Therefore, in addition to legal issues linked to data protection (such as the function creep, the bulk data processing and the lack of data minimisation), questions arise as regards the effectiveness of fundamental rights in operational activities related to border management and third party liability in case of accident.173 Answers should be identified as a matter of urgency, considering that UAVs are destined to become a core feature of EU anticipatory border governance174 as based upon pre-emption of flows, externalisation of border control, automated data gathering and the blurring of borders’ civil/military functions.175

7  C  oncluding Remarks on Enhanced Interoperability, the Crisis of Schengen and the Solidarity Principle High-tech securitisation of EU’s external borders risks downgrading fundamental rights within this area, through a normalisation of the state of exception that exasperates the dichotomy between freedom and security by picturing freedom as absence of control and security as pervasive control. With respect to this risk, the call for enhanced interoperability of EU information systems for border management and security cannot be rapidly archived as a revival of old-fashioned technical concepts. It is framed, instead, as an encompassing policy goal, functional to the  EDPS, Opinion on the Communication from the Commission to the European Parliament and the Council on “A new era for aviation - Opening the aviation market to the civil use of remotely piloted aircraft systems in a safe and sustainable manner”, para. 16. 172  United Kingdom, House of Lords, 7th Report of Session 2014–2015 on Civilian Use of Drones in the EU, London: The Stationery Office Limited, 5 March 2015. 173  It has to be recalled, inter alia, that the Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018, On common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) 2111/2005, (EC) 1008/2008, (EU) 996/2010, (EU) 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) 552/2004 and (EC) 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) 3922/91, OJ L 212/1, does not apply to drones “while carrying out military, customs, police, search and rescue, firefighting, border control, coastguard or similar activities or services under the control and responsibility of a Member State, undertaken in the public interest by or on behalf of a body vested with the powers of a public authority, and the personnel and organisations involved in the activities and services performed by those aircraft” (Article 2(3)(a)). In these fields, it is for the Member States to freely decide whether to apply their national law or the abovementioned Regulation “in particular with a view to achieving safety, interoperability or efficiency gains” (Recital 10). For a general description of EU policy on drones, see Marzocchi (2015). 174  Hayes et al. (2014). 175  Marin (2017), p. 111. 171

High-Tech Migration Control in the EU and Beyond: The Legal Challenges…

31

setting of a Security Union and capable of severely impacting the configuration of the AFSJ as a common area of fundamental rights protection, in which “privacy matters [because it] is a question of human dignity”.176 These repercussions may trigger a further upgrade of the EU anticipatory border governance as based upon non-arrival policies and externalisation, which is capable of heightening the tension between the AFSJ, as a legal space of protection governed by the rule of law, and its securitised external borders. Indeed, the features of the new “enhanced interoperability” paradigm—i.e. the quantitative dimension of data collection and retention, a centralised framework for law enforcement access to all databases, an advanced automation of data gathering and processing and a UAV-­ based toolkit for international intelligence/data exchange—177 could complicate the establishment of responsibilities for abusive conducts in data collection, processing, analysis and exchange, while making access to an effective remedy extremely difficult for potential victims. At the same time, the concept of enhanced interoperability has been presented as a technical antidote to the crisis of Schengen,178 aimed at re-establishing solidarity, mutual trust and sincere cooperation among EU Member States, and consequently, at better protecting fundamental rights.179 However, the type of standardisation that interoperability would introduce does not seem per se sufficient to re-establish the centrality, within the EU IBM and the AFSJ, of the overarching principle of solidarity and responsibility-sharing. Since data and information sharing is not equivalent to sharing norms and values,180 enhanced interoperability should be intended as a mere instrument of inter-state cooperation. Despite the plethora of state-of-the-art technologies and large-scale IT systems, interstate solidarity and responsibility-sharing require something still not subject to programming language to be truly effective: political will.

176  J-C. Juncker, State of the Union 2016, 14 September 2016. It has to be noted that a general reference to the right to dignity is included in many IT instruments and in the SBC and that the CJEU has often reiterted the justiciability of this right as a self-standing entitlement (see, e.g., Case C-377/98 Netherlands v. European Parliament and Council [2001] ECLI:EU:C:2001:523, para. 70 ff.). 177  See Article 46(2)(e) and (f) of GDPR. 178  Council Conclusions of 8–9 June 2017 cit.: “Protection of the EU’s external borders, including land borders, should lead to resuming the normal functioning of the Schengen area. The Estonian presidency is convinced that to achieve this, the EU must make the best use of databases and modern IT-solutions, which allow for rapid exchange of information, when and if needed, also to make the fight against terrorism and organized crime more efficient”. 179  On the potential use of enhanced interoperability to better protect vulnerable migrants, including children and trafficked people, see HLEG Final Report, p. 8. 180  Noll (2015).

32

P. Hanke and D. Vitiello

References Alegre, Suise, Julien Jeandesboz, and Niovi Vavoula. 2017. European Travel Information and Authorisation System (ETIAS): Border Management, Fundamental Rights and Data Protection. Brussels: European Parliament. Bauman, Zygmunt. 2012. Times of Interregnum. Ethics & Global Politics 5: 49 ff. Bellanova, Rocco, and Gloria Gonzalez Fuster. 2013. Politics of Disappearance: Scanners and (Unobserved) Bodies as Mediators of Security Practices. International Political Sociology 7: 188 ff. Benton, Meghan, and Alex Glennie. 2016. Digital Humanitarianism: How Tech Entrepreneurs Are Supporting Refugee Integration. Transatlantic Council on Migration. Washington, D.C.: Migration Policy Institute. https://www.migrationpolicy.org/research/ digital-humanitarianism-how-tech-entrepreneurs-are-supporting-refugee-integration. Berthelet, Pierre. 2017. Sistèmes d’information européens sécurité-immigration: lorsqu’ “interopérabilité” ne rime effectivement pas avec “interconnexion”. EU Immigration and Asylum Law and Policy. http://eumigrationlawblog.eu/systemes-dinformation-europeens-securite-immigration-lorsqu-interoperabilite-ne-rime-effectivement-pas-avec-interconnexion/. Beuving, Minze A. 2010. Frontex. Its Role and Organisation. In The Institutional Dimension of the European Union’s Area of Freedom, Security and Justice, ed. Jörg Monar, 217 ff. Brussels: Peter Lang. Bigo, Didier. 1994. The European Internal Security Field: Stakes and Rivalries in a Newly Developing Area of Police Intervention. In Policing Across National Boundaries, ed. Malcolm Anderson, and Monica den Boer, 164 ff. London: Pinter. Biryukov, Nikita. 2017. Department of Homeland Security Flooded With Bids to Build Border Drones. NBC News. https://www.nbcnews.com/news/us-news/ department-homeland-security-flooded-bids-build-border-drones-n754071. Biselli, Anna. 2017a. Asylverfahren: Software, die an der Realität scheitern muss. Die Zeit. http://www.zeit.de/digital/internet/2017-03/ bamf-asylbewerber-sprach-analyse-software-computerlinguistik/komplettansicht. ———. 2017b. Jetzt doch: Behörde soll auch Geodaten aus Handys von Geflüchteten auswerten. Netzpolitik.org. https://netzpolitik.org/2017/ jetzt-doch-behoerde-will-auch-geodaten-aus-handys-von-gefluechteten-auswerten/. Brandom, Russell. 2017. The US Border Patrol is Trying to Build Face-­ Reading Drones. The Verge. https://www.theverge.com/2017/4/6/15208820/ customs-border-patrol-drone-facial-recognition-silicon-valley-dhs. Brouwer, Evelien. 2008. Digital Borders and Real Rights – Effective remedies for Third-Country Nationals in the Schengen Information System. Leiden: Martinus Nijhoff. ———. 2011. Legal Boundaries and the Use of Migration Technology. In Migration and the New Technological Borders of Europe, ed. Huub Dijstelbloem, and Albert Meijer, 134 ff. London: Palgrave Macmillan. Carpanelli, Elena, and Nicole Lazzerini. 2017. PNR: Passenger Name Record, Problems Not Resolved? The EU PNR Conundrum After Opinion 1/15 of the CJEU. Air and Space Law 42: 377–402. Carrera, Sergio, Leonhard den Hertog, and Joanna Parkin. 2013. The Peculiar Nature of EU Home Affairs Agencies in Migration Control: Beyond Accountability versus Autonomy? European Journal of Migration and Law 15: 337 ff. Carrera, Sergio, and Valsamis Mitsilegas, eds. 2017. Constitutionalising the Security Union. Effectiveness, Rule of Law and Rights in Countering Terrorism and Crime. Brussels: Centre for European Policy Studies. Cassarino, Jean-Pierre. 2011. Resilient Bilateralism in the Cooperation on Readmission. In The External Dimension of the European Union’s Area of Freedom, ed. Marise Cremona, Jörg Monar, and Sara Poli, 191–208. Brussels: Peter Lang.

High-Tech Migration Control in the EU and Beyond: The Legal Challenges…

33

Castillo, Michael. 2017. The UN Wants to Adopt Bitcoin and Ethereum – And Soon. Coindesk. https://www.coindesk.com/the-united-nations-wants-to-accept-ethereum-and-bitcoinand-soon/. Connor, Phillip. 2017. The Digital Footprint of Europe’s Refugees. Pew Research Center’s Global Attitudes Project. http://www.pewglobal.org/2017/06/08/digital-footprint-of-europes-refugees/. Csernatoni, Raluca. 2016. High-Tech Fortress Europe: FRONTEX and the Dronization of Border Management. European Public Affairs. http://www.europeanpublicaffairs.eu/ high-tech-fortress-europe-frontex-and-the-dronization-of-border-management/. Curtin, Deirdre. 2018. Second Order Secrecy and Europe’s Legality Mosaics. West European Politics 41: 1–23. Dijstelbloem, Huub, and Albert Meijer, eds. 2011. Migration and the New Technological Borders of Europe. London: Palgrave Macmillan. Eisele, Katharina. 2018. Initial Appraisal of a European Commission Impact Assessment. EPRS PE 615.649. Ethik-Kommission. 2017. Automatisiertes und vernetztes Fahren. Bundesministerium für Verkehr und digitale Infrastruktur. Foot, Philippa. 1967. The Problem of Abortion and the Doctrine of Double Effect. Oxford Review 5: 5–15. Gammeltoft-Hansen, Thomas, and James C.  Hathaway. 2015. Non-Refoulement in a World of Cooperative Deterrence. Columbia Journal of Transnational Law 53: 235–284. Guild, Elspeth. 2001. Moving the Borders of Europe. Inaugural Lecture. Nijmegen: CPO. Gutheil, Mirja, Quentin Liger, James Eager, Yemi Oviosu, and Daniel Bogdanovic. 2018. Interoperability of Justice and Home Affairs Information Systems. Brussels: European Parliament. Hagen, Lara. 2018. Kickl will Flüchtlinge ‘konzentriert’ an einem Ort halten. derStandard.at. https://derstandard.at/2000071880249/ Asyl-FPOe-Kickl-will-Fluechtlinge-konzentriert-an-einem-Ort-halten. Hanke, Philip. 2017. Artificial Intelligence and Big Data  – An Uncharted Territory for Migration Studies? Blog NCCR  – On the Move. http://blog.nccr-onthemove.ch/ artificial-intelligence-and-big-data-an-uncharted-territory-for-migration-studies/. Hayes, Ben, Chris Jones, and Eric Töpfer. 2014. Eurodrones Inc. Amsterdam: Statewatch. Heyman, Josiah, and Howard Campbell. 2012. The Militarization of the United States-Mexico Border Region. Revista de Estudos Universitários 38: 75 ff. Holzschuh, Franziska. 2017. Exklusiv: Hunderte Bamf-Entscheider nicht qualifiziert. Nürnberger Nachrichten. http://www.nordbayern.de/cm/2.244/politik/ exklusiv-hunderte-bamf-entscheider-nicht-qualifiziert-1.6204830. Jeandesboz, Julien, Didier Bigo, Ben Hayes, and Stephanie Simon. 2013. The Commission’s Legislative Proposals on Smart Borders: Their Feasibility and Costs. Brussels: European Parliament. Kennedy, John. 2017. Despite Brexit Breakthrough, Experts Predict Electronic Border for Ireland. Silicon Republic. https://www.siliconrepublic.com/enterprise/border-brexit-ireland-electronic. Keung, Nicholas. 2017. Canadian Immigration Applications Could Soon Be Assessed by Computers. The Toronto Star. https://www.thestar.com/news/immigration/2017/01/05/immigration-applications-could-soon-be-assessed-by-computers.html. Lyon, David. 2013. Surveillance as Social Sorting: Privacy, Risk, and Digital Discrimination. London: Routledge. Malek, Caline. 2018. UAE to Phase out Immigration Officers in Favour of AI by 2020. The National. https://www.thenational.ae/uae/government/ uae-to-phase-out-immigration-officers-in-favour-of-ai-by-2020-1.704633. Marin, Luisa. 2017. The Deployment of Drone Technology in Border Surveillance. Between Techno-securitization and Challenges to Privacy and Data Protection. In Surveillance, Privacy and Security. Citizens’ Perspectives, ed. Michael Friedewald, Peter J.  Burgess, Johann Čas, Rocco Bellanova, and Walter Peissl, 107 ff. London: Routledge.

34

P. Hanke and D. Vitiello

Marin, Luisa, and Kamila Krajčíková. 2016. Deploying Drones in Policing Southern European Borders: Constraints and Challenges for Data Protection and Human Rights. In Drones and Unmanned Aerial Systems, Legal and Social Implications for Security and Surveillance, ed. Aleš Završnik, 101 ff. New York: Springer. Marzocchi, Ottavio. 2015. Privacy and Data Protection Implications of the Civil Use of Drones. Brussels: European Parliament. Moreno-Lax, Violeta. 2011. Seeking Asylum in the Mediterranean: Against a Fragmentary Reading of EU Member States’ Obligations Accruing at Sea. International Journal of Refugee Law 23: 174–220. ———. 2018. The EU Humanitarian Border and the Securitization of Human Rights: The ‘Rescue-Through-Interdiction/Rescue-Without-Protection’ Paradigm. Journal of Common Market Studies 56: 119 ff. Nevejans, Nathalie. 2016. European Civil Law Rules in Robotics. Study for the JURI Committee. DG Internal Policies. Policy Department C. Citizen’s Rights and Constitutional Affairs. Nixon, Ron. 2017. On the Mexican Border, a Case for Technology Over Concrete. The New York Times. https://www.nytimes.com/2017/06/20/us/politics/on-the-mexican-border-a-case-fortechnology-over-concrete.html. Noll, Gregor. 2015. Why the EU Gets in the Way of Refugee Solidarity. Open Democracy. https://www.opendemocracy.net/can-europe-make-it/gregor-noll/why-eu-gets-in-way-ofrefugee-solidarity. Parkin, Joanna. 2012. EU Home Affairs Agencies and the Construction of EU Internal Security, CEPS Papers in Liberty and Security in Europe No. 53. Paul, Regina. 2016. Integration by Risk Analysis? Frontex and the Silent Harmonization of European Border Control, HowSAFE Working Paper No. 6. Peck, Michael. 2018. Drones Can’t Protect Our Borders. The National Interest. http://nationalinterest.org/feature/drones-cant-protect-our-borders-12046. Peers, Steve. 2013. European Parliament Inquiry on Mass Surveillance.  http://www.europarl. europa.eu/document/activities/cont/201311/20131115ATT74514/20131115ATT74514EN. pdf. Pollak, Johannes, and Peter Slominski. 2009. Experimentalist But Not Accountable Governance? The Role of Frontex in Managing the EU’s External Borders. West European Politics 32: 904 ff. Prause, Jacqueline. 2018. Digitization vs. Digitalization – Wordplay or World View? SAP News Center. https://news.sap.com/digitization-vs-digitalization-wordplay-or-world-view/. Reuter, Markus. 2017. Datenschutzbeauftragte: Geplante Handydurchsuchung bei Asylbewerbern nicht verfassungsgemäß. netzpolitik.org. https://netzpolitik.org/2017/datenschutzbeauftragtegeplante-handydurchsuchung-bei-asylbewerbern-nicht-verfassungsgemaess/. Richter, Markus. 2018. Transforming Immigration Operations by Applying AI and Big Data. Client Success Field Notes (IBM). https://www.ibm.com/blogs/client-voices/ immigration-operations-ai-big-data/. Rijpma, Jorrit J.  2017. Brave New Borders: The EU’s Use of New Technologies for the Management of Migration and Asylum. In New Technology and EU Law, ed. Marise Cremona, 197 ff. Oxford: Oxford University Press. Rijpma, Jorrit J., and Marise Cremona. 2007. The Extra-Territorialisation of EU Migration Policies and the Rule of Law. EUI Working Papers LAW. Sanchez del Rio, Jose, Daniela Moctezuma, Cristina Conde, Isaac Martin de Diego, and Enrique Cabello. 2016. Automated Border Control E-Gates and Facial Recognition Systems. Computers & Security 62 (Sept): 49–72. Schwab, Klaus. 2017. The Fourth Industrial Revolution. New York: Crown Business. Sternstein, Aliya. 2015. DHS to Launch Iris and Facial Recognition at the Border. Nextgov.com. http://www.nextgov.com/cio-briefing/2015/01/ dhs-launch-iris-and-facial-recognition-border/103908/.

High-Tech Migration Control in the EU and Beyond: The Legal Challenges…

35

Strerath, Frank, and Heiner Gremer. 2017. Gegen falsche Flüchtlinge: BAMF prüft Asylanträge mit neuer Technik. Bayrischer Rundfunk. https://www.br.de/nachrichten/mittelfranken/inhalt/ bamf-asyl-digitale-assistenzsysteme-100.html. Thym, Daniel. 2016. Legal Framework for Entry and Border Controls. In EU Immigration and Asylum Law. A Commentary, ed. Kay Hailbronner, and Daniel Thym, 31 ff. Munchen/Oxford: C.H. Beck/Hart/Nomos. World Bank. 2017. Remittances to Developing Countries Decline for Second Consecutive Year. Press Release. http://www.worldbank.org/en/news/press-release/2017/04/21/ remittances-to-developing-countries-decline-for-second-consecutive-year. Zeitlin, Jonathan, ed. 2015. Extending Experimentalist Governance? The European Union and Transnational Regulation. Oxford: Oxford University Press.

Swords Shielding Security? The Use of Databases in Criminal Cooperation within the European Union: Challenges and Prospects Stefano Montaldo

Abstract  This Chapter analyses the changing scenario of information technology cooperation for law enforcement purposes in the EU.  It proposes a taxonomy of existing information cooperation tools, based on two criteria: the cooperation techniques and the institutional settings governing information exchange. On this basis, the analysis briefly addresses the increasing involvement of private (economic) actors in contributing to cooperation in criminal matters and the quest for a higher degree of interoperability among various information systems. While highlighting the risks connected to prioritizing security concerns, the Chapter also underscores the integrative potential of information cooperation in a common European space without internal borders.

1  S  hielding Security Through the Sword of Information Cooperation: The Evolving Paradigm for Law Enforcement in the EU Since the entry into force of the Lisbon Treaty, the European Unionʼs primary aim has become the establishment of an Area of Freedom, Security and Justice (AFSJ). Article 3 TEU now prioritizes this objective, even over the development of the EU internal market. This major paradigm shift reflects the deepening European integration process in recent decades and unveils a growing body of secondary legislation aimed at facilitating the prevention and detection of crime in the EU. The Union legislature has sought to harmonize national legal orders, in particular in relation to substantive and procedural criminal law, the two founding pillars of police and judicial cooperation in criminal matters. Beyond these mainstreams, evolving security threats require the adoption of several flanking measures,1 of  See, inter alia, Boehm (2012).

1

S. Montaldo (*) University of Turin, Turin, Italy e-mail: [email protected] © Springer Nature Switzerland AG 2019 E. Carpanelli, N. Lazzerini (eds.), Use and Misuse of New Technologies, https://doi.org/10.1007/978-3-030-05648-3_2

37

38

S. Montaldo

which common provisions on information collection and exchange for law enforcement purposes have played—and continue to play—a major role. Access to information is inherently linked to cooperation in criminal matters, as it substantiates collaboration between police and judicial authorities. It overcomes national boundaries and the fragmentation of domestic legal orders, enhancing the smooth functioning of the European judicial space. In addition, sharing relevant information is also a duty incumbent upon the State and a pre-condition to cooperation procedures, in particular those implementing the principle of mutual recognition. In short, it contributes to the effectiveness of cooperation mechanisms, a key concern in EU institution discourse on the drive towards increased security within Union borders, and provides added value to Member Statesʼ repressive systems.2 In this framework, the rise of widespread international terrorist threats and terrorist attacks against civilians in various Member States has further boosted attention to closer information cooperation among national authorities. Since 9/11 and the London and Madrid attacks in 2004, EU legislation has flourished in this domain,3 gradually leading to the creation of a variety of instruments with very different features and institutional settings. The current scenario ranges from traditional Mutual Legal Assistance (MLA) exchanges of information to centralized EU databases and information flows coordinated by EU agencies such as Europol and Eurojust. The proliferation of both information technology systems and rules governing their actual functioning has been welcomed widely by practitioners as a response to evolving security concerns.4 In this context, the present Chapter analyses the main features of the current scenario of EU information cooperation in criminal matters. It first provides a taxonomy of information cooperation tools based on two criteria: the heterogeneous cooperation techniques underpinning information flows and the institutional settings governing the operation of databases and other information sharing tools (Sect. 2). Secondly, it examines the growing involvement of private (economic) actors in contributing to the immaterial body of data used by EU and national authorities for law enforcement purposes (Sect. 3). Attention is then paid to one of the major challenges ahead, namely attempts to enhance the interoperability of existing instruments (Sect. 4). In this scenario, the advances and shortcomings of the evolving paradigm of European information security are discussed (Sect. 5). The Chapter highlights the integrative potential of information cooperation as a powerful complementary tool for the effective implementation of several EU policies and contributing to securing the common European space with no internal borders. At the same time, the continuous evolution of information technology systems poses several challenges, mainly with regard to the urgent need to prevent law

 Fletcher et al. (2008), p. 46.  The expanding legislation concerning data and law enforcement has been imaginatively compared to the growth of “mushrooms after a rainy Autumn day”. Cf. Gutiérrez Zarza (2015), p. 2. 4  This connection has been repeatedly stressed by both European institutions and scholars. Cf. in particular Blasi Casagran (2017), p. 16. 2 3

Swords Shielding Security? The Use of Databases in Criminal Cooperation…

39

enforcement authorities from abusing these instruments to the detriment of the individuals concerned and of the EUʼs security strategy as a whole.

2  F  oil, Sabre, or Sword? The Main Features of EU Information Sharing Tools, with Multiple Cooperation Techniques and Diversified Institutional Settings 2.1  F  unctional Taxonomy: Information Cooperation Tools and Police and Judicial Cooperation Techniques in Criminal Matters Information cooperation tools for law enforcement purposes can be divided into four main categories depending on their legal bases and the cooperation techniques underpinning them: MLA procedures, EU data-sharing instruments and mutual recognition mechanisms, and databases serving different purposes but ultimately used to tackle criminal phenomena. MLA procedures represent the traditional source of information cooperation in criminal matters within the EU.  They encompass all areas of cooperation in the gathering and exchange of information, including requesting and providing assistance in obtaining evidence. For decades, these mechanisms have been based on bilateral or multilateral agreements, such as the 1959 Strasbourg Convention of the Council of Europe.5 Following the Treaty of Amsterdam, the Tampere Programme of 1999 envisaged the negotiation of a former third pillar Convention on mutual legal assistance between Member States. These efforts resulted in the Brussels Convention of 2000,6 which eventually entered into force in 2005, although some Member States still have not implemented it in their legal orders. Flexibility is one of the distinctive features of the procedures designed by these instruments, endowing the requested State with wide discretion on whether to cooperate, to the point that the political branch can refuse to execute a foreign request or order. Moreover, relevant instruments impose no mandatory deadlines, further hampering timely cooperation.7 In order to address these flaws, the EU legislature gradually enacted a series of instruments intended to either complement or replace MLA procedures. Some aim at facilitating the exchange of specific kinds of information, while others are inherently connected to the implementation of the principle of mutual recognition of certain judicial orders. From the first point of view, an interesting attempt to move intergovernmental cooperation a step forward is provided by the so-called Prüm  Council of Europe, Convention of 20 April 1959 on mutual assistance in criminal matters.  Convention of 29 May 2000 on mutual assistance in criminal matters between the Member States of the European Union, in OJ C 197 of 12 July 2000, p. 1. 7  Vermeulen (2006). 5 6

40

S. Montaldo

decisions. In 2005, Austria, Belgium, France, Germany, Luxembourg and Spain agreed on common procedures to advance cooperation in criminal investigations on cases with a cross-border dimension. The basic idea was to identify a national contact unit addressee for all information requests from partner countries in order to speed up previous MLA legacies. Interestingly enough, this initiative took the shape of an international treaty, i.e. a traditional MLA instrument. However, the Prüm Treaty8 was soon incorporated into EU law, following heated debate on the urgent need for more transparent procedures and higher standards of protection of fundamental rights. This process led to the adoption of two Council decisions and a flanking Framework Decision concerning the development of the Prüm acquis, and the accreditation procedure of forensic service providers performing laboratory activities, respectively.9 The new legal nature did not affect the systemʼs structure, which can be described as a network of decentralized national databases. National contact points have the duty to provide assistance in the event of an inquiry issued by foreign law enforcement or judicial authorities. In particular, vehicle registration data can be directly shared, while access to biometric data—namely DNA and fingerprints—is based on a “hit/no hit” model. This means that a preliminary request must be sent to a national contact unit to determine whether the data stored at the national level actually match the information the foreign authority is seeking. At this stage, the system only provides the receiving contact point with a confirmation/exclusion of a hit, whereas access to the actual content of the information requires an additional subsequent request. This step reveals the mixed nature of the mechanism, because pre-existing bilateral or multilateral MLA procedures strike back at, and apply to, this second request. Another successful instrument is the European Criminal Records Information System (ECRIS), through which the pre-existing Network of Judicial Registers set up by France, Germany, Spain and Belgium in 2003 was extended to the European level by the Council in 2009.10 This system is based on the principle of availability and allows national authorities to access information on convictions and other data extracted from national criminal records registers. The main beneficiaries are judges, prosecutors, and administrative authorities, who are provided easy access  Prüm Treaty of 27 May 2005 on the stepping up of cross-border cooperation, particularly on combating terrorism, cross-border crime and illegal migration, signed between Belgium, Germany, Spain, France, Luxembourg, The Netherlands and Austria. 9  Council Decision 2008/615/JHA of 23 June 2008 on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime, in OJ L 210 of 6 August 2008, p. 1; Council Decision 2008/616/JHA of 23 June 2008 on the implementation of Decision 2008/615/ JHA on the stepping up of cross-border cooperation, particularly in combating terrorism and crossborder crime, in OJ L 210 of 6 August 2008, p. 12; Council Framework Decision 2009/905/JHA of 30 November 2009 on Accreditation of forensic service providers carrying out laboratory activities, in OJ L 322of 9 December 2009, p. 14. 10  Council Framework Decision 2009/315/JHA of 26 February 2009 on the exchange of information extracted from criminal records, in OJ L 93 of 7 April 2009, p.  23, and Council Decision 2009/316/JHA of 6 April 2009 on the establishment of the European Criminal Records Information System (ECRIS) in application of Article 11 of Framework Decision 2009/315/JHA, in OJ L 93 of 7 April 2009, p. 33. Cf. Stefanou and Xanthaki (2008). 8

Swords Shielding Security? The Use of Databases in Criminal Cooperation…

41

though a secure and uniform information infrastructure to the criminal history of any EU citizen, regardless of the Member State where he/she was convicted. This networkʼs scope is related primarily to Framework Decision 2008/675/JHA, on the inclusion of previous convictions handed down in another Member States in the course of new criminal proceedings. The Framework Decision does not harmonize national legal orders, but imposes on the national authorities the minimum obligation of attaching consequences to a previous conviction abroad, whenever such effects follow from previous national convictions under domestic law. In practice, this information is useful for assessing whether the convict has reoffended and for determining both the type of sentence and arrangements for its enforcement.11 A third and essential aspect of information cooperation between Member States concerns the implementation of the principle of mutual recognition of national judicial decisions. In this context, cooperation mechanisms usually do not involve establishing new databases, rather they encourage information sharing with a view to executing a foreign decision in cases having cross-border elements or implications. In principle, all mutual recognition instruments require the issuing and the executing Member States to make available all relevant information necessary to address a request for cooperation. Swift and automatic procedures imply the timely disclosure of information, with no unnecessary formalities. Consequently, information sharing in a spirit of sincere cooperation is a pre-condition for the full effectiveness of the judicial cooperation mechanisms designed by the EU legislature. However, in certain cases, this even impacts the essence of the dialogue between domestic authorities. The European Investigation Order (EIO)12 is a remarkable example in this respect. The EIO is intended to replace a plethora of diversified systems for obtaining evidence abroad, through letters rogatory or letters of request.13 Accordingly, it applies to practically all investigative measures and types of evidence,14 with limited exceptions.15 Moreover, its scope of application extends to sharing information of  At the same time, information through ECRIS may be exchanged for any other purpose according to national law, such as recruitment, naturalization, asylum, fire arms licensing, child adoption procedures, etc. In particular, information must be exchanged if requested for recruitment procedures with regard to posts involving direct and regular contact with children, as required by Art. 10 of the Directive 2011/93/EU of the European Parliament and of the Council of 13 December 2011 on combating sexual abuse and sexual exploitation of children, and child pornography, in OJ L 335 of 17 December 2011, p. 1. 12  Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters, in OJ L 130 of 1 May 2014, p. 1. 13  Interestingly enough, its adoption was proposed by a group of Member States pursuant to Article 76(2) TFEU. The proponents’ idea was precisely to address the shortcomings of previous intergovernmental tools for judicial cooperation in the field of criminal evidence. 14  Directive 2014/41/EU applies to any kind of data, including DNA and banking information. It has also updated mechanisms to technological advances, in particular in relation to tapping tools and digital evidence. 15  Directive 2014/41/EU does not solve all problems related to the complexity of the supranational legal scenario. For instance, specific provisions apply to common investigation teams and some provisions of the Brussels Convention of 2000 on mutual legal assistance have not been replaced. 11

42

S. Montaldo

potential evidentiary relevance, including information that does not yet exist, but could be necessary for advancing an investigation. Lastly, the boost to information-driven security has led to a functional spill-over effect, whereby databases originally and primarily designed to pursue non-criminal purposes have become law enforcement tools. More generally, this phenomenon reflects the blurring boundaries between various interrelated EU policy domains, such as border management, security and defence, financial regulation and law enforcement, under the aegis of “an all-encompassing, yet at the same time amorphous, concept of security”.16 A prominent example of this widened mesh of the information cooperation network is the (at least partial) shift of the rationale of SIS II, VIS, CIS and EURODAC databases from border control to the prevention, detection and investigation of crimes. CIS, the Customs Information System, is regulated by the then first pillar Regulation (EC) 766/200817 and covers surveillance of potential breaches of customs and agricultural legislation. However, following the first implementation period, the Council adopted Decision 2009/917/JHA,18 aimed at expanding the scope of customs information technology to “preventing, investigating and prosecuting serious contraventions of national laws by making information available more rapidly”.19 Consequently, both the competent authorities in the Member States and the EU agencies Europol and Eurojust are granted direct access to all information collected in the database in order to achieve the aims outlined above. Moreover, Art. 8 of the Decision makes the use of such data for even “further purposes” conditional upon the authorization and any additional measures required by the Member State having entered them. Other non-criminal information tools raise even more sensitive issues, in particular concerning the protection of individual rights, as they entail the collection and processing of selected biometric data, such as fingerprints. This is a key concern regarding the operational implications of EURODAC, a centralized system that supports the national authorities in determining the Member State responsible for an asylum application. A prototypical version of this database was first established in 1990, when the Dublin Convention on asylum was signed, to ensure the swift For an analysis of the legal scenario following the expiry of the deadline for implementing Directive 2014/41/EU at the national level, see Montaldo (2017). 16  Mitsilegas (2017), p. 10. 17  Regulation (EC) 766/2008 of the European Parliament and of the Council of 9 July 2008 amending Council Regulation (EC) 515/97 on mutual assistance between the administrative authorities of the Member States and cooperation between the latter and the Commission to ensure the correct application of the law on customs and agricultural matters, in OJ L 218 of 13 August 2008, p. 48. 18  Council Decision 2009/917/JHA of 30 November 2009 on the use of information technology for customs purposes, in OJ L 323of 10 December 2009, p. 20. 19  Cf. Article 1(2) of the Decision. The notion of national laws is clarified by Article 2(1) and refers to the laws or regulations of a Member State, in application of which the national customs administration has competence, concerning the movement of goods subject to measures of prohibition, control or restriction; measures to control cash movements within the EU; and the transfer, conversion, concealment, or disguise of property or proceeds acquired or obtained directly or indirectly through illicit conducts, such as international drug trafficking or tax evasion.

Swords Shielding Security? The Use of Databases in Criminal Cooperation…

43

i­ dentification of the State responsible for an application and to prevent asylum shopping and refugees in orbit. The system evolved over time, along with the increasing body of EU legislation realizing a Common European Asylum System. It took its current name with Regulation (EC) 2725/200020 and began operations in 2003. Ten years later, a major amendment profoundly re-examined the potential practical implications of the data stored in it. Indeed, Regulations (EC) 603/2013 and 604/201321 extend access to such information to national law enforcement authorities and Europol22 in order to prevent, detect or investigate the serious criminal offences referred to in Article 2(2) of the Framework Decision 2002/584/JHA on the European Arrest Warrant.23

 Council Regulation (EC) 2725/2000 of 11 December 2000 concerning the establishment of Eurodac for the comparison of fingerprints for the effective application of the Dublin Convention, in OJ L 315 of 15 December 2000, p. 1. 21  Regulation (EU) 603/2013 of the European Parliament and of the Council of 26 June 2013 on the establishment of “Eurodac” for the comparison of fingerprints for the effective application of Regulation (EU) 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person and on requests for the comparison with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes, and amending Regulation (EU) 1077/2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice, in OJ L 180 of 29 June 2013, p. 1; Regulation (EU) 604/2013 of the European Parliament and of the Council of 26 June 2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person, in OJ L 180 of 29 June 2013, p. 31. 22  See Recital 8 highlighting the strategic importance of up-to-date information in the area of law enforcement, in particular in relation to terrorist offences, the most deeply rooted and powerful drivers of the evolution of EU information cooperation tools. Recital 13 manifestly acknowledges that this reform brings about a “change of the original purpose of EURODAC, which interferes with the fundamental right to respect for the private life of individuals whose personal data are processed in EURODAC”. By virtue of this, the Regulation establishes strict conditions and limits for the use of EURODAC data for law enforcement purposes. 23  Council Framework Decision 2002/584/JHA of 13 June 2002 on the European arrest warrant and the surrender procedures between Member States, in OJ L 190 of 18 July 2002, p. 1. Article 2(2) of this Framework Decision lists the serious offences for which double criminality is not required for an Arrest Warrant to be issued and executed. The list represents a benchmark for all subsequent EU legislation implementing the principle of mutual recognition to national judicial decisions in criminal matters. Despite some inconsistencies in its implementation at the national level, the list referred to by the new EURODAC Regulation has received a general consensus among Member States and this is an essential element for the self-containment of the extended use of the data collected in it. 20

44

S. Montaldo

2.2  I nstitutional Taxonomy: Governing Information Cooperation in Criminal Matters The proliferation of information cooperation techniques goes hand in hand with the different institutional settings governing the use of databases and other information sharing tools. From this point of view, categories blur and evolve rapidly due to the complex interplay between traditional national sovereign powers in criminal law and increasingly intrusive EU rules. While Member States want to preserve control over law enforcement within their borders24; they are also keen to grant a greater role to the Union institution and bodies, because of the common challenges and side effects created by the establishment of a European space without borders. So, regardless of the high degree of variety in terms of complexity and formality, a tentative taxonomy must take some common features into due consideration, namely the multi-layered and multi-actor nature of the institutional arrangements governing information cooperation. The most traditional approach to information sharing is represented by horizontal cooperation between Member States, through which national authorities are expected to make data stored in domestic databases available to foreign requesting authorities. Formerly purely national databases now allow for targeted and closely supervised peer-to-peer network circulation of data. In this framework, the EUʼs role is limited to establishing common rules for the operation of information exchange, the respective obligations of the requesting and receiving States, and precise identification of the information allowed to circulate. Examples of tools included in this category are the ECRIS and the Prüm systems,25 which envisage no role for EU judicial cooperation and law enforcement bodies such as Europol or Eurojust. A second set of tools features the necessary twist between the EU and national layers as a distinctive element. Some information systems, such as EURODAC and SIS II, engage both national authorities and Union coordination on a star-like basis. Basically, national authorities are required to inject information in a centralized system, which is then made available upon request to all competent authorities in each Member State. In this way, centralized coordination maximizes the availability of data and their potential use for pursuing national and EU policies. Lastly, the most recent and increasingly prominent trend regards the considerable enhancement of EU bodies tasked with law enforcement roles. The establishment of centralized databases managed entirely by EU agencies is one of the most promising tangible outcomes of this progressive empowerment. In particular, with  Suominen (2014).  Interestingly enough, the Commission is trying to upgrade ECRIS’s current structure, in order to partially supplement this horizontal instrument with a common EU database, at least in relation to convictions handed down against third-country nationals. Cf. Communication from the Commission (2017)344 final of 29 June 2017, Proposal for a regulation establishing a centralized system for the identification of Member States holding conviction information on third-country nationals and stateless persons to supplement and support ECRIS. 24 25

Swords Shielding Security? The Use of Databases in Criminal Cooperation…

45

the Stockholm Programme, Europol has undergone an in-depth transformation towards becoming a “hub for information exchange between law enforcement authorities in the Member States and a platform for law enforcement service”.26 Member States are under no specific obligation to transfer information to Europol or involve the Agency in a case. While the attitude of national authorities varies widely, reliance on Europolʼs information support increases significantly every year.27 Two instruments are seeing considerable success in this respect. Firstly, the agency runs its own Europol Information System (EIS) that collects information on persons and objects of interest related to serious offences covered by Europolʼs mandate. Secondly, the agency has a specific communication tool, the Secured Information Exchange Network Application (SIENA) messaging system. The system allows the secure transfer of sensitive information to Europol officers and experts, national contact units, domestic law enforcement authorities and even authorities located in third countries with which the agency has a cooperation agreement. SIENA was launched in 2009. Its scope and operational capacity have been increasing ever since: today, it also allows for horizontal exchanges of information between national authorities, so much so that the Commission and the Council now urge Member States to use this system as a default tool when sharing information for law enforcement purposes.28 This trend towards centralization is further confirmed by the establishment of eu-LISA, an agency dedicated to the management of the EU information systems operating in the Area of Freedom, Security and Justice.29

3  U  nconventional Swords. The Privatization of Information Cooperation for Law Enforcement Purposes (and Its Confinement by the Court of Justice) The quest for security has also led to an increased direct or indirect involvement of (economic) private actors handling strategic data. This “privatisation of surveillance”30 has influenced the evolution of certain EU harmonization measures grounded in Article 114 TFEU and therefore connected mainly to the establishment of the internal market. The heated debate on the use of Passenger Name Record (PNR) data for law enforcement purposes is particularly instructive in this respect. It is well known that the events of 9/11 triggered the conclusion of a series of bilateral agreements between the EU and the USA, aiming to advance transatlantic  European Council (2009), p. 20.  Vermeulen and Wills (2011). 28  Council (2014). 29  Regulation (EU) 1077/2011 of the European Parliament and of the Council of 25 October 2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice, in OJ L 286 of 1 November 2011, p. 1. 30  Bures and Carrapico (2018). 26 27

46

S. Montaldo

cooperation in tackling terrorism and serious crimes. In addition to traditional treaties on extradition and mutual legal assistance and some agreements involving Europol and Eurojust, the EU agreed on common rules concerning certain operational aspects of the US security strategy. A first 2004 text grounded in current Art. 114 TFEU was declared invalid by the Court of Justice,31 because its prevailing “criminal essence” would have required a third pillar measure instead. Indeed, the Court pointed out that although data were originally collected for commercial purposes, the actual objectives underpinning the agreement were to prevent and fight terrorism, entrusting public law enforcement authorities with great discretion in accessing and using PNR data. The proposed agreement was then amended and transferred to the third pillar, but the European Parliament refused consent to its conclusion in 2007. It came into force only in 2012,32 surrounded by widespread scepticism regarding its political soundness and implications for fundamental rights.33 For the purposes of this analysis, it is important to underline that the system established by the agreement requires air carriers to transfer passenger data almost automatically to US authorities, regardless of the existence of specific grounds or security threat for this data processing to take place.34 Bulk data transfers have been at the heart of negotiations for further international agreements, in particular with Australia and Canada, and the Commission is ready to launch a new season of international instruments desired by several third countries willing to strengthen information cooperation with the EU for security purposes. However, the future approach to this subject will have to be revisited, since in its recent Opinion 1/15,35 the Court of Justice declared that the proposed text of the EU-Canada agreement on the transfer of passenger PNR data fails to meet the required standards of fundamental rights protection. In particular, the agreement allows Canadian authorities to systematically transfer and store all air passenger data, and even to transmit this data to other third countries. According to the Court, the interferences with the right to private life and with the protection of personal data—as guaranteed by Articles 7 and 8 of the EU Charter of Fundamental Rights— are justified by the pursuit of objectives of general interest, namely contrasting terrorism and other serious transnational crimes. However, several provisions go beyond that which is strictly required to achieve those aims, thereby unnecessarily  Court of Justice, judgment of 30 May 2004, joined cases C-317/04 and C-318/04, European Commission and European Parliament v. Council. 32  Council Decision 2012/472/EU of 26 April 2012 on the conclusion of the agreement between the United States of America and the European Union on the use and transfer of Passenger Name Records to the United States Department of Homeland Security, in OJ L 215 of 11 August 2012, p. 4. 33  See, amongst others, Santos Vara (2014). 34  From this point of view, this new generation of instruments departs from previous forms of responsabilization of commercial actors, such as those provided by anti-money laundering legislation, where specific suspicions are needed for law enforcement authorities to access relevant data. See Mitsilegas (2016), p. 159. 35  Court of Justice, Opinion 1/15 of 26 July 2017 pursuant to Article 218(11) TFEU. 31

Swords Shielding Security? The Use of Databases in Criminal Cooperation…

47

infringing upon the fundamental rights under consideration. Currently, proposed transfers also involve sensitive data that would require a more solid and specific justification concerning a defined threat to public security. Moreover, the agreement fails to comply with the Charter since it provides for a generalized power to retain data, even in the case of air passengers—the vast majority—who pose no security issues or potential threats and whose information should be deleted once they have left Canada. The opinion is in line with the previous case law of the ECJ on the protection of personal data and builds on a stricter approach to the retention of data and metadata for control purposes.36 Notably, in Tele2 and Watson the Court of Justice pointed out that unbridled access to information stored by private companies may easily reveal precise conclusions regarding a personʼs everyday life and habits, thereby offering leeway for excessive intrusions on the right to privacy.37 Indeed, processing of any sort must be limited by appropriate safeguards, in terms of strict conditions and procedures for it to take place, independent supervision and effective set of remedies.38 The European Union has also encouraged information cooperation in the financial and banking sectors. EU law makers have adopted several pieces of legislation aimed at tackling illicit financial support to terrorist organizations,39 but the information cooperation legal framework in this area is still far from settled and clear. In this domain as well, action was triggered by the US unilateral reaction to security concerns and was initially influenced largely by US requirements. In 2001, the US government launched a comprehensive strategy on this matter: the Terrorist Financing Tracking Programme (TFTP). As a part of this set of counter-terrorism measures, the American administration managed to obtain, secretly and unilaterally, EU citizensʼ financial data from the private company SWIFT, a global provider of financial communication standards and of secure financial messaging services. The media uncovered this programme of generalized financial surveillance in 2006,40 with US authorities justifying it on the grounds that the companyʼs servers were located on US soil. However, the companyʼs headquarters were in Belgium, where the standard of protection stemming from Directive 95/46/EC applied.41 Moreover, SWIFT decided to move its servers to Switzerland soon after the TFTP was unveiled,  Court of Justice, judgment of 8 April 2014, Joined Cases C-293/12 and C-594/12, Digital Rights Ireland; judgment of 6 October 2015, Case C-362/14, Schrems; judgment of 21 December 2016, Joined Cases C-203/15 and C-698/15, Tele2 and Watson. 37  Cf. para. 99 of the judgment. 38  Cf. para. 109 of the judgment. 39  See, amongst others, the decision to harmonize national laws regarding the minimum rules on criminalization of terrorist financing: Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism, in OJ L 88 of 31 March 2017, p. 6. 40  See de Hert and de Schutter (2008). Millions of financial transactions were scrutinized every day and the relevant information was stored for 124 days. 41  Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, in OJ L 281 of 23 November 1995, p. 31. 36

48

S. Montaldo

so that a new legislative framework for allowing transfers of data to the EU was required. The EU and the US agreed to a bilateral treaty that was signed one day before the entry into force of the Lisbon Treaty, after harshly criticized secret negotiations,42 in a poorly disguised attempt to benefit from the intergovernmental regime of the former third pillar.43 In response, the European Parliament once again denied approval, thereby opening the way to new post-Lisbon negotiations that eventually led to a revised text, called SWIFT II. The bilateral agreement is rooted in Articles 87(2)(a) and 88(2) TFEU, concerning police cooperation. It scales down the discretion of US authorities, to whom access to data is made conditional upon a formal request, which shall clearly substantiate the need for the data and restrict the amount of information that may be transferred. The agreement provides for a regular double monitoring mechanism, involving Europol and an Eminent Person appointed in the US, flanked by a deputy EU overseer. However, the European Parliamentʼs quest for judicial scrutiny was not included in the text. In addition to operational solutions, an important aspect shared by both the PNR and the TFTP bilateral agreements is their emphasis on reciprocity. On the one hand, reciprocity entails that the operation of the agreements should be mutually beneficial, as law enforcement authorities in the EU can also expect US authorities to provide them potentially useful alerts and data.44 Of course, a similar approach raises concerns about the respect and overall consistency of EU data protection laws. In principle, the EU and the Member States are entitled to access data processed pursuant to US legislation, which might be adequate, but provides a lower standard of protection. On the other hand, reciprocity could entail the need for a future reconsideration of these agreements if the EU were to take legislative action on the internal level. Accordingly, Article 11 of the TFTP agreement requires that the Commission consider launching an equivalent EU system to achieve greater precision in targeting relevant data. In that event, paragraph 3 adds that the parties will consult in order to consider adjustments to the treaty. In this framework, the Commission put forward a set of proposals for a European version of the terrorist finance tracking system in November 2013, ranging from the establishment of a central financial intelligence unit coordination service to the creation of a common EU database or the sharing of decentralized national systems.45 However, none of these proposals were ever discussed, due to the opposition of the European Parliament, which perceived this initiative as a way of internalizing and institutionalizing a highly intrusive surveillance tool. Therefore, the current EU legal scenario is basically limited to a number of flanking measures, such as Regulation (EU) 2015/847, on information on payers and payees accompanying

 Curtin (2013).  Mitsilegas (2016), p. 156. 44  Cf. Article 18(1) of the PNR bilateral agreement. 45  See Commission communication COM(2013)842 final of 27 November 2013, a European terrorist finance tracking system (EU TFTS), building on COM(2011) 429 final of 13 July 2011, a European terrorist finance tracking system: Available options. 42 43

Swords Shielding Security? The Use of Databases in Criminal Cooperation…

49

national and international transfers of funds,46 which is intended to facilitate the prevention, detection and investigation of money laundering and terrorist financing. On the contrary, in April 2016 the European Parliament and the Council did adopt Directive 2016/681/EU,47 establishing a harmonized EU system for PNR data transfers of extra-EU flight passengers.48 With a view to minimizing the amount of data processed by public authorities, whilst ensuring the interoperability and efficiency of surveillance and crime prevention and detection activities, air carriers will be required to transfer PNR data to a national passenger information unit specifically tasked with collecting, processing and eventually transferring relevant information to other authorities in the EU.  The final addressees of these data will be national law enforcement authorities competent for the prevention, detection and investigation or prosecution of terrorist activities and other serious crimes,49 to be formally included by each Member State in a list of national bodies entitled to request and use data for the purposes of the Directive.50 Consequently, reciprocity of US-EU relationships will impose bilateral consultations on possible amendments to the PNR treaty. Interestingly, Article 20(2) of the agreement actually provides for this duty of consultation, but reverses the perspective that one might expect, stating that should the EU system opt for a less stringent degree of data protection, the parties should consider amending the agreement accordingly. The reverse dynamic appears to be more in line with current trends in EU legislation and case law and must be considered as being implicitly covered by the reciprocity clause.

4  T  oo Many Swords to Handle! Towards Interoperability of EU Information Systems As we have seen, reliance on information technology systems is a distinctive element of law enforcement action in the European Union. The proliferation of databases has been driven by the need to reach as much coverage as possible, in terms  Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006, in OJ L 141 of 5 June 2015, p. 1. 47  Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, in OJ L 119 of 4 May 2016, p. 132. The Directive was to be implemented by the end of May 2018. 48  Member States can inform the Commission of their intention to extend its scope to intra-EU flights. Every flight taking off from a Member State and landing outside the EU and vice versa must be considered an extra-EU flight. 49  The relevant serious crimes are listed in Annex II of the Directive. The Annex is slightly different from the traditional list provided for by Framework Decision 2002/584/JHA on the European Arrest Warrant. For instance, it includes industrial espionage and trafficking in stolen vehicles. 50  Cf. Article 7. 46

50

S. Montaldo

of collection and storage of different kinds of information, even outside the AFSJ domain. However, the rapid quantitative expansion of information cooperation has gradually revealed a number of flaws, because in most cases, the instruments established so far operate in silos. This means that they are not able to communicate, thereby forcing law enforcement authorities seeking comprehensive information on a person or object to conduct multiple searches in different systems. The solution to this challenge is increased interoperability, i.e. the adoption of technical strategies allowing different entities “to exchange electronically meaningful information in ways that all parties understand”.51 European institutions have been trying to gain control over this problem in recent years. In 2016, following an initiative of the Dutch Presidency, the Council issued a Roadmap to enhance information exchange and interoperability solutions in the Home Affairs area.52 Accordingly, the Commission proposed a set of possible options to avoid the so-called “silo effect” and foster interoperability among information systems.53 Taking a step further, the Commission has even contended that interoperability should be a background issue to be taken into account when legislative instruments are drafted.54 The debate over how interoperability should be achieved and which information systems should involve is ongoing. The Commission has tried to facilitate it by establishing a high-level expert group on information systems and interoperability, which has proposed various scenarios.55 The basic solution would be to create a single search interface or portal at the EU level, where results and matches from different databases would converge for a single centralized request. This option would reflect similar strategies followed by some Member States that have combined national and EU information systems.56 Alternatively, each system could be interconnected in a horizontal technical network, so that when a single request is submitted all relevant data are automatically consulted, regardless of where they are located. Other proposals focus on specific—and actually as sensitive as frequently longed for by law enforcement authorities—categories of information, namely biometric data. A biometric matching service would allow the use of a single identifier  European Union Agency for Fundamental Rights (2017).  Council (2016). 53  Communication from the Commission COM(2016) 205 final of 6 April 2016, Stronger and smarter information systems for borders and security. 54  Communication from the Commission COM(2017) 134 final of 23 March 2017, European interoperability network. Implementation strategy. 55  The high-level expert group included experts from Member States, Schengen associated third countries, and some EU institutions and agencies. It met for the first time in June 2016 and issued its final report in May 2017. The report and all other documents concerning the group’s meetings and activities are available at: http://ec.europa.eu/transparency/regexpert/index. cfm?do=groupDetail.groupDetail&groupID=3435. 56  The Commission has established the National Interoperability Framework Observatory (NIFO), which collects and shares all relevant national practices and policies in this domain. Several country reports and eGovernment factsheets are available on the Observatory website: https://joinup. ec.europa.eu/collection/national-interoperability-framework-observatory-nifo. 51 52

Swords Shielding Security? The Use of Databases in Criminal Cooperation…

51

across various systems, thereby increasing the reliability of a match and of the subsequent identification of a person. A similar and equally reliable outcome could be reached through a common umbrella repository of biometric data automatically connected to each information tool. In both cases, biometric data could help identify a person of interest even if he/she appears under multiple identities.57 Although, at first sight, interoperability might appear to be confined to the technical arena, it is inherently political, as it paves the way for more effective crime prevention, detection and investigation. However, it also raises concerns regarding the protection of the rights of the persons affected and the balance of powers between the various national and EU actors involved.58 Technical solutions to overcome the current “silo mentality” underpinning existing databases would grant considerable added value to police cooperation between Member States. Judicial cooperation would be partially concerned, as mutual recognition mechanisms are grounded primarily in the exchange of pre-determined and specific information, such as the existence of previous convictions in another Member State. At the same time, access to more comprehensive information could be beneficial to the execution of a foreign decision when the information provided by the issuing authority is unclear or incomplete. Easier and more reliable identification of a person or the availability of more precise information on a seized or confiscated object, including elements such as its location and owner, could speed up cooperation procedures and support compliance with the duty to provide the (issuing or executing, depending on the situation) foreign judicial authorities with all information deemed necessary for the fruitful completion of a cooperation request. From a fundamental rights perspective, however, interoperability could lead to abuses and violate core data protection principles, such as data minimization and purpose limitation. For instance, an officer could have access to data that he/she is not authorized to consult or that may exceed the objective of the search. Compliance with the specific rules governing each database and access to the information stored in them will be a key concern. Moreover, the current Europol information exchange regime could be extended to conduct searches in various databases. Indeed, Article 20(2) of the new Europol Regulation59 provides for the so called “flagged hits system”, on the basis of which the requesting authority is made aware of the existence of additional relevant data, though access to them is conditional to respect of the rules governing that specific database. As pointed out by the EU Agency for

 European Union Agency for Fundamental Rights (2017).  de Hert and Guthwirth (2006). In a 2005 Communication, the Commission took a different stance and emphasized that interoperability “is disconnected from the question of whether the data exchange is legally or politically possible or required”. Cf. Communication from the Commission COM(2005) 597 final of 24 November 2005. Improved effectiveness, enhanced interoperability and synergies among the European databases in the Justice and Home Affairs area, p. 3. 59  Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2011 on the European Union Agency for Law Enforcement Cooperation (Europol), in OJ L 135 of 24 May 2016, p. 53. 57 58

52

S. Montaldo

Fundamental Rights, interoperability could also amplify the detrimental consequences of access to low quality or unlawfully stored data.60 The current proposals also envisage expanding the scope of interoperability solutions slightly to requesting authorities in third countries. This would first include border databases such as EURODAC, VIS and the new Entry/Exit System,61 to facilitate returns of third-country nationals. Moreover, data stored in SIS II could be transferred outside the European Union by Europol and Eurojust for law enforcement purposes, with the consent of the Member State having issued the alert, as well as of Interpol for checks against its database. Any step in this direction should be carefully assessed in terms of limitation of use and the actual aim for processing the information concerned. This is also because interoperability will likely also involve the aforementioned privately-controlled databases, and in particular EU and extra­EU PNR information flows, as well as some non-criminal systems.62

5  Concluding Remarks European institutions have made intense efforts to push information management for law enforcement purposes forward, while barely managing to ensure its overall coherence.63 Planned proliferation can deteriorate into unbridled fragmentation, since the plurality of instruments increases complexity in accessing data and the use of information systems differs largely from one State to another, depending on factors such as domestic technical capacities and the degree of willingness to cooperate. Broader information cooperation and greater quantities of available data do not necessarily equal greater quality and efficiency of cooperation, especially in terms of crime prevention, detection and prosecution.64 In 2012, following a long and fruitful season of reforms to EU information systems, the Commission stated that “no new EU-level law enforcement databases are […] needed at this stage”.65 Despite this, it soon after promoted the gradual  European Union Agency for Fundamental Rights (2017), p. 29.  Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States, determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011, in OJ L 327 of 9 December 2017, p. 20. 62  For instance, Directive 2011/82/EU of the European Parliament and of the Council of 25 October 2011 facilitating the cross-border exchange of information on road safety related traffic offences, in OJ L 288 of 5 November 2011, p. 1. The legal basis of the Directive refers to the EU policy on transportation. 63  Argomaniz (2012), p. 72. 64  Kreissl (2017), p. 96. 65  Communication from the Commission COM(2012) 735 final of 7 December 2012, Strengthening law enforcement cooperation in the EU: The European Information Exchange Model (EXIM). 60 61

Swords Shielding Security? The Use of Databases in Criminal Cooperation…

53

e­ xpansion of the scope of application of certain databases beyond their primary and original objects and purposes, in particular in the field of borders and migration controls. In this context, public control ambitions have taken priority over pressing migration management needs to the extent that all relevant databases now provide for a law enforcement addendum, including the freshly adopted Entry/Exit System Regulation (EU) 2017/2226.66 This trend is amplified by the processing of data related to everyday life activities via the indirect privatization of security, which is capable of further extending the reach and capacity of controls performed by public authorities. On the one hand, it is illustrative of another paradigm shift from the fight against crime to an overarching emphasis on prevention, putting pressure on the limits of public powers and posing considerable challenges to individual rights. On the other hand, it is generally conceived as perfectly desirable, as it endows law enforcement authorities with more effective tools to cope with increasingly urgent security threats. In this regard, public perception of external intrusions into private life and privacy has changed considerably over the last two decades.67 The collection of fingerprints used to be considered a symbolic threat to human dignity and a stigma of discrimination against migrants. Since then, an enormous transnational security regime has been (and still is being) built through the enhancement of transnational information exchange. In an increasingly societally-friendly environment, internal security concerns have once again gathered consensus towards enhancing inter-State cooperation under the aegis of the EU integration process. At a time when the founding ideals are in crisis, security and control appear to be “big ideas” to mobilize support for the EU.68 The integrative potential of information technology cooperation has proven to be well suited for this purpose.

References Argomaniz, Javier. 2012. A Coordination Nightmare. Institutional Coherence in European Union Counterterrorism. In European Homeland Security. A European Strategy in the Making? ed. Christian Kaunert, Sarah Léonard, and Patryk Pawlak. Abingdon: Routledge. Blasi Casagran, Cristina. 2017. Global Data Protection in the Field of Law Enforcement. An EU Perspective. Abingdon: Routledge. Boehm, Franziska. 2012. Information Sharing and Data Protection in the Area of Freedom, Security and Justice. Towards Harmonized Data Protection Principles for Information Exchange at EU-Level. Heidelberg: Springer-Verlag. Bures, Oldrich, and Helena Carrapico, eds. 2018. Security Privatization. How Non-related-security Private Businesses Shape Security Governance. Cham: Springer International Publishing. Council of the European Union. 2014. Document 10303/14 of 24 May 2014. HENU Workshop on SIENA Implementation.  Cf. footnote No. 62.  Hallinan et al. (2012). 68  Morgan (2003), p. 143. 66 67

54

S. Montaldo

———. 2016. Document 9398/1/16 of 16 June 2016, Roadmap to enhance information exchange and information management including interoperability solutions in the Justice and Home Affairs area. Curtin, Deirdre. 2013. Official Secrets and the Negotiation of International Agreements: Is the EU Executive Unbound? Common Market Law Review 50: 423–458. de Hert, Paul, and Serge Guthwirth. 2006. Interoperability of Police Databases within the EU: An Accountable Political Choice? International Review of Law Computers 20: 21–35. de Hert, Paul, and Bart de Schutter. 2008. International Transfers of Data in the Field of JHA: The Lessons of Europol, PNR and Swift. In Justice, Liberty, Security: New Challenges for EU External Relations, ed. Bernd Martenczuk and Servaas van Thiel. Brussels: Vrije Universiteit Brussels Press. European Council. 2009. The Stockholm Programme. An Open and Secure Europe Serving and Protecting the Citizens. Official Journal of the European Union. European Union Agency for Fundamental Rights. 2017. Fundamental rights and the interoperability of EU information systems: Borders and security. Fletcher, Maria, Robert Loof, and Bill Gilmore, eds. 2008. EU Criminal Law and Justice. Cheltenham: Edward Elgar Publishing. Gutiérrez Zarza, Ángeles, ed. 2015. Exchange of Information and Data Protection in Cross-border Criminal Proceedings in Europe. Heidelberg: Springer-Verlag. Hallinan, Dara, Michael Friedewald, and Paul McCarthy. 2012. Citizensʼ Perception of Data Protection and Privacy in Europe. Computer Law and Security Review 28: 263–272. Kreissl, Reinhard. 2017. Will More Data Bring More Security? Remarks on the Security Union Approach to Interoperability. In Constitutionalising the Security Union. Effectiveness, Rule of Law and Rights in Countering Terrorism and Crime, ed. Sergio Carrera and Valsamis Mitsilegas. Brussels: Centre for European Policy Studies. Mitsilegas, Valsamis. 2016. The External Dimension of Mutual Trust. The Case of Transatlantic Counter-terrorism Cooperation. In Justice and Trust in the European Legal Order. The Copernicus Lectures, ed. Ciro Grandi. Napoli: Jovene Editore. Mitsilegas, Valsamis. 2017. The Security Union as a Paradigm of Preventive Justice: Challenges for Citizenship, Fundamental Rights and the Rule of Law. In Constitutionalising the Security Union. Effectiveness, Rule of Law and Rights in Countering Terrorism and Crime, ed. Sergio Carrera and Valsamis Mitsilegas. Brussels: Centre for European Policy Studies. Montaldo, Stefano. 2017. La scadenza del termine di recepimento della direttiva 2014/41/UE sullʼordine europeo di indagine penale e la sostituzione delle “disposizioni corrispondenti” della convenzione di assistenza giudiziaria fra gli Stati membri del 2000: spunti per la ricostruzione di un quadro normativo complesso. Il diritto dell’Unione europea. Osservatorio europeo. http://www.dirittounioneeuropea.eu/images/osservatorio/Montaldo_Osservatorio.pdf. Morgan, Neil. 2003. Freedom, Security and Justice. In Ten Reflections on the Constitutional Treaty of the European Union, ed. Bruno de Witte. Florence: European University Press. Santos Vara, Juan. 2014. Transatlantic Cooperation Counterterrorism Agreements on the Transfer of Personal Data: A Test for Democratic Accountability in the EU.  In A Transatlantic Community of Law. Legal Perspectives on the Relationship Between the EU and US Legal Orders, ed. Elaine Fahey and Deirdre Curtin. Cambridge: Cambridge University Press. Stefanou, Constantin, and Helen Xanthaki, eds. 2008. Towards a European Criminal Record. Cambridge: Cambridge University Press. Suominen, Annika. 2014. Effectiveness and Functionality of Substantive EU Criminal Law. New Journal of European Criminal Law 2: 388–415. Vermeulen, Gert. 2006. EU Conventions Enhancing and Updating Traditional Mechanisms for Judicial Cooperation in Criminal Matters. Revue Internationale de Droit Pénal 77: 59–95. Vermeulen, Mathias, and Aidan Wills. 2011. Parliamentary Oversight of Security and Intelligence Agencies in the European Union. Brussels: European Parliament.

What Do Human Rights Really Say About the Use of Autonomous Weapons Systems for Law Enforcement Purposes? Andrea Spagnolo

Abstract This Chapter supports the view that human rights can help cutting through the fog of the concept of autonomy in weapons systems for law enforcement purposes. Building on the ongoing debate, it will be argued that an approach based on international human rights law would clarify that the only possible and acceptable definition of autonomy implies a meaningful human control on the activities of autonomous weapons systems, thus fostering the idea that a ban on fully autonomous machines is desirable. Such a conclusion will be reached after an analysis of States’ positive obligations to protect human rights during law enforcement operations, in particular the right to life and the right to privacy.

1  A  utonomous Weapons Systems and International Human Rights Law: An Attempt to Introduce a Primitive Debate The debate on the use of Autonomous Weapons Systems (AWS) mainly focuses on the compatibility of this particular kind of weapons with International Humanitarian Law (IHL). The pace of technological evolution, in fact, is already changing the nature of armed conflicts, making it urgent to discuss the ensuing legal implications.1 The compatibility with International Human Rights Law (IHRL), on the contrary, is nowadays largely unexplored and not fully considered by States. In 2016, the Fifth Review Conference of the Member States of the United Nations (UN) Convention on Conventional Weapons (CCW) decided to include an assessment of the compatibility of AWS with IHRL in the list of issues to be discussed by the newly established open-ended Group of Governmental Experts (GGE) on AWS.2  McLaughlin and Nasu (2014), p. 2.  Final document of the Fifth Review Conference of the High Contracting Parties to the Convention on Prohibitions or Restrictions on the Use of Certain Conventional Weapons Which May Be 1 2

A. Spagnolo (*) University of Turin, Turin, Italy e-mail: [email protected] © Springer Nature Switzerland AG 2019 E. Carpanelli, N. Lazzerini (eds.), Use and Misuse of New Technologies, https://doi.org/10.1007/978-3-030-05648-3_3

55

56

A. Spagnolo

Despite this, the GGE met for the first time in November 2017 and decided not to deal with human rights related issues, as this would have altered its mandate.3 The same approach was followed at the following meetings of the GGE, which were still focused on the definition of AWS and on their potential military applications. Indeed, the Possible Guiding Principles drafted by the GGE and attached to the Final Report of 2018 deal only with preliminary and general IHL issues and do not touch upon any IHRL considerations.4 States’ lack of interest in the compatibility of AWS with IHRL can find a justification in the apparently scarce practice related to the use of AWS outside the context of an armed conflict. Moreover, contrary to IHL, IHRL does not contain specific limitations on the use of weapons and does not foresee any review mechanisms such as that established by Article 36 of the Additional Protocol I to the Geneva Conventions.5 Such a justification, however, seems no more tenable, for at least two reasons. Firstly, despite the absence of specific treaty limitations, States’ freedom to choose the means and methods for law enforcement activities is nonetheless constrained by the standards flowing from the rules enshrined in human rights treaties, as elaborated upon by the case law of international and regional human rights bodies.6 Secondly, States are more and more rapidly going to develop automated systems for performing a wide range of law enforcement operations and are investing significant? economic resources to this end. One of the non-governmental actor that submitted papers to the latest GGE meeting, the ICT for Peace Foundation, precisely pointed out that an approach to AWS entirely focused on wartime related threats is reductive.7 Deemed to Be Excessively Injurious or to Have Indiscriminate Effects (12–16 December 2016) CCW/CONF.V/10, Decision 1. 3  Group of Governmental Experts of the High Contracting Parties to the Convention on Prohibitions or Restrictions on the Use of Certain Conventional Weapons Which May Be Deemed to Be Excessively Injurious or to Have Indiscriminate Effects, Report of the 2017 session of the Group of Governmental Experts on Lethal Autonomous Weapons Systems (LAWS) CCW/GGE.1/2017/ CRP.1, para. 21. 4  Group of Governmental Experts of the High Contracting Parties to the Convention on Prohibitions or Restrictions on the Use of Certain Conventional Weapons Which May Be Deemed to Be Excessively Injurious or to Have Indiscriminate Effects, Report of the 2018 session of the Group of Governmental Experts on Lethal Autonomous Weapons Systems (LAWS) CCW/GGE.1/2018/3, para. 26. 5  Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts (Protocol I), of 8 June 1977, Article 36: “In the study, development, acquisition or adoption of a new weapon, means or method of warfare, a High Contracting Party is under an obligation to determine whether its employment would, in some or all circumstances, be prohibited by this Protocol or by any other rule of international law applicable to the High Contracting Party”. 6  This has constantly been affirmed by the European Court of Human Rights in its case-law. See, e.g., Ergi v Turkey (App. Nos. 66/1997/850/1057), ECtHR [GC], judgment of 28 July 1998, para. 79; Isayeva, Yusupova and Bazayeva v Russia (App. Nos. 57947/00, 57948/00 and 57949/00), ECtHR [GC], judgment of 24 February 2005, paras. 195–200. 7  See ICT for Peace Foundation, Artificial Intelligence: Autonomous Technology (AT), Lethal Autonomous Weapons Systems (LAWS) and Peace Time Threats, Zurich, 21 February 2018.

What Do Human Rights Really Say About the Use of Autonomous Weapons Systems…

57

It is not surprising, therefore, that the need to study the compatibility of AWS with IHRL is becoming an issue in the scholarly debate. Christopher Heyns—­ former United Nations Special Rapporteur on extrajudicial, summary or arbitrary executions—deserves the credit of bringing the topic to the attention of the Human Rights Council in his 2013 Annual Report.8 In 2016, he also published an article on the compatibility of AWS with IHRL.9 On the same year, the European Parliament commissioned a study that was authored and published by Nils Melzer, who devoted a section of his work to the compatibility of AWS with IHRL.10 One year after, in 2014, Human Rights Watch (HRW) published a report11 on this issue. The present UN Special Rapporteur on extrajudicial, summary or arbitrary executions, Agnes Callamard, decided to deal with AWS in her 2016 Report to the General Assembly, although she did not directly touch on the compatibility of these weapons with IHRL.12 More recently, in 2017, the Geneva Academy of International Humanitarian Law and Human Rights published an extensive research authored by Maya Brehm,13 while Helmut Aust published an article on the impact of the exercise of “algorithmic authority” on human rights.14 Last but not least, the Human Rights Committee stressed the importance of the compatibility of AWS with the right to life in the recently adopted General Comment n. 36.15 The literature approaches the compatibility of AWS with IHRL from a twofold perspective. The first aims to answer the question of whether AWS are compatible with already existing IHRL (and, if yes, to what extent). This is, particularly, the approach followed by Heyns, Melzer and Brehm, who conclude that AWS are hardly compatible with human rights standards, particularly when it comes to consider the respect of the right to life (Heyns). According to a second perspective, followed by Aust in his a recent piece, IHRL, as it stands, cannot help limiting what he calls the “de-humanising tendencies of algorithmic authority”, which can be regulated only through a political process.16 If one tries to track the roots of the two above-mentioned perspectives, the first appears to be more grounded on a positivistic attitude towards AWS than the second, which underpins the realistic idea that society must adapt to the new phenomenon of AWS, and that the law—amongst which IHRL makes no exception—should follow. The two perspectives are perfectly compatible, because they imply that law  UNCHR, “Report of the Special Rapporteur on extrajudicial, summary or arbitrary executions, Christof Heyns” (2013), UN Doc. A/HRC/23/47, p. 16, paras. 82–85. 9  Heyns (2016), p. 350 ff. 10  Melzer (2013). 11  HRW, “Shaking the Foundations. The Human Rights Implications of Killer Robots” (12 May 2014), www.hrw.org/report/2014/05/12/shaking-foundations/human-rights-implications-killerrobots. 12  UNCHR, “Report of the Special Rapporteur on extrajudicial, summary or arbitrary executions” (2016), UN Doc A/71/372, p. 13. 13  Brehm (2017). 14  Aust (2019). 15  UNCHR, “General Comment No. 36 on Article 6 of the International Covenant on Civil and Political Rights, on the right to life” (2018), UN Doc. CCPR/C/GC/36, para. 65. 16  Ibid., p. 17. 8

58

A. Spagnolo

reforms are necessary in order to cope with the increasing role of Artificial Intelligence (AI) in everyday life. However, they differ on the role that human rights should play in this process. Heyns considers human rights as fundamental parameters for regulating the conduct of AWS in law enforcement, while Aust doubts that human rights could ever have an effective role. Against this background, the aim of this Chapter is to present more arguments in support of the view that human rights can help regulating AWS. Particularly, it will be maintained that an approach based on IHRL helps clarifying that the only possible and acceptable definition of autonomy implies a meaningful human control on the activities of AWS, thus fostering the idea that a ban on fully autonomous machines is desirable. From a methodological standpoint, this conclusion will be reached through an analysis of the positive obligations to protect human rights of the States. The reasons for this methodological choice are essentially two: (1) compliance with negative obligations to respect human rights is covered in the already-mentioned articles and studies, in particular in those published by Heyns, Melzer and Brehm; (2) positive obligations to protect human rights detail the legislative and procedural framework within which States’ action is tolerated. The second reason will be particularly illustrative of the impossibility to conceive fully autonomous technology in law enforcement operations.

2  H  uman Rights Implications of the Use of Autonomous Weapons Systems for Law Enforcement Purposes Ahead of presenting the content of States’ human rights positive obligations, it is useful—and even necessary—to identify the rights at stake, in order to better refine the following steps of the inquiry. Technological evolution, in fact, is already changing the way in which Governments exercise their authorities in respect of individuals. AI, in fact, has rapidly been imposing automated decision-making processes that regard many—if not all—of the aspects of everyone’s life.17 This statement applies to business related conduct as well as law enforcement operations.18 With regard to the latter area of governmental action, the introduction of AWS will be the most sensible consequence of the evolution of AI. Law enforcement is traditionally meant to cover “traditional public forces or police services […] with the primary objectives of maintaining law and order in civil society, and who are empowered by State to use force and/or special powers for these purposes”.19 As a consequence, the following reflections are applicable if and  See generally Johns (2016).  It is not possible to scrutinize the impact of the evolution of AI on the conduct of business-related activities. See, in this regard, Lopucki (2018). 19   This definition was coined by the Committee of Ministers of the Council of Europe: “Recommendation Rec(2001)10 of the Committee of Ministers to member States on the European Code of Police Ethics” (2001) Rec(2001)10, Appendix. 17 18

What Do Human Rights Really Say About the Use of Autonomous Weapons Systems…

59

when robots come to substitute for or be employed by law enforcement officials, as defined by the United Nations Code of Conduct.20 If one tries to match the definition of law enforcement with that of AWS, he or she would inevitably discover that what is at stake is the relationship occurring between Governments and individuals; a relationship that must be assessed through the prism of human rights. In fact, the logic of human rights is precisely based on the relationship between an individual and the authority that exercises jurisdiction upon them. As Tomuschat pointed out, human rights “are designed to reconcile the effectiveness of state power with the protection against the same state power”.21 When it comes to consider the use of AWS for law enforcement operations, the protection of the right to life is the most immediate concern. This is perfectly understandable: the right to life is deemed to be the cornerstone of the whole set of rules governing the use of force in law enforcement activities.22 Should machines be tasked with law enforcement duties, the life of civilians would be endangered by a decision-making process affected by an unpredictable degree of autonomy. However, the use of lethal force—and the respect for the right to life—does not represent the only reason for concern. The impact that AWS is going to have in the near future on domestic law enforcement will probably cover most—if not all—the dimensions of the exercise of States’ authority: from police operations involving the use of lethal force to patrolling activities across international borders or in crowded squares during a manifestation. Should this be the future, machines will be able to decide on their own on the basis of automated processes. Consequently, during such a process data will be collected, stored, analyzed and used through algorithms. In order to take autonomous decisions, machines will probably decide on the basis of software that will help them in predicting the likelihood of a given scenario.23 In fact, it is reasonable to opine that, when AWS are tasked with law enforcement duties, they must be aware of all the details of an operative scenario. Paradoxically, from the perspective of the protection of the right to life, this would even be desirable, as a perfect understanding of a scenario is crucial to avoid unintended killings. This would inevitably imply a preliminary screening of individuals and places, which involves mass surveillance operations and an automatic processing of data.24

 “The term ‘law enforcement officials’ includes all officers of the law, whether appointed or elected, who exercise police powers, especially the powers of arrest or detention”. See UNGA Resolution 169 “Code of Conduct for Law Enforcement Officials” (1979), GAOR 34th Session, Article 1 (“UN Code of Conduct”). 21  Tomuschat (2008), p. 8. 22  See Melzer (2009), p. 91 ff. 23  This is admitted by anti-ban scholars and experts of artificial intelligence. See, for example, Arkin (2009), p. 30: robots will have the technical ability “of independently and objectively monitoring ethical behavior in the battlefield by all parties and reporting infractions that might be observed”. 24  See on this Brehm (2017), pp. 52–54. 20

60

A. Spagnolo

The employment of AWS can have a fueling impact on States’ recourse to new technologies for law enforcement purposes, contributing to the so-called “bulk collection of data”.25 The impact of the use of AWS on the right to privacy might have a cascade effect on other rights. In fact, once AWS will be required to collect and—eventually— store data, they will probably be equipped with software that will enable them to process such data. It cannot be excluded that such software will permit AWS to make predictions. Perhaps, they could be used to help in determining when the use of lethal force is necessary or proportionate. This scenario is even admitted by the scholars who do not call for a complete ban on AWS. Schmitt and Thurnher, in fact, refers to “pattern of life analysis”, which will enable machines to detect individuals who possess certain attributes.26 Such a conduct would probably constitute a “profiling” activity that, according to a Council of Europe’s recommendation, can be defined as: an automatic data processing technique that consists of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.27

Profiling of personal data would bear a risk of violating not only the right to life and the right to privacy, but also the right not to be discriminated against,28 which is affirmed in all human rights treaties.29 A failure to limit the bulk collection of data, therefore, could ultimately have tremendous implications on democracy.30 The debate related to the impact of technological evolution on the right to privacy is topical as recent States’ programs are showing a dangerous attitude towards the treatment of personal data. The evolution of technologies, in fact, allows private and public entities to collect and store individual data. It is no coincidence that the Human Rights Council appointed, in 2015, a Special Rapporteur on the Right to Privacy31 and that the United Nations General Assembly approved, in 2013, a resolution on this delicate topic.32  See, for instance, “Technological convergence, artificial intelligence and human rights”, Report of the Committee on Culture, Science, Education and Media of the Parliamentary Assembly of the Council of Europe, Doc. 14288 of 10 April 2017, para. 53. 26  Schmitt and Thurnher (2013), p. 268. 27  Recommendation CM/Rec(2010)13 of the Committee of Ministers to member States on the protection of individuals with regard to automatic processing of personal data in the context of profiling, Adopted by the Committee of Ministers on 23 November 2010 at the 1099th meeting of the Ministers’ Deputies. See the Appendix at 1, (e). 28  See for example: UNCHR, “Report of the Special Rapporteur on contemporary forms of racism, racial discrimination, xenophobia and related intolerance” (2015), UN Doc A/HRC/29/46. 29  ICCPR, Article 17; ECHR, Article 8; ACHR, Article 11. 30  Klass and Others v Germany (App No. 5029/71), ECtHR [GC], judgment of 6 September 1978, para. 49: “the Court stresses that this does not mean that the Contracting States enjoy an unlimited discretion to subject persons within their jurisdiction to secret surveillance. The Court, being aware of the danger such a law poses of undermining or even destroying democracy on the ground of defending it”. 31  HRC, “Resolution adopted by the Human Rights Council” (2015), UN Doc A/HRC/RES/28/16. 32  UNGA, ‘The right to privacy in the digital age” (2014), UN Doc A/RES/68/167. 25

What Do Human Rights Really Say About the Use of Autonomous Weapons Systems…

61

The major issues of concern regarding the right to privacy in the digital age lie in the constant and rapid technological development, which is going to enable individuals all over the world to use new information and communication technologies, while enhancing the capacity of governments to undertake surveillance, interception and data collection.33 Data protection is at the core of a debate on the risks that new technologies pose on the enjoyment of the right to privacy; in the European Union a thorough reform of EU data protection rules is feeding the discussion.34

3  T  he Positive Dimension of Human Rights in the Regulation of Autonomous Weapons Systems The findings of the previous Section help identifying the most critical aspect of the “effectiveness of State power” when AWS are used: the automation of the decision-­ making process in the context of law enforcement activities. The absence—whether absolute or relative—of human intervention in such a process risks to deprive machines of the appropriate sensibility to deal with a given scenario. Yet, the antidote—the collection of data—can be the source of another major problem: the bulk collection of data, which might represents a violation of the right to privacy. The following questions should therefore be: what can States do to regulate the use of AWS in order to comply with human rights standards? The answer goes clearly beyond the mere abstention from violating human rights. In fact, according to IHRL, States must not only abide by negative obligations flowing from universal and regional covenants and conventions, but also by positive duties arising from the same sources.35 In fact, States are bound to ensure and to secure human rights to individuals under their jurisdiction. To this end, international jurisprudence has referred to the due diligence standard, interpreted as “the reasonable measure of prevention that a well-administered government could be expected to exercise in similar circumstances”.36 It is therefore useful to briefly sum up the main corollary of the positive obligation to protect the right to life and the positive steps that States should endeavor to accomplish in order to respect the right to privacy.

 Ibid.  European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016) OJ L 119/1. See also European Parliament and Council Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JH (2016) OJ L 119/89. 35  See more in general Shelton and Gould (2013), pp. 564–568. 36  Shelton (2013), p. 23. 33 34

62

A. Spagnolo

3.1  The Positive Obligation to Protect the Right to Life IHRL imposes on Governments a duty to protect the life of individuals under their jurisdiction.37 This obligation applies both when the harmful conduct is performed by a State’s agent or by a private person or entity38 and extends to “any activity, whether public or not, in which the right to life may be at stake”.39 Such a duty has broadly been interpreted by the European Court of Human Rights (ECtHR), which has constantly affirmed that: The positive obligation to take all appropriate steps to safeguard life for the purposes of Article 2 entails above all a primary duty on the State to put in place a legislative and administrative framework designed to provide effective deterrence against threats to the right to life.40

That being so, domestic authorities have the “primary duty to secure the right to life by putting in place effective criminal-law provisions to deter the commission of offences against the person”,41 but also the duty “to take preventive operational measures to protect an individual whose life is at risk from the criminal acts of another individual”.42 This statement has several implications. The positive duty of States to put in place operational measures translates into a more specific obligation to strictly supervise the conduct of their law enforcement agents, particularly in the course of operations involving—or potentially involving—the use of force.43 The ECtHR, in this regard, has explicitly affirmed that: as well as being authorised under national law, policing operations must be sufficiently regulated by it, within the framework of a system of adequate and effective safeguards against arbitrariness and abuse of force, and even against avoidable accident.44

Such a framework, according to the ECtHR, includes training for members of the police forces “not only on the basis of the letter of the relevant regulations but also

 See in general on this issue Pisillo Mazzeschi (2008), p. 390 ff.  See UNCHR, “General Comment No. 31. The Nature of the General Legal Obligation Imposed on States Parties to the Covenant” (2014), UN Doc CCPR/C/21/Rev.1/Add. 13, para. 8. UNCHR, “General Comment No. 6: Article 6 (Right to Life)” (1982), para. 3: “The Committee considers that States parties should take measures not only to prevent and punish deprivation of life by criminal acts, but also to prevent arbitrary killing by their own security forces”. 39  Öneryildiz v Turkey (App No. 48939/99), ECtHR [GC], judgment of 30 November 2004, para. 71. 40  Ibid., para. 89. 41  Osman v. the United Kingdom (App. No. 23452/94), ECtHR [GC], judgment of 28 October 1998, para. 115. 42  Ibid. 43  McCann and Others v the United Kingdom (App No. 18984/91), ECtHR [GC], judgment of 27 September 1995, para. 153; Nachova and Others v Bulgaria (App. No 43577/98), ECtHR [GC], judgment of 6 July 2005, para. 95; Makaratzis v Greece (App No. 50385/99), ECtHR [GC], 20 December 2004, para. 11. 44  Again Makaratzis cit., para. 58. 37 38

What Do Human Rights Really Say About the Use of Autonomous Weapons Systems…

63

with due regard to the pre-eminence of respect for human life as a fundamental value”.45 The positive obligation to protect life extends also to the situations in which the life of individuals is at risk because of dangerous activities carried on or controlled by States. Here the ECtHR has established that States have the duty to adopt suitable regulations governing the licensing, setting up, operation, security and supervision of the activity and making it compulsory for all those concerned to take the necessary practical measures.46 On a different level, and to a certain extent, States bear the positive duty to protect individuals in their horizontal relations. According to the test developed by the ECtHR, States are responsible if they “knew or ought to have known at the time of the existence of a real and immediate risk to the life of an identified individual”.47 Last, but not least, the positive obligations of States to protect life entail a duty to investigate into an alleged deprivation of life. Although it is clear in the case law of international courts that this is an obligation of means, rather than an obligation of result,48 investigations must be immediate, exhaustive and impartial, as well as independent in hierarchical, institutional and practical terms.49 The Human Rights Committee’s General Comment n. 36  on the right to life goes even further by requesting that “investigations into allegations of violation of article 6 [of the International Covenant of Civil and Political Rights] must always be independent, impartial, prompt, thorough, effective, credible and transparent”.50 This means that investigations can either be publicly available or result in securing accountability.51 The publicity of the investigations are explained by the ECtHR with great clarity in the Nachova judgment, where it held that: There must be a sufficient element of public scrutiny of the investigation or its results to secure accountability in practice as well as in theory, maintain public confidence in the authorities’ adherence to the rule of law and prevent any appearance of collusion in or tolerance of unlawful acts.52

 Nachova and Others cit., para. 97.  Oneryildiz cit., para. 90; L.C.B. v United Kingdom (App. No. 23413/94), ECtHR [GC], judgement of 9 June 1998, para. 36. 47  Osman cit., para. 116; Demiray v Turkey (App No. 27308/95), ECtHR [GC], judgment of 21 November 2000, para. 45. 48  Pisillo Mazzeschi (2008), pp. 414–417. The ECtHR put it clearly in Kelly and Others v United Kingdom (App. No. 30054/96), ECtHR [GC], judgment of 4 May 2001, para. 96. The same approach is adopted by the Inter-American Court of Human Rights in Velasquez Rodriguez Case, Series C No. 4, IACtHR, judgment of 29 July 1988, paras. 176–177. 49  This is confirmed in international jurisprudence. See, for example, Isayeva, Yusupova and Bazayeva v Russia (App Nos. 57947/00, 57948/00 and 57949/00) ECtHR [GC], judgment of 24 February 2005, para. 210. See also Report No. 55/97, Case No. 11.137: Argentina, Inter-American Commission on Human Rights, OEA/ Ser/L/V/II.98, Doc. 38 (6 December 1997), para. 412. 50  UNCHR, General Comment No. 36, cit., para. 28. 51  Özkan and Others v Turkey (App. No. 21689/93), ECtHR, judgment of 6 April 2004, para. 314. 52  Nachova and Others cit., para. 119. 45 46

64

A. Spagnolo

3.2  T  he Positive Steps in Order to Secure That the Collection of Data Complies with Human Rights Standards According to IHRL, limitations of the right to privacy can take place only if States’ measures respect the principles of legality, legitimacy and proportionality. The principle of legality is the most important among the parameters for evaluating States’ interference with the enjoyment of human rights.53 In fact, violations or limitations can be justified only if they are grounded on a law that can be accessible to individuals. This is a generalized principle which is common to all human rights treaties. The American Convention on Human Rights (ACHR) put it clearly and generally in Article 30: The restrictions that, pursuant to this Convention, may be placed on the enjoyment or exercise of the rights or freedoms recognized herein may not be applied except in accordance with laws enacted for reasons of general interest and in accordance with the purpose for which such restrictions have been established.54

The International Covenant on Civil and Political Rights (ICCPR) and the European Convention on Human Rights (ECHR) do not have such a general clause; nonetheless, the principle of legality is mentioned in relation to the single rights listed therein.55 Interferences with fundamental freedoms and, in our specific case, the right to privacy can be tolerated only if “they take place on the basis of law”.56 The legality test requires that “relevant legislation must specify in detail the precise circumstances in which such interferences may be permitted” (emphasis added).57 This is confirmed in the jurisprudence of international courts and, in particular, in that of the ECtHR that introduced the concept of the “quality of the law”, adding that “there must be a measure of legal protection in domestic law against arbitrary interferences by public authorities with the rights safeguarded by paragraph 1 [of Article 8 of the ECHR]” (emphasis added).58 States are asked to pay attention to the revision of their existing laws in order to cope with the evolution of modern technologies. This has been recently affirmed by the UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism in its 2014 Annual Report to the

 Tomuschat (2008), pp. 93–94.  ACHR, Article 30. 55  ECHR, Article 8(2). The ICCPR in Article 17 prohibits “arbitrary or unlawful interference with his privacy” (emphasis added). 56  UNCHR, “General Comment No. 16” in “Note by the Secretariat, Compilation of General Comments and General Recommendations adopted by Human Rights Treaty Bodies” (1988), UN Doc HRI/GEN/1/Rev.1, Vol. I, 191, para. 4. 57  Ibid., para. 8. 58  See, for example, Rotaru v Romania (App. No. 28341/95), ECtHR [GC], judgment of 4 May 2000, para. 55. 53 54

What Do Human Rights Really Say About the Use of Autonomous Weapons Systems…

65

UN General Assembly.59 The Special Rapporteur did not simply reaffirm one of the requisites of the so-called “quality of the law” principle, firmly established in the jurisprudence of the ECtHR, but went a step further affirming that: A public legislative process provides an opportunity for Governments to justify mass surveillance measures to the public. Open debate enables the public to appreciate the balance that is being struck between privacy and security. A transparent law-making process should also identify the vulnerabilities inherent in digital communications systems, enabling users to make informed choices […] it is also a valuable means of ensuring effective public participation in a debate on a matter of national and international public interest.60

A legal basis is not the only requirement for considering acceptable a limitation on the right to privacy; rather, interferences must also pursue a legitimate aim and be proportional. The first requirement is usually interpreted by international courts in a broad sense. Law enforcement activities to maintain public order are normally regarded as legitimate aims that justify a limitation of the right to privacy. However, this approach was recently challenged by the UN Special Rapporteur on the Freedom of Expression, who stated that: The use of an amorphous concept of national security to justify invasive limitations on the enjoyment of human rights is of serious concern. The concept is broadly defined and is thus vulnerable to manipulation by the State.61

This is an interesting statement for the purposes of the present inquiry. In fact, if AWS were to be deployed for a constant surveillance action, the law enforcement justification would be perennial and, as a result, individuals would be subjected to a constant monitoring activity by their Governments.62 By contrast, international courts—in particular the ECtHR—discussed deeply the requirement of proportionality, according to which a limitation on the right to privacy is tolerable when there are adequate and effective guarantees against abuse. The assessment that the ECtHR usually makes depends on all the circumstances of a given case, such as the nature, scope and duration of the possible measures, the grounds required for ordering them, the authorities competent to authorise, carry out and supervise them, and the kind of remedy provided by the national law.63 Recently, the ECtHR delivered some important judgments that specify the content of States’ obligation to respect privacy in the context of their surveillance programs. In the Szabo and Vissy v Hungary case, the Court declared that the  UNCHR, “Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism” (2014), UN Doc A/69/397, para. 35 ff. 60  Ibid., para. 39. 61  UNCHR, “Report of Special Rapporteur on the Freedom of Expression” (2013), UN Doc A/ HRC/23/40, para. 58. 62  In this regard, the words of Christopher Heyns in his 2013 Report are rather paradigmatic: “The danger here is that the world is seen as a single, large and perpetual battlefield and force is used without meeting the threshold requirements. LARs could aggravate these problems”. See UNCHR, “Report of the Special Rapporteur on extrajudicial, summary or arbitrary executions, Christof Heyns”, para. 83. 63  Klass and Others cit., para. 50. 59

66

A. Spagnolo

anti-terrorist Hungarian surveillance legislation was contrary to the ECHR because it had enabled the Government to use new technologies to intercept masses of data without offering any reasonable guarantee to individuals.64 In the Zakharov v Russia judgment, the Court found that the Russian legal provisions governing interception of communications did not provide for adequate and effective guarantees against arbitrariness and the risk of abuse. For example, critical factors were identified in: the circumstances in which public authorities in Russia are empowered to resort to secret surveillance measures; the duration of such measures; the procedures for authorising interception as well as for storing and destroying the intercepted data; and, finally, in the supervision mechanism of the interception.65 It derives that the positive dimension of the right to privacy requires States to ensure, at least, that victims of violations have an effective remedy. The case law of the ECtHR clarified that for a remedy to be effective it must be capable of ending ongoing violations, ordering the deletion of data or other forms of reparation.66 As a preliminary issue, the individual whose data are collected should be able to realize that she or he is under surveillance67 in order to activate remedial mechanisms. Such mechanisms could well be of a non-judicial character, provided that they are independent and governed by due-process guarantees.68 Recent practice of the ECtHR— reference is, again, to the Zakharov and the Szabo and Vissy cases—showed that it is incumbent upon the Government to demonstrate that a remedy, or an oversight mechanism, comply with this scheme.

4  A Human Rights Oriented Regulation In the absence of any specific regulations on the use of AWS for law enforcement purposes—or operations—, the rules and principles described in the previous paragraph imposes on States certain procedural obligations that needs to be follow in order to comply with IHRL. As seen, States’ positive obligations vary according to the type of States’ activities and to the nature of the rights, but seem to pose an undeniable duty on States to avoid that interferences happen outside a legal framework. Thus, States are not relieved from respecting human rights solely because they delegate their authority to machines.  Szabo and Vissy v Hungary (App. No. 37138/14), ECtHR [GC], judgment of 12 January 2016, para. 82. 65  Roman Zakharov v. Russia (App. No. 47143/06), ECtHR [GC], judgment of 4 December 2015, para. 231. 66  UNGA, “The right to privacy in the digital age” cit., para. 40. 67  Szabo and Vissy v Hungary cit., paras. 85–87. 68  See Klass and Others cit., para. 56. See also Joint Declaration on surveillance programs and their impact on freedom of expression, issued by the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression and the Special Rapporteur for Freedom of Expression of the Inter-American Court of Human Rights, June 2013, para. 9. 64

What Do Human Rights Really Say About the Use of Autonomous Weapons Systems…

67

This duty imposes on Governments, as a corollary, an obligation to plan, organize and control a law enforcement operation to minimize the use of lethal force. To the same end, this also implies that law enforcement officials must be trained to cope with emergency scenarios.69 Applying this preliminary finding to the use of AWS for law enforcement purposes, it appears quite clearly that States bear the obligation to control and to supervise any actions realized by the machines. The positive obligation to protect the right to life translates in two specific duties: (1) there must be an adequate legal framework that regulates the use of AWS that foresees the possibility of humans to monitor machines’ conduct; (2) when the State’s agent that remotely controls or supervises a drone or a robot notices an imminent threat to the life of a person, he or she should intervene to halt the machine. The majority of non-governmental actors that submitted position papers for the last-in-time meeting of the GGE on LAWS in Geneva seems to be inspired by a similar approach. In fact, the International Panel on the Regulation of Autonomous Weapons recommended that “the ability for humans to actively intervene prior to the ultimate use of force should be a default feature”.70 On similar tones, according to the ICT for Peace Foundation: “[p]rinciples guiding AI research could require programmers and engineers only to develop technological artefacts whose outcomes will stay controllable for humans”.71 Although it is possible to count a dissenting voice among the non-governmental actors intervened,72 it is difficult to deny that civil society tends to consider necessary a human supervision in the conduct of AWS. The positive obligation to protect life could in principle entail also a duty to avoid malfunctioning in the machines’ performance. During the Fifth Conference of the States Parties to the CCW, it was highlighted that: one of the dangers is that these weapons could lead to strategies diluting or concealing true responsibilities in case of collateral damages. If armed machines provoke such damages it is easy and tempting, on the part of those who use them, to invoke technical malfunctions rather than face their responsibility.73

This appears to be a manifestation of the principle of due diligence to prevent human rights violations.74 One might wonder whether the principle of due diligence can force States to scrutinize the performance of the machines since the moment of their inception and, therefore, to liaise with industrial companies in order to avoid  Nachova and Others cit., para. 97; see also the Court’s criticism of the “shoot to kill” instructions given to soldiers in McCann and Others, paras. 211–214. 70  ICT for Peace Foundation, Artificial Intelligence cit., p. 19. 71  Ibid., p. 22. 72  See the paper of the Center for Autonomy and Artificial Intelligence, of the Center for Naval Analysis, authored by Larry Lewis, pp. 23–24. 73  Comments Supporting the Prohibition of Lethal Autonomous Weapons Systems Working Paper submitted by the Holy See, 7 April 2016, p. 2. 74  See again Pisillo Mazzeschi (2008), p. 394, specifically. See also Pisillo Mazzeschi (1992), p. 9. See also Barnidge (2006), p. 81. 69

68

A. Spagnolo

the development of machines that could potentially act contrary to human rights. Although a duty to monitor the transfer of arms might appear to be a far-reaching interpretation of the positive obligation to protect the right to life,75 it is clear that States should be bound, at least, to a pro-active review of the AWS at their disposal. Another layer of positive obligations is represented by the duty to investigate deprivations of life and to provide effective remedies when personal data are indiscriminately collected. Applying such a duty in cases where the use of AWS for domestic law enforcement purposes causes lethal, or quasi-lethal, incidents might prove to be a difficult task for States, notably in the event that completely automated machines were employed. Indeed, accountability would hardly be secured: one cannot envisage a “court for robots”, given that cannot be punished.76 Proposals to hold accountable commanders and programmers have already been criticized as incompatible with the mens rea requirement.77 The least a Government can do is to properly assess the decision-making process that leads to civilian casualties. The preceding analysis is true for the protection of the right to life, but if States want to employ AWS for performing law enforcement duties, they should also strictly regulate the collection of data to which machines will inevitably contribute. Should AWS carry out mass surveillance programs, States must provide a clear and accessible legislative framework for protecting individuals under their jurisdiction from abuses. Such a duty adds another layer of protection in the legislative framework that States must create for complying with IHRL. Furthermore, enforcement duties performed by AWS might see the involvement of private companies. At present, this is normal practice in the treatment of data. It happens frequently, in fact, that data are stored by private actors and requested by States when needed.78 Moreover, States would also be required to establish effective remedies for the cancellation of data. This is the approach followed in the newly adopted EU General Data Protection Regulation, which establishes the right to object at any time to the processing of data (Article 21) and the right not to be subject to a decision based solely on automated processing of data (Article 22). These two rights might create the legal basis for judicial actions that could challenge automated decision-making processes, such as those that would characterize the use of AWS. Both the right to life and the right to privacy demand a regulation of the use of AWS in domestic law enforcement that must meet the “quality of the law” threshold; a threshold that is met by domestic laws that are accessible, that make future

 See accordingly Brehm (2008), pp. 382–383.  See HRW, “Shaking the Foundations. The Human Rights Implications of Killer Robots”, p. 19. See more in depth on this issue Sparrow (2007), p. 72. 77  For a discussion on this see Amoroso and Tamburrini (2018), pp. 6–7. See also HRW, “Shaking the Foundations” cit., p. 20. 78  Haase and Peters (2017), p. 126 ff. 75 76

What Do Human Rights Really Say About the Use of Autonomous Weapons Systems…

69

Governmental actions predictable and that provide adequate and effective guarantees against abuse. In other words, laws that make the recourse to AWS “transparent”.79 A call for transparency has already been made by several Governments of States Parties to the Convention on Certain Conventional Weapons in 201580 and by NGOs such as Human Rights Watch, Article 36 and Amnesty International.81 Christopher Heyns, in his capacity as UN Special Rapporteur, has already brought the attention of the UN to the issue of transparency in his 2013 Report, recommending that “it will be important to ensure that transparency, accountability and the rule of law are placed on the agenda from the start” and emphasizing “the need for full transparency regarding all aspects of the development of robotic weapon systems”.82 The European Union Parliament, that recently engaged with robotics, pointed to the principle of transparency in a Report published in 2017. Transparency is described as requiring that it should always be possible to supply the rationale behind any decision taken with the aid of AI that can have a substantive impact on one or more persons’ lives; considers that it must always be possible to reduce the AI system’s computations to a form comprehensible by humans; considers that advanced robots should be equipped with a ‘black box’ which records data on every transaction carried out by the machine, including the logic that contributed to its decisions.83

As regards the use of AWS in domestic law enforcement, although no weapons review mechanisms are foreseen in IHRL, the “quality of the law” requirement apparently entails a duty of reviewing the use of new weapons. Be that as it may, one might ask if a call for (more) transparency really satisfies the requirements of positive obligations posed by IHRL.  For example: would an explanation based on complex probabilistic and algorithmic analytics be acceptable for the relatives of a victim?84 The demands for justice by relatives of civilians killed as a result of the conduct of AWS will likely remain unanswered. Or, and this is even worse, the answer may  See, generally, Knuckey (2016), p. 164 ff. and Bhuta and Pantazopoulos (2016), p. 299. See also Sassoli (2014), p. 338. 80  Germany, statement on Transparency to the 2015 CCW Meeting of Experts on Lethal Autonomous Weapons Systems (17 April 2015); Sweden, statement on Transparency and the Way Forward to the 2015 CCW Meeting of Experts on Lethal Autonomous Weapons Systems (17 April 2015); Ghana, statement to the 2015 CCW Meeting of Experts on Lethal Autonomous Weapons Systems (17 April 2015). 81  Article 36, “Structuring debate on autonomous weapons systems: memorandum for delegates to the Convention on Certain Conventional Weapons” (November 2013) 3; Amnesty International, “Moratorium on fully autonomous robotics weapons needed to allow the UN to consider fully their far-reaching implications and protect human rights”, written statement to the 23rd session of the UN Human Rights Council (22 May 2013); HRW, “Shaking the Foundations” cit., p. 47. 82  UNCHR, “Report of the Special Rapporteur on extrajudicial, summary or arbitrary executions, Christof Heyns” cit., paras. 111 and 115. 83  European Parliament, Report with recommendations to the Commission on Civil Law Rules on Robotics (2015/2103(INL)), 27 January 2017, p. 10, para. 12. 84  See on this point Burrell (2016), p. 1. 79

70

A. Spagnolo

be totally unintelligible, making it impossible to understand the process that led to a certain event. The same goes for all the individuals whose data will be collected by AWS for law enforcement duties; a right to obtain an explanation, in fact, does not seem to exist even in the EU General Data Protection Regulation.85 In April 2017, the Science and Technology Committee of the Parliament of the United Kingdom launched an inquiry into algorithmic decision-making.86 The written evidence received so far from technology experts is interesting. One expert said that “Algorithms used in decision-making can be too complex to describe in clear English” and that “Data used in algorithms can go through multiple levels of abstraction such that it is impossible to determine the original input”.87 Another expert proposed the introduction of a “lingua franca” that institutions should adopt “to explain their decisions in cases where humans are affected and involved […] to make sure that non-experts, courts and media can understand what went on”.88 Finally, an expert warned that “alone, transparency mechanisms can encourage false binaries between ‘invisible’ and ‘visible’ algorithms, failing to enact scrutiny on important systems that are less visible”.89 Transparency, therefore, is not enough if it leads to unintelligible sources. It may satisfy the principle of legality, but it does not help, as such, to ensure accountability.

5  Conclusive Remarks The findings of the previous Sections clearly show that an approach to the regulation of AWS based on human rights makes it inevitable to keep some degree of human intervention. This appears to be the result of the positive obligations that States must respect in the framework of IHRL. In particular, this brief inquiry proves that the jurisprudential characterization of States’ duty to protect the right to life and the right to privacy implies a human supervision of AWS. This inevitably excludes any forms of fully autonomous weapons being compliant with IHRL. It is possible to ground this conclusion on two considerations that  See accordingly Wachter et al. (2017), p. 76 ff.  See www.parliament.uk/business/committees/committees-a-z/commons-select/science-andtechnology-committee/news-parliament-2015/algorithms-in-decision-making-inquiry-launch16-17/. 87  Written evidence submitted by Dr. Janet Bastiman (ALG0029) http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/science-and-technology-committee/algorithms-indecisionmaking/written/68990.html. 88  Written evidence submitted by Simul Systems Ltd (ALG0007) http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/science-and-technology-committee/algorithms-indecisionmaking/written/49780.html. 89  Written evidence submitted by Dr Alison Powell (ALG0067) http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/science-and-technology-committee/algorithms-indecisionmaking/written/69121.html. 85 86

What Do Human Rights Really Say About the Use of Autonomous Weapons Systems…

71

emerge from the investigation presented in this Chapter. First, States are bound to strictly regulate the use of AWS and the content of the regulation must entail the duty of States to activate themselves to establish safeguarding systems and mechanisms that enable States’ agents to prevent human rights abuses, particularly when the life of individuals is endangered. This consideration extends to the protection of the right to privacy, though with a different degree of States’ engagement. States’ regulation must, in fact, be apt to limit the bulk collection of data and to prevent such a collection from being indiscriminately used for law enforcement purposes; this inevitably means that the human supervision is necessary. A second consideration is common to both the positive obligation to protect the life and the right to privacy: the duty to make available effective remedies. As seen before, without a human intervention—hence, a person that can be held accountable for wrongdoings—any attempt to explain a fully automated decision-making processes would inevitably collide with an unintelligible language. It derives that States should endeavor to regulate only weapons systems that foresee a human control. This is currently under discussion as far as the use of AWS in armed conflicts is concerned, but is still absent from States’ agenda when it comes to considering other scenarios, such as domestic law enforcement ones. The mandate of the GGE established by States Parties to the CCW should therefore be modified in order to include an approach based on human rights.

References Amoroso, Daniele, and Guglielmo Tamburrini. 2018. The Ethical and Legal Case against Autonomy in Weapon Systems. Global Jurist 18: 1–20. Arkin, Robert. 2009. Governing Lethal Behaviour in Autonomous Robots. London: Chapman & Hall/CRC. Aust, Helmut. 2019. “The System Only Dreams in Total Darkness”: The Future of Human Rights Law in the Light of Algorithmic Authority. German Yearbook of International Law 60: 71–90. Barnidge, Robert P., Jr. 2006. The Due Diligence Principle under International Law. International Community Law Review 8: 81–121. Bhuta, Nehal, and Stavros-Evdokimos Pantazopoulos. 2016. Autonomy and Uncertainty: Increasingly Autonomous Weapons Systems and the International Legal Regulation of Risk. In Autonomous Weapons Systems: Law, Ethics, Policy, ed. Nehal Bhuta et  al., 284–300. Cambridge: Cambridge University Press. Brehm, Maya. 2008. The Arms Trade and States’ Duty to Ensure Respect for Humanitarian and Human Rights Law. Journal of Conflict & Security Law 12: 359–387. ———. 2017. Defending the Boundary. Constraints and Requirements on the Use of Autonomous Weapon Systems under International Humanitarian and Human Rights Law. Geneva Academy of International Humanitarian Law and Human Rights (Briefing No. 9). Burrell, Jenna. 2016. How the Machine “Thinks”: Understanding Opacity in Machine Learning Algorithms. Big Data & Society 3: 1–12. Haase, Adrian, and Emma Peters. 2017. Ubiquitous Computing and Increasing Engagement of Private Companies in Governmental Surveillance. International Data Privacy Law 7: 126–136. Heyns, Christopher. 2016. Human Rights and the Use of Autonomous Weapons Systems (AWS) During Domestic Law Enforcement. Human Rights Quarterly 38: 350–378.

72

A. Spagnolo

Johns, Fleur. 2016. Global Governance through the Pairing of List and Algorithm. Environment and Planning D: Society and Space 34: 126–149. Knuckey, Sarah. 2016. Autonomous Weapons Systems and Transparency: Towards an International Dialogue. In Autonomous Weapons Systems: Law, Ethics, Policy, ed. Nehal Bhuta et al., 164– 184. Cambridge: Cambridge University Press. Lopucki, Lynn M. 2018. Algorithmic Entities. Washington University Law Review 95: 887–953. McLaughlin, Robert, and Hitoshi Nasu. 2014. Introduction: Conundrum of New Technologies in the Law of Armed Conflict. In New Technologies and the Law of Armed Conflict, ed. Robert McLaughlin and Hitoshi Nasu, 1–17. The Hague: TMC Asser Press. Melzer, Nils. 2009. Targeted Killings in International Law. Oxford: Oxford University Press. ———. 2013. Human Rights Implications of the Usage of Drones and Unmanned Robots in Warfare. Directorate-General for External Policies of the Union. Directorate B.  Policy Department. Study. EXPO/B/DROI/2012/12. www.europarl.europa.eu/RegData/etudes/ etudes/join/2013/410220/EXPO-DROI_ET(2013)410220_EN.pdf. Pisillo Mazzeschi, Riccardo. 1992. The Due Diligence Rule and the Nature of the International Responsibility of States. German Yearbook of International Law 35: 9–51. ———. 2008. Responsabilité de l’État pour violation des obligations positives relatives aux droits de l’homme. Recueil des Cours de l’Académie de Droit International de La Haye 333: 171–506. Sassoli, Marco. 2014. Autonomous Weapons and International Humanitarian Law: Advantages, Open Technical Questions and Legal Issues to be Clarified. International Legal Studies 90: 308–340. Schmitt, Michael N., and Jeffrey S.  Thurnher. 2013. “Out of the Loop”: Autonomous Weapon Systems and the Law of Armed Conflict. Harvard National Security Journal 1: 231–281. Shelton, Dinah. 2013. Private Violence, Public Wrongs and the Responsibility of States. Fordham International Law Journal 13: 1–34. Shelton, Dinah, and Ariel Gould. 2013. Positive and Negative Obligations. In The Oxford Handbook of International Human Rights Law, ed. Dinah Shelton, 562–586. Oxford: Oxford University Press. Sparrow, Robert. 2007. Killer Robots. Journal of Applied Philosophy 24: 62–77. Tomuschat, Christian. 2008. Human Rights Between Idealism and Realism. Oxford: Oxford University Press. Wachter, Sandra, Brent Mittelstadt, and Luciano Floridi. 2017. Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation. International Data Privacy Law 7: 76–99.

Training and Education of Armed Forces in the Age of High-Tech Hostilities Marco Longobardo

Abstract  In recent decades, new technologies have so radically changed current warfare that, as a consequence, the very law of armed conflict had to be applied to new means and methods of warfare, such as unmanned aerial vehicles and cyber attacks, as well as autonomous weapon systems. This Chapter explores the impact of this high-tech trend on the education and training of the personnel of armed forces from two different perspectives. First, it explores what military training duties States have with respect to high-tech means and methods of warfare and, in particular, whether the law of armed conflict requires that States employing them provide specific military training to their armed forces. It is argued that States may be held responsible for the inadequate training of their soldiers in situations where this results in a violation of the principle of precaution. Second, the analysis aims at establishing whether a duty to provide international humanitarian law education and training exists with specific regard to high-tech means and methods of warfare, in light of State practice regarding the dissemination of international humanitarian law. Arguably, although a significant trend regarding the supply of specific instructions and education pertaining to high-tech means and methods of warfare does exist, the lack of a specific international humanitarian law education and training focusing on high-tech means and methods of warfare may not be considered a violation of international humanitarian law in every case.

M. Longobardo (*) University of Westminster, London, UK e-mail: [email protected] © Springer Nature Switzerland AG 2019 E. Carpanelli, N. Lazzerini (eds.), Use and Misuse of New Technologies, https://doi.org/10.1007/978-3-030-05648-3_4

73

74

M. Longobardo

1  Introduction This Chapter focuses on the education and training of the personnel of armed forces in relation to high-tech hostilities1 from the perspectives of States’ obligations and responsibilities under international humanitarian law.2 Usually, States’ international humanitarian law obligations are analysed in light of the actual conduct on the battlefield, with particular attention given to the decisions and actions of commanders. Contrary to this trend, this Chapter explores one topic that, par excellence, is preparatory with respect to the participation in an armed conflict: the training and education of armed forces under international humanitarian law in the context of high-tech hostilities. For the purposes of this study, “military training” refers to “the process of learning the skills you need to” conduct hostilities3 and, in particular, to employ high-­ tech means and methods of warfare, while “international humanitarian law training” and “education” refer to “the process of teaching or learning”4 the rules of international humanitarian law applicable to high-tech hostilities. In principle, both military and international humanitarian law training may be seen as sustained by conflicting rationales: while military training appears directly linked to the attainment of a military advantage, the international humanitarian law training seems more concerned with the reduction of the impact of hostilities upon individuals, in particular civilians and persons hors de combat. However, reducing the relationship between these two kinds of training to the tension between the two principles at the basis of international humanitarian law—the principle of military necessity and the principle of humanity—5 would be incorrect: a proficient military training enhances the humanitarian aspects of hostilities, while a thorough international humanitarian law training may contribute to the attainment of military advantages.6 Accordingly, the two kinds of training are often combined and are analysed here separately only for the limited purposes of this Chapter.

 The expression “high-tech” hostilities is employed in this work a-technically, as referred to all the means and methods of warfare that became available or commonplace in the last two decades, or which are under development at the time of the writing of this chapter, thanks to the developments of technology (such as cyber operations, unmanned aerial vehicles, and autonomous weapons). 2  In this work, the expressions “international humanitarian law”, “jus in bello”, and “law of armed conflict” are employed interchangeably as synonyms. On this terminology, see Kolb (2013), para. 1. 3  “Training”, Cambridge Dictionary online, https://dictionary.cambridge.org/dictionary/english/ training. 4  “Education”, Cambridge Dictionary online, https://dictionary.cambridge.org/dictionary/english/ education. 5  See Sandoz et al. (1987), para. 2206. On the principle of military necessity see, among others, Venturini (1988), Salvadego (2016). On the principle of humanity, see Cassese (1979) and Meron (2000). 6  Garraway (2002), p. 955. 1

Training and Education of Armed Forces in the Age of High-Tech Hostilities

75

After a preliminary section on the relationship between international humanitarian law and recent technological developments (Sect. 2), this Chapter first explores the evolution of military training and its relevance to the respect for international humanitarian law (Sect. 3). It demonstrates that, notwithstanding the fact that an effective military training is in the interest of the belligerents in order to achieve a military advantage, an inadequate military training may be relevant in the assessment of State responsibility regarding violations of international humanitarian law. The Chapter goes on to analyse the duty to disseminate the knowledge of international humanitarian law and its relevance with regard to the assessment of international responsibility arguing that, although international case law supports the idea that a lack of international humanitarian law training may involve State responsibility, the duty to provide adequate international humanitarian law education and training is not as well defined as to demand specific training with regard to high-tech hostilities (Sect. 4).

2  P  reliminary Reflections on New Technologies and the Regulation of Armed Conflicts In recent decades, the debate regarding the impact of new technologies on the legal regulation of armed conflict has monopolised the international legal discourse regarding international humanitarian law. For instance, the possibility of conducting hostilities in cyberspace has raised the question of whether the traditional rules developed to regulate hostilities on land, water, and sea are applicable in the cyber domain;7 the debate was articulated in particular with respect to the law applicable to cyber operations, that may be defined as “operations that involve the employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace”.8 Similarly, the increasing employment of unmanned aerial vehicles—namely, “small aircraft that fly by remote control or autonomously” which are “also known as remotely piloted aircraft or ‘drones’”9—sparked a huge debate regarding the right to life of the targeted individuals in light of both international humanitarian law and international human rights law.10 Even greater emphasis is placed upon the risks for international humanitarian law posed by autonomous weapons, the killer robots under development, which may be defined as “weapon system(s) that, once activated, can select and engage targets without further

 See, among many others, Harrison Dinniss (2012), Roscini (2014), Woltag (2014) and Schmitt (2017). 8  US Department of Defence, Law of War Manual (June 2015, update December 2016), Sect. 16.1.2. 9  US Department of Defence, Directive 3000.09 (21 November 2012), www.dtic.mil/whs/directives/corres/pdf/300009p.pdf. 10  See, among others, O’Connell (2012), Wagner (2014), Barela (2015) and Lucas (2016). 7

76

M. Longobardo

intervention by a human operator”.11 Similar weapons present the challenge of hostilities conducted without any human discernment—the element traditionally placed at the basis of many international humanitarian law rules.12 In the absence of any new specific treaty regulation,13 the general attitude of international humanitarian lawyers is to consider the law of armed conflict as applicable to these new phenomena.14 This idea is sound: what is perceived to be as a technological revolution today is only the most recent process in a never-ending evolution of the ways in which men kill other men. For instance, the rules on the protection of civilians are the same regardless of whether hostilities are conducted with swords, bows, muskets, bombers, drones, or robots; simply, civilians must not be made the object of attacks, period.15 In this sense, most international humanitarian law rules are “technology-indifferent”, that is, they govern “the conduct of hostilities and offer[] protection to persons not taking part in hostilities [] all quite irrespective of the means and methods of warfare the belligerents adopt and other technology that they use. As these rules seek to achieve certain (humanitarian) ends, all manner of technology may be involved in either breaching these rules or, conversely, securing compliance with them”.16 Several military manuals endorse this approach, considering the existing rules of international humanitarian law to be applicable to high-tech means and methods of warfare.17 Nihil novum sub sole, then? If one looks at the evolution of means and methods of warfare, similar challenges that contemporary international humanitarian lawyers are facing have been experienced for centuries every time a new means or method of warfare has become available thanks to new technical knowledge.18 The very idea at the basis of the employment of cyber operations, drones, autonomous weapons systems and similar high-tech means and methods of warfare—that is “the construction of the technological capacity to produce lethal results while exposing the operator to the least amount of risk of death or injury”19—is not new, but rather,  UN Office for the Coordination of Humanitarian Affairs, docs.unocha.org/sites/dms/Documents/ Unmanned%20Aerial%20Vehicles%20in%20Humanitarian%20Response%20OCHA%20 July%202014.pdf. 12  See, generally, Sassòli (2014), Bhuta et al. (2016) and Harris (2016). 13  On the different proposals regarding new treaty law to govern high-tech hostilities, see, generally, Liivoja (2015), pp. 1160–1161. 14  See, generally, Doswald-Beck (2002), p. 163; Saxon (2013), p. 2; Nasu and McLaughlin (2014), pp. 5–6; Roscini (2014), p. 281; Heintschel von Heinegg et al. (2018), pp. 6–7. 15  Today, this rule is codified by Article 51(2) AP I, and it is a parcel of the principle of distinction. 16  Liivoja (2015), p. 1168. 17  See infra Sect. 4. 18  See, e.g., Canons of the Second Lateran Council of 1139 (during the Pontificate of Innocent III), which decreed that “[w]e prohibit under anathema that murderous art of crossbowmen and archers, which is hateful to God, to be employed against Christians and Catholics from now on” (available at www.papalencyclicals.net/councils/ecum10.htm). 19  Ohlin (2017), p. 15. 11

Training and Education of Armed Forces in the Age of High-Tech Hostilities

77

it is the same rationale at the basis of the development of ranged weapons as technologically more sophisticated devices than close combat weapons.20 Accordingly, existing international humanitarian law may apply in these circumstances, with slight practical adaptations. However, some others rules applicable in times of armed conflict are “technology-specific”, in the sense that they address particular types of technology (e.g., the Convention on Cluster Munitions)21 and, accordingly, new rules of the law of armed conflict may be necessary.22 With this context in mind, this Chapter focuses on one of the less explored topics pertaining to the application of international humanitarian law to high-tech hostilities: the military training and the international humanitarian law education and training of the personnel of the armed forces that are tasked with the employment of high-tech means and methods of warfare. The crux is whether international humanitarian law regulates both these kinds of training and which legal challenges high-­ tech hostilities pose with regard to such activities, if any, in comparison with more traditional means and methods of warfare.

3  T  he Relevance of Military Training for the Respect of International Humanitarian Law The military training of armed forces is comprised of different components, which aim to provide each soldier with a pool of theoretical and practical knowledge and skills that may vary depending on the rank and function of each soldier. Since the dawn of humanity, warriors’ training has played a pivotal role in the determination of the outcome of an armed conflict: more experienced warriors may be able to prevail even over an enemy numerically superior but less skilled.23 In particular, when armies became comprised of professional soldiers, military training became the most important peacetime activity of the members of the army.24 Obviously, military training evolved along with the evolution of the means and methods of warfare: although every soldier needs some basic skills irrespective of the means and methods of warfare employed, as in the case of hand-to-hand combat techniques and problem-solving skills, technology has altered the training of the armed forces. Just to mention an extremely clear-cut example, the common use of airplanes nowadays requires the training of pilots, whereas the capacity to ride horses is increasingly marginal, being cavalries largely obsolete in contemporary warfare.  For more on this, see Ohlin (2017).  See Liivoja (2015), p. 1167. On the notions of “technology-specific” law, “technology-neutral” law, and “technology-indifferent” law, see Koops (2006). 22  Nasu and McLaughlin (2014), p. 5. 23  The battle of Alesia (52 BC), which was fought between Roman legions led by Julius Ceaser and a confederation of Gallic tribes, is a famous example. The Romans, albeit outnumbered by the enemy, won thanks to their better training and the genius of their commander. 24  In Europe, this shift was marked by the reforms of the Roman consul, Gaius Marius (107 BC). 20 21

78

M. Longobardo

The interplay between training and technology presents different aspects. On the one hand, technology offers new educational and training methods that are currently employed in a military context. For instance, computer assisted instructions and simulations are today increasingly employed to develop military skills and to test military training in specific technologically-reproduced environments.25 There is evidence that learning through simulation allows soldiers to better develop military skills and to experience, in advance, very complex scenarios that could arise during military operations.26 The use of simulations is so commonplace in the army that, even in the 1985, a famous novelist warned about the confusion that this may create between actual loss of lives in the hostilities and video game settings.27 On the other hand, new technology influenced military training in the sense that the ability to employ high-tech means and methods of warfare has led to the ultra-specialisation of soldiers, which are today trained to perform specific high-tech tasks following very different individual training. Accordingly, as noted by a prominent observer, today it is difficult to identify an “average soldier”28 among different very highly specialised units. It should be noted that no international humanitarian law rule prescribes States to deploy only well-trained soldiers, and that providing military training has thus been considered an activity covered by State domestic jurisdiction;29 indeed, belligerents are assumed to have a strong interest in ample military training to increase their likelihood of military success. However, the disinterest of international humanitarian law for military training may have unintended negative consequences: for instance, a lack of adequate training may result in some harm indirectly brought to legal interests protected by international humanitarian law rules, in particular when high-tech means and methods of warfare are involved. In a number of cases, soldiers with inadequate military training regarding a specific high-tech means and methods of warfare could, inadvertently, produce effects that are contrary to international humanitarian law. Let’s imagine, as an example, the case of a cyber attack launched with the aim of disrupting the computer network system governing a military base from which bombers depart. Such an attack would be legal under international humanitarian law because it is launched against a military objective.30 However, quid juris if the same cyber attack is launched by insufficiently trained operators and, as a consequence, the civilian air control system is disrupted, resulting in civilian casualties and destruction of civilian objects? Is the State that provided inadequate military t­ raining  See State of Israel, The Operation in Gaza (27 December 2008 – 18 January 2009): Factual and Legal Aspects (July 2009), para. 2012; State of Israel, The 2014 Gaza Conflict (7 June – 24 August 2014): Factual and Legal Aspects (May 2015), para. 237; Macedonia (2002) and Fletcher (2009). 26  Ibid. 27  The reference is to the novel Ender’s Game, the sci-fi masterpiece by Scott Card (1985). 28  Garraway (2002), p. 950. 29  The different issue of whether international law permits individuals not to take part into military training due to their freedom of conscience is, clearly, outside the scope of this Chapter. 30  See Schmitt (2017), p. 434. 25

Training and Education of Armed Forces in the Age of High-Tech Hostilities

79

then liable under international law in light of the technological specificities of a certain means or method of warfare? A real case very similar to this fictitious example has been addressed by a decision of the Eritrea-Ethiopia Claims Commission on the responsibility of Eritrea for an aerial attack that targeted the Ethiopian civilian neighbourhood of Mekele. Although the Eritrea-Ethiopia Claims Commission acknowledged that a civilian neighbourhood was attacked, the Commission was “not convinced that Eritrea deliberately targeted a civilian neighbo[u]rhood”, because “Eritrea had obvious and compelling reasons to concentrate its limited air assets on Ethiopia’s air fighting capability” and “it is not credible that Eritrea would see advantage in setting the precedent of targeting civilians, given Ethiopia’s apparent air superiority”.31 However, the Commission took into account the fact that the aircraft were armed with high-tech weapons and the inadequate training of the pilots. Indeed, the Commission, after having noted that the relevant aircraft had “computerized aiming systems”,32 affirmed that: The Commission must also take into account the evidence that Eritrea had little experience with these weapons and that the individual programmers and pilots were utterly inexperienced, and it recognizes the possibility that both computers could have been loaded with the same inaccurate targeting data. It also recognizes that the pilots could reprogram or could drop their bombs without reliance on the computer. For example, it is conceivable that the pilot of the third sortie simply released too early through either computer or human error or in an effort to avoid anti-aircraft fire that the pilots of the previous sorties had reported. It is also conceivable that the pilot of the fourth sortie might have decided to aim at the smoke resulting from the third sortie. The governing legal standard for this claim is best set forth in Article 57 of Protocol I.33

Despite the scant attention this dictum received in international scholarship,34 this passage has a central role for the debate regarding the relevance of military training under international humanitarian law. Indeed, the Eritrea-Ethiopia Claims Commission considered that the inadequate military training of the pilots was likely behind the errors in the employment of those high-tech weapons; in the Commission’s opinion, this circumstance changed the applicable legal framework from a violation of the principle of distinction to a violation of the principle of precaution. Because this is the leading case in which military training in relation to high-tech means and methods of warfare is taken into account in the ascertainment of State responsibility, the soundness of this conclusion deserves particular scrutiny. The Eritrea-Ethiopia Claims Commission considered that Article 57 of the 1977 Additional Protocol I (AP I), which is labelled “precautions in attack”,35 governs the provision of inadequate military training. According to Article 57(2)(a)(ii) AP I:  See EECC, Partial Award: Central Front – Ethiopia’s Claim 2, 28 April 2004, para. 108.  Ibid, para. 103. 33  Ibid, paras. 109–110 (emphases added). 34  For two notable exceptions, see Vierucci (2006), pp. 719–723; Roscini (2014), p. 235. 35  On the principle of precaution under international humanitarian law, see, generally, Quéguiner (2008), Corn (2015) and Sassòli and Quintin (2014). 31 32

80

M. Longobardo those who plan or decide upon an attack shall: […] take all feasible precautions in the choice of means and methods of attack with a view to avoiding, and in any event to minimizing, incidental loss of civilian life, injury to civilians and damage to civilian objects.36

In the Commission’s view, a military training that is adequate to the technological devices employed in warfare is one of the feasible precautions that must be taken by attackers in advance of launching an attack. Following the Commission’s reasoning, one has to conclude that, especially when dealing with high-tech means of warfare, the personnel of the armed force must be trained in the employment of those specific high-tech means of warfare.37 In other words, operators of cyber attacks, pilots of drones and programmers of autonomous weapons systems must be experts in the employment of such technologies in order to reduce errors that could result in civilian casualties and damages to civilian objectives. This conclusion strengthens the idea that the principle of precaution, albeit strictly related to the principles of distinction and proportionality, is an autonomous source of obligations under international humanitarian law. In particular, it has the peculiar capacity to allow a scrutiny of the preparatory conduct that anticipates actual hostilities, even though such conduct has been traditionally considered outside the scrutiny of international law.38 With specific reference to the topic of this Chapter, the EritreaEthiopia Claims Commission’s decision strongly supports the idea that an adequate military training is required by international humanitarian law when high-tech hostilities are conducted. In this context, it should be noted that Article 57(2)(a)(ii) AP I prescribes the undertaking of only those precautions that are “feasible”, that is “those precautions which are practicable or practically possible taking into account all circumstances ruling at the time, including humanitarian and military considerations”.39 Accordingly, such an obligation is an obligation of conduct which requires States to “deploy adequate means, to do the utmost, to obtain [the] result” prescribed by this provision.40 However, States may not be held responsible if, notwithstanding their

 Emphases added.  See Scovazzi (2005), p. 715, footnote No. 32; Vierucci (2006), pp. 720–721. 38  On the autonomous character of the obligations arising from the principle of precaution, see Kolb (2014), p. 168; Longobardo (2017). 39  See Article 3(4) of Protocol II annexed to the 1980 Convention on Prohibitions or Restrictions on the Use of Certain Conventional Weapons Which May Be Deemed to Be Excessively Injurious or to Have Indiscriminate Effects. 40  Responsibilities and Obligations of States Sponsoring Persons and Entities with Respect to Activities in the Area, Advisory Opinion, 1 February 2011, ITLOS Reports 2011, p. 10, para. 110. The distinction between obligations of means or conduct and obligations of result has been introduced in the debate regarding the law of international responsibility by the special rapporteur Roberto Ago (draft Articles 20 and 21 in Report of the International Law Commission on its 29th Session (1977), p.  11). Even if Ago’s proposal was not included in the DARS, the distinction between obligations of means or conduct and obligations of result has attracted the attention of many scholars (see Combacau (1981), Conforti (1989), Dupuy (1999), Marchesi (2003), Economides (2010) and Wolfrum (2010)). 36 37

Training and Education of Armed Forces in the Age of High-Tech Hostilities

81

diligent conduct, the result is not obtained.41 Accordingly, States’ conduct must be assessed in light of the “due diligence” required by the specific duty, rather than in light of the attainment of a certain result.42 The nature of obligations of conduct of Article 57(2)(a)(ii) AP I places upon the attacking State the burden to prove that it has acted in a diligent manner, that is, with regard to the topic of this Chapter, to demonstrate that the State has trained its armed forces in a diligent way. With reference to the principle of precaution, the Eritrea-Ethiopia Claims Commission’s conclusion is correct and constitutes an authoritative precedent piercing the veil of the idea that military training is not regulated by international humanitarian law. In the future, other international courts and tribunals may follow in the Commission’s decision in their case law. Accordingly, even if international humanitarian law does not prescribe directly adequate military training for armed forces personnel, nonetheless that military training may be evaluated in the assessment of the State’s compliance with the principle of precaution in the attack. Finally, it is worth pointing out that the deliberate employment of insufficiently trained units may also amount to a violation of the ban on indiscriminate attacks under Article 51(5)(b) AP I. Attacks launched by soldiers not sufficiently trained in the employment of a certain high-tech means or methods of warfare may result in attacks “which may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated”.43 Unfortunately, the Eritrea-Ethiopia Claims Commission failed to explore the legality of the Mekele bombing under this rule.44 However, if the employment of inadequately trained personnel is not deliberate, the conduct is not a violation of Article 51 AP I, which requires the intention to target civilians “as such” (Article 51(2) AP I) or the expectation of an excessive harm to civilians (Article 51(5)(b) AP I).45

 See ICJ, Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro), Judgment, 26 February 2007, ICJ Reports 2007, p. 43, para. 430. 42  On due diligence, see Pisillo Mazzeschi (1989), Pisillo Mazzeschi (1992), Lozano Contreras (2006), Koivurova (2013) and Kulesza (2016). For more on the principle of due diligence in international humanitarian law, see Longobardo (forthcoming). 43  Emphasis added. 44  See the critical remarks offered by Vierucci (2006), p. 722. 45  See Dinstein (2016), pp. 144–145. 41

82

M. Longobardo

4  T  he Duty to Provide Adequate International Humanitarian Law Education and Training and High-­Tech Hostilities States’ duty to educate and train their armed forces with respect to international humanitarian law is uncontested.46 There is room to wonder whether the application of this duty to high-tech hostilities raises any peculiar legal issues. Since the Oxford Manual—one of the earliest, albeit non-binding, codifications of jus in bello—States have believed that one of the most effective ways to implement international humanitarian law is to disseminate it among soldiers and civilians.47 The idea behind this position is that there is a clear link between knowledge of international humanitarian law and international humanitarian law implementation, especially in consideration of the fact that the institutional mechanisms of international humanitarian law implementation have not worked effectively.48 Accordingly, education and training in international humanitarian law constitutes one of the most important preventive measures to be taken in peacetime in order to implement international humanitarian law.49 However, there is no single duty to disseminate international humanitarian law, but rather, the different provisions focus on a wide range of different activities. First, States must issue “instructions” regarding compliance with international humanitarian law, including different binding and non-binding official documents such as military manuals, directives, policies, codes of conduct and so on.50 For instance, Article IV of the 1907 Hague Convention posits that “[t]he Contracting Powers shall issue instructions to their armed land forces which shall be in conformity with the Regulations respecting the laws and customs of war on land, annexed to the present Convention”,51 while according to Article 87(2) of the AP I, “High Contracting Parties and Parties to the conflict shall require that, commensurate with their level of responsibility, commanders ensure that members of the armed forces under their command are aware of their obligations under the Conventions and this

 On this duty, see, generally, Hampson (1989), Garraway (2002), Stubbins Bates (2014) and Mikos-Skuza (2015). 47  According to the Preamble of the Oxford Manual, “It is not sufficient for sovereigns to promulgate new laws. It is essential, too, that they make these laws known among all people, so that when a war is declared, the men called upon to take up arms to defend the causes of the belligerent States, may be thoroughly impregnated with the special rights and duties attached to the execution of such a command”. 48  On the link between knowledge of international humanitarian law and respect for international humanitarian law, see German Federal Ministry of Defence, Law of Armed Conflict: Manual (2013), Sect. 1504; Surbeck (1984), pp. 540–543; Stubbins Bates (2014). On the mechanisms of implementation of international humanitarian law, see, generally, Benvenuti and Bartolini (2012). 49  See Sassòli (2007), p. 46. 50  Spoeri (2013), p. 115. 51  Emphasis added. See, also, Article 83 AP I. 46

Training and Education of Armed Forces in the Age of High-Tech Hostilities

83

Protocol”.52 The term “instructions” pertains to the normative function of States with regard to the organisation of the military, which must be made aware of international humanitarian law rules and principles and of the way they must be implemented during military operations; it also refers to the vertical relationship between commanders and the armed forces under their command. Such a duty is considered to be customary in nature.53 Second, States must include international humanitarian law in the “programmes of military instruction”. For instance, according to Article 47 of the 1949 I Geneva Convention, States undertake, in time of peace as in time of war, to disseminate the text of the present Convention as widely as possible in their respective countries, and, in particular, to include the study thereof in their programmes of military and, if possible, civil instruction.54

Article 30 of the 1999 Second Protocol to the Hague Convention of 1954 for the Protection of Cultural Property in the Event of Armed Conflict specifies that: the Parties shall, as appropriate: (a) incorporate guidelines and instructions on the protection of cultural property in their military regulations; (b) develop and implement, in cooperation with UNESCO and relevant governmental and non-governmental organizations, peacetime training and educational programmes.55

Accordingly, there is a duty to provide adequate education to the personnel of armed force regarding international humanitarian law rules and principles, both at theoretical and operational levels, in order to provide an effective training.56 This duty does not require the adoption of official documents that summarise international humanitarian law rules; it rather demands the inclusion of international humanitarian law courses in the educational programmes of the armed forces. The International Committee of the Red Cross and the national federations help States in providing international humanitarian law education to their armed forces, in compliance with the Committee’s mandate.57 Finally, international humanitarian law must be integrated in the aforementioned military training, in order to foster a proper ethos of conducting hostilities while

 Emphases added.  Henckaerts and Doswald-Beck (2005), rule 142: “States and parties to the conflict must provide instruction in international humanitarian law to their armed forces”. 54  Emphases added. See also Article 48 of the 1949 II Geneva Convention; Article 127 of the 1949 III Geneva Convention; Article 144 of the 1949 II Geneva Convention; Article 25 of the 1954 Hague Convention for the Protection of Cultural Property in the Event of Armed Conflict; Article 6 of the 1980 Convention on Prohibitions or Restrictions on the Use of Certain Conventional Weapons. 55  Emphases added. 56  Verri (1984), p. 615; Spoeri (2013), pp. 118–119; Mikos-Skuza (2015), pp. 607–608. 57  See Article 4(1)(g), Statutes of the International Committee of the Red Cross (adopted on 21 December 2017 and came into force on 1 January 2018): “The role of the ICRC shall be in particular: […] to work for the understanding and dissemination of knowledge of international humanitarian law applicable in armed conflicts and to prepare any development thereof”. 52 53

84

M. Longobardo

respecting international humanitarian law.58 For instance, Article 6(1) AP I requires High Contracting Parties to “train qualified personnel to facilitate the application of the Conventions and of this Protocol”,59 while Article 4(3) of the 1996 Protocol on Prohibitions or Restrictions on the Use of Mines, Booby-Traps and Other Devices prescribes that “armed forces personnel receive training commensurate with their duties and responsibilities to comply with the provisions of this Protocol”.60 In this context, the need to take into account international humanitarian law is envisaged as one of the conditions under which military operations may be conducted. In this respect, many States have adopted technological means and methods of training, including tactical software and computer simulations, which provide military training and international humanitarian law training simultaneously.61 The fact that international humanitarian law education and training is prescribed as an international obligation is indisputable, as results from the wording of the relevant provisions.62 However, many authors have criticised the way in which this duty is embodied in the relevant conventions. One author, with reference to the oldest conventions, laments that such an obligation “is simply stated and discretionary”,63 while other commentators note that the obligation under Article 6(1) AP I “is weak [since] the High Contracting Parties are not obliged but only ‘shall endeavour’ to train qualified personnel”.64 Although it is undisputed that States enjoy a large discretion with respect to the means in which they may provide international humanitarian law education and training,65 this discretion does not mean that there is no such a duty under international law. On the contrary, a duty to provide international humanitarian law education and training does exist, but it is a duty of conduct, which means, as mentioned afore, that this duty does not require every soldier to study, learn and inwardly digest the entire international humanitarian law, but rather, soldiers should be made aware of international humanitarian law rules of direct relevance to their tasks.66 If the training and education does not prove effective, States may not be considered liable if they manage to demonstrate that they have diligently provided adequate forms of international humanitarian law education and

 See Spoeri (2013), pp. 119–120.  Emphasis added. 60  Emphasis added. 61  See Spoeri (2013), pp. 119–120; Müller (2016), para. 2776. According to Fletcher (2009), p. 72, “[b]oth education and training are needed: training to provide the knowledge and skills needed to perform military tasks and jobs, and education to help military personnel at all levels decide when and how to apply the knowledge and skills that they acquire through training”. 62  Müller (2016), para. 2759. 63  Stubbins Bates (2014), p. 796. 64  Bothe et al. (1982), p. 83. 65  See Australian Defence Forces, Law of Armed Conflict (2006), section 13.9: “The manner of dissemination is left to the states themselves and may be by means of orders, courses of instruction, commentaries or manuals”. See, also, Junod (1984), p. 360. 66  Garraway (2002), p. 950. 58 59

Training and Education of Armed Forces in the Age of High-Tech Hostilities

85

training.67 As any teacher knows, students sometimes simply fail to learn something irrespective of the education and training received. International case law demonstrates that the duty to provide international humanitarian law education and training is relevant as a legal obligation. For instance, in a number of international criminal law decisions, the existence of such a training has been evaluated in order to assess commanders’ international criminal responsibility.68 More directly linked to State responsibility is the Eritrea-Ethiopia Claims Commission’s case law, which evaluated the responsibility of Eritrea and Ethiopia with regard to the duty to provide an adequate and effective international humanitarian law education and training.69 Finally, the International Court of Justice, in the Nicaragua v. USA case, affirmed that the dissemination of a military manual that embodied instructions contrary to international humanitarian law is a source of international responsibility,70 even if the Court failed to examine this conduct in light of the duty to provide adequate international humanitarian law education and training. However, in order to understand how such holdings are applicable to high-tech hostilities, it is necessary to explore who are the recipients of this international humanitarian law education and training, and then to verify whether high-tech hostilities require particular international humanitarian law education and training. With regard to the recipients of international humanitarian law education and training, humans directly control most high-tech means and methods of warfare, as in the case of drones, which are remotely piloted. In these cases, the operators of the high-tech weapons are the main recipients of international humanitarian law education and training, along with those involved in the creation of the weapon, if they are members of the armed forces. For instance, with regard to cyber attacks, not only the operators responsible for the launching of the attack and the persons deciding to launch it must be aware that civilian objectives may not be targeted; also those who programmed the relevant software needed to understand international humanitarian law, in order to create devices that may respect the principle of distinction. The issue is more irksome with autonomous weapons, because they are intended to conduct hostilities without the intervention of human operators: the latter are by definition the recipients of international humanitarian law education and training.71 If a ­general  See Mikos-Skuza (2015), pp. 612–613.  See, e.g., ICTY, The Prosecutor v. Aleksovski, Case No. IT-95-14/1-A, Judgment, 24 March 2000, para. 114; ICTY, The Prosecutor v. Hadžihasanović & Kubura, Case No. IT-01-47-T, Judgement, 15 March 2006, paras. 856; ICC, The Prosecutor v. Jean-Pierre Bemba Gombo, Case No. ICC-01/05-01/08-3343, Judgment pursuant to Article 74 of the Statute, 21 March 2016, paras. 735–741. For more on this, see Blank (2017). 69  EECC, Eritrea’s Claim 17, Partial Award, 1 July 2003, para. 60; EECC, Ethiopia’s Claim 4, Partial Award, 1 July 2003, para. 67. 70  See Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. USA), Judgment, 27 June 1986, ICJ Reports 1986, p. 14, paras. 118–122 and 255–256. 71  Interestingly, the US Department of Defence, Law of War Manual (June 2015, update December 2016), Sect. 6.5.9.3 affirms that international humanitarian law rules “impose obligations on persons [rather than] on the weapons themselves; of course, an inanimate object could not assume an 67 68

86

M. Longobardo

consensus will solidify around the idea, supported by a number of States, that only autonomous weapons with a certain degree of human control are lawful,72 then all the individuals involved from the very project of the autonomous weapon to the activation and subsequent controls thereof must receive adequate international humanitarian law education and training. A related issue is whether States are under an obligation to issue specific instructions and to disseminate international humanitarian law in a specific way regarding high-tech hostilities. On the one hand, one could argue that generic international humanitarian law education and training is sufficient at least with regard to technology-­indifferent international humanitarian law rules: if a soldier is taught that civilians must not be attacked, that could be considered sufficient, leaving to that soldier the duty to apply that rule whether they is employing a knife or a drone. On the other hand, however, one could argue that, since international humanitarian law education and training must be effective,73 then a more specific approach would be required, because it is more likely to be effective. Both approaches are followed in State practice: based on my personal experience with the personnel of the Italian armed forces, the teaching of international humanitarian law may include or not modules specifically devoted to the use of high-tech means and methods of warfare. Most recent State practice suggests that there is a significant trend in favour of specific international humanitarian law education and training regarding high-tech hostilities. With regard to instructions, many military manuals clarify how international humanitarian law applies to high-tech hostilities. For instance, the US Military Manual explores the relationship between international humanitarian law and high-­ tech means and methods of warfare regarding autonomous weapon systems,74 cyber operations,75 and unmanned aerial systems.76 Likewise, the German Military Manual touches upon cyber operations77 and unmanned aerial systems.78 Similarly, the UK

‘obligation’ in any event. […] The law of war does not require weapons to make legal determinations, even if the weapon (e.g., through computers, software, and sensors) may be characterized as capable of making factual determinations, such as whether to fire the weapon or to select and engage a target. […] Rather, it is persons who must comply with the law of war”. 72  See Report of the 2017 Group of Governmental Experts on Lethal Autonomous Weapons Systems, 20 November 2017, https://www.unog.ch/80256EDD006B8954/(httpAssets)/B5B99A4 D 2 F 8 B A D F 4 C 1 2 5 8 1 D F 0 0 4 8 E 7 D 0 / $ f i l e / 2 0 1 7 _ C C W _ G G E . 1 _ 2 0 1 7 _ C R P. 1 _ Advanced_+corrected.pdf, paras. 15–17. On the issue of sufficient human control, see Chengeta (2017). 73  Garraway (2002), p. 952. 74  US Department of Defence, Law of War Manual (June 2015, update December 2016), section 659. 75  Ibid., Sect. 16. 76  Ibid., Sect. 6.5.8. 77  German Federal Ministry of Defence, Law of Armed Conflict: Manual (2013), Sect. 486. 78  Ibid., Sects. 110–111.

Training and Education of Armed Forces in the Age of High-Tech Hostilities

87

Air and Space Doctrine takes into account cyber operations79 and unmanned aerial systems.80 Despite the increasing presence in State military manuals of provisions regarding high-tech hostilities, this practice is not as uniform as to argue that States have the duty to provide international humanitarian law education and training with specific regard to high-tech means and methods of warfare since instructions and education pertaining to the respect of international humanitarian law in every circumstance may be sufficient for the training of non-specialised units. Indeed, international humanitarian law conventions do not expressly suggest that education and training should be provided in a certain, specific way with reference to new means and methods of warfare. Similarly, even authoritative private codifications such as the Tallinn Manual 2.0—which is, inherently, a useful tool of dissemination regarding the application of international humanitarian law to cyber operations—do not address dissemination and training specifically in high-tech contexts.81 Clearly, the crux is evaluating the effectiveness of the education and training on a case-by-case basis. One could argue that the effectiveness of international humanitarian law education and training may not be assessed easily ex ante and in abstracto, but rather, only ex post facto.82 Such a solution, which is in line with the aforementioned case law regarding the role of education and training in relation to the punishment of international crimes, risks shifting the focus from the conduct of education and training to the actual learning and fostering of an international humanitarian law ethos in the armed forces. Such a conclusion, if brought to the extreme, would imply the absurd conclusion that every international humanitarian law violation is evidence of the circumstance that soldiers were provided with inadequate education and training in that respect. Arguably, it is not possible to affirm that the lack of specific international humanitarian law education and training pertaining to high-tech means and methods of warfare is a violation of international humanitarian law in every case. Indeed, it is well accepted that soldiers with different tasks and ranks may receive a different international humanitarian law education and training.83 However, since State responsibility focuses on diligent conduct, a State providing specific training regarding the employment of high-tech means and methods of warfare in a way consistent with international humanitarian law would be more easily able to prove, in cases of allegations, that it has implemented its obligations diligently. Clearly, a State would be liable if it does not provide any education and training to the individuals involved in the hostilities, for instance because the State believes that international humanitarian law does not apply to a specific high-tech means or method of warfare, or if the State instructs and teaches its soldiers that international humanitarian law does not apply. In these cases, the situation is similar to that addressed by the International  UK Ministry of Defence, UK Air and Space Doctrine (2nd edn, 2017), Sects. 2.20 and 4.15.  Ibid., Sects. 2.3, 2.21 and 3.10. 81  See Schmitt (2017). 82  Garraway (2002), p. 952. 83  Pictet (1951), p. 348. 79 80

88

M. Longobardo

Court of Justice in the aforementioned Nicaragua v. USA case, where a deliberately incorrect international humanitarian law education and training was considered a wrongful act.

5  Conclusions The analysis of State duties regarding military training and international humanitarian law training when high-tech hostilities are involved offers the opportunity to return on the more general relationship between technology and the law of armed conflict. With regard to military training, it is undeniable that this activity falls into the discretion of States and that it pursues mainly the interests of the individual State concerned that needs well-trained soldiers in order to gain the desired military advantage. However, such training must be adequate in light of new high-tech means and methods of warfare. Since technological development has dramatically enhanced the harmful potential of means and methods of warfare, States willing to resort to these instruments must ensure that their choice does not affect in an adverse way relevant interests of other States which are protected by international humanitarian law. Accordingly, military training may be evaluated in the context of the assessment of State responsibility, as demonstrated by the Eritrea-Ethiopia Claims Commission’s decision regarding the relevance of inadequate military training specifically pertaining to the conduct of high-tech hostilities in the context of the principle of precaution. With regard to the duty to provide adequate international humanitarian law education and training, it is worth pointing out that a significant trend regarding the supply of specific instructions and education pertaining to high-tech means and methods of warfare does exist. However, the broad discretion granted to States by the relevant international humanitarian law provisions does not permit a conclusion that the lack of a specific international humanitarian law education and training focusing on high-tech means and methods of warfare is per se a wrongful act. However, such a specific education and training may facilitate States to demonstrate that they have diligently implemented their duty to issue instructions and disseminate international humanitarian law. Although military training and international humanitarian law education and training are closely linked to the employment of high-tech means and methods of warfare, the relevant international humanitarian law rules apply in the same way to the context of both traditional and high-tech hostilities. Rules such as the principle of precaution and the duty to provide adequate international humanitarian law education and training are indeed technology-indifferent,84 because they apply irrespective of the technology employed in an armed conflict. Accordingly, States must

84

 See supra Sect. 2.

Training and Education of Armed Forces in the Age of High-Tech Hostilities

89

diligently take into account the peculiarities of high-tech means and methods of warfare in order to apply their existing legal obligations. Acknowledgments  I wish to acknowledge the useful feedbacks this paper has received from the participants to the workshop New Technologies as Shields and Swords: Challenges for International, European Union and Domestic Law, University of Parma, 19–20 June 2017, convened by the Centre for Studies in European and International Law (CSEIA). I have full responsibility for all errors and omissions. Internet references were last accessed on 15 January 2018 when the paper was completed. The text of all the mentioned treaties may be accessed at https://ihl-databases.icrc. org/ihl.

References Barela, Steven J., ed. 2015. Legitimacy and Drones: Investigating the Legality, Morality and Efficacy of UCAVs. Abingdon: Routledge. Benvenuti, Paolo, and Giulio Bartolini. 2012. Is There a Need for New International Humanitarian Law Implementation Mechanisms? In Research Handbook on Human Rights and Humanitarian Law, ed. Robert Kolb and Gloria Gaggioli, 590–627. Cheltenham/Northampton: Edward Elgar. Bhuta, Nehal, Susanne Beck, Robin Geiß, Hin-Yan Liu, and Claus Kress, eds. 2016. Autonomous Weapons Systems: Law, Ethics, Policy. Cambridge: Cambridge University Press. Blank, Laurie R. 2017. Examining the Role of Law of War Training in International Criminal Accountability. Utah Law Review: 747–769. Bothe, Michael, Karl Josef Partsch, and Waldemar A. Solf. 1982. New Rules for Victims of Armed Conflicts. Leiden: Martinus Nijhoff. Cassese, Antonio. 1979. The New Humanitarian Law of Armed Conflict. Napoli: Editoriale Scientifica. Chengeta, Thompson. 2017. Defining the Emerging Notion of ‘Meaningful Human Control’ in Autonomous Weapon Systems (AWS). New York University Journal of International Law & Policy 49: 833–890. Combacau, Jean. 1981. Obligations de résultat et obligations de comportement: quelques questions et pas de réponse. In Mélanges offerts á Paul Reuter, 181–204. Paris: Pedone. Conforti, Benedetto. 1989. Obblighi di mezzi e obblighi di risultato nelle convenzioni di diritto uniforme. In Studi in memoria di Mario Giuliano, 373–380. Padova: Cedam. Corn, Geoffrey. 2015. War, Law, and the Often Overlooked Value of Process as a Precautionary Measure. Pepperdine Law Review 42: 419–466. Dinstein, Yoram. 2016. The Conduct of Hostilities Under the Law of International Armed Conflict. 3rd ed. Cambridge: Cambridge University Press. Doswald-Beck, Louise. 2002. Some Thoughts on Computer Network Attack and the International Law of Armed Conflict. International Law Studies 76: 163–185. Dupuy, Pierre-Marie. 1999. Reviewing the Difficulties of Codification: On Ago’s Classification of Obligations of Means and Obligations of Result in Relation to State Responsibility. European Journal of International Law 10: 371–385. Economides, Constantin. 2010. Content of the Obligation: Obligations of Means and Obligations of Result. In The Law of International Responsibility, ed. James Crawford, Alain Pellet, and Simon Olleson, 371–381. Oxford: Oxford University Press. Fletcher, J.D. 2009. Education and Training Technology in the Military. Science 323: 72–75. Garraway, Charles. 2002. Training: The Whys and Wherefores. Social Research 69: 949–962. Hampson, Françoise. 1989. Fighting by the Rules: Instructing the Armed Forces in Humanitarian Law. International Review of the Red Cross 29: 111–124.

90

M. Longobardo

Harris, Shane. 2016. Autonomous Weapons and International Humanitarian Law or Killer Robots Are Here. Get Used to It. Temple International & Comparative Law Journal 30: 77–83. Harrison Dinniss, H. 2012. Cyber Warfare and the Laws of War. Cambridge: Cambridge University Press. Heintschel von Heinegg, Wolff, Robert Frau, and Tassilo Singer. 2018. Introduction. In Dehumanization of Warfare: Legal Implications of New Weapon Technologies, ed. Wolff Heintschel von Heinegg, Robert Frau, and Tassilo Singer, 1–11. The Hague: Springer. Henckaerts, Jean-Marie, and Louise Doswald-Beck, eds. 2005. Customary International Humanitarian Law. Cambridge: Cambridge University Press. Junod, Sylvie-Stoyanka. 1984. La diffusion du droit international humanitaire. In Études et essais sur le droit international humanitaire et sur les principes de la Croix-Rouge en l’honneur de Jean Pictet, ed. Christophe Swinarski, 359–368. Geneva: International Committee of the Red Cross. Koivurova, Timo. 2013. Due Diligence. In: Wolfrum, Rüdiger (ed.) Max Planck Encyclopedia of Public International Law. http://opil.ouplaw.com. Kolb, Robert. 2013. Human Rights and Humanitarian Law. In: Wolfrum, Rüdiger (ed.) Max Planck Encyclopedia of Public International Law. http://opil.ouplaw.com. ———. 2014. Advanced Introduction to International Humanitarian Law. Cheltenham/ Northampton: Edward Elgar. Koops, Bert-Jaaps. 2006. Should ICT Regulation be Technology-Neutral? In Starting Points for ICT Regulation: Deconstructing Prevalent Policy One-Liners, ed. Bert-Jaaps Koops, Miriam Lips, Corien Prins, and Maurice Schellekens, 77–108. The Hague: Asser. Kulesza, Joanna. 2016. Due Diligence in International Law. Leiden: Brill. Liivoja, Rain. 2015. Technological Change and the Evolution of the Law of War. International Review of the Red Cross 97: 1157–1177. Longobardo, Marco. 2017. L’obbligo per gli Stati di assumere tutte le informazioni necessarie prima di un attacco ai sensi del diritto internazionale umanitario fra nuove e vecchie forme di intelligence. In La responsabilità degli Stati e delle organizzazioni internazionali: nuove fattispecie e problemi di attribuzione e di accertamento, ed. Andrea Spagnolo and Stefano Saluzzo, 37–60. Milano: Ledizioni. ———. forthcoming. Due Diligence and International Humanitarian Law. In Due Diligence in International Law, ed. Anne Peters and Heike Krieger. Oxford: Oxford University Press. Lozano Contreras, José Fernando. 2006. La noción de debida diligencia en derecho internacional public. Alicante: Atelier. Lucas, Rachel. 2016. Les drones armés au regard du droit international. Paris: Pedone. Macedonia, Mihael. 2002. Games, Simulations, and the Military Education Dilemma. In Forum for the Future of Higher Education, 157–167. Forterra System. Marchesi, Antonio. 2003. Obblighi di condotta e obblighi di risultato: contributo allo studio degli obblighi internazionali. Milano: Giuffrè. Meron, Theodor. 2000. The Humanization of Humanitarian Law. American Journal of International Law 94: 239–278. Mikos-Skuza, Elżbieta. 2015. Dissemination of the Conventions, Including in time of Armed Conflict. In The 1949 Geneva Conventions: A Commentary, ed. Andrew Clapham, Paola Gaeta, and Marco Sassòli, 597–614. Oxford: Oxford University Press. Müller, Ines. 2016. Article 47: Dissemination of the Convention. In Updated Commentary on the First Geneva Convention Online, ed. International Committee of the Red Cross. Geneva: International Committee of the Red Cross. Nasu, Hitoshi, and Robert McLaughlin. 2014. Introduction: Conundrum of New Technologies in the Law of Armed Conflict. In New Technologies and the Law of Armed Conflict, ed. Hitoshi Nasu and Robert McLaughlin, 1–17. The Hague: Springer. O’Connell, Mary Ellen. 2012. Unlawful Killing with Combat Drones: A Case Study of Pakistan, 2004–2009. In Shooting to Kill: Socio-Legal Perspectives on the Use of Lethal Force, ed. Simon Bronitt, Miriam Gani, and Saskia Hufnagel, 263–291. Oxford: Hart. Ohlin, Jens David. 2017. Remoteness and Reciprocal Risk. In Research Handbook on Remote Warfare, ed. Jens David Ohlin, 15–49. Cheltenham/Northampton: Edward Elgar.

Training and Education of Armed Forces in the Age of High-Tech Hostilities

91

Pictet, Jean, ed. 1951. Commentary to the I Geneva Convention Relative to the Protection of Civilians in Time of War. Geneva: International Committee of the Red Cross. Pisillo Mazzeschi, Riccardo. 1989. “Due Diligence” e responsabilità internazionale degli Stati. Milano: Giuffrè. ———. 1992. Due Diligence and International Responsibility of States. German Yearbook of International Law 35: 9–51. Quéguiner, Jean-François. 2008. Precautions under the Law Governing the Conduct of Hostilities. International Reviews of the Red Cross 88: 793–821. Roscini, Marco. 2014. Cyber Operations and the Use of Force in International Law. Oxford: Oxford University Press. Salvadego, Laura. 2016. Struttura e funzioni della necessità militare nel diritto internazionale. Torino: Giappichelli. Sandoz, Yves, Swinarski Christophe, and Bruno Zimmermann, eds. 1987. Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949. Leiden: Martinus Nijhoff. Sassòli, Marco. 2007. The Implementation of International Humanitarian Law: Current and Inherent Challenges. Yearbook of International Humanitarian Law 10: 45–73. ———. 2014. Autonomous Weapons and International Humanitarian Law: Advantages, Open Technical Questions and Legal Issues to Be Clarified. International Law Studies 90: 308–340. Sassòli, Marco, and Anna Quintin. 2014. Active and Passive Precautions in Air and Missile Warfare. Israel Yearbook on Human Rights 44: 69–123. Saxon, Dan. 2013. International Humanitarian Law and the Changing Technology of War. In International Humanitarian Law and the Changing Technology of War, ed. Dan Saxon, 1–16. Leiden: Brill. Schmitt, Michael N., ed. 2017. Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. Cambridge: Cambridge University Press. Scott Card, Orson. 1985. Ender’s Game. New York: Tor Books. Scovazzi, Tullio. 2005. Il terrorismo di Stato nell’opera di Giulio Douhet. Rivista di diritto internazionale 88: 703–720. Spoeri, Philip. 2013. From Dissemination Towards Integration: An ICRC Perspective. Military Law & Law of War Review 52: 113–122. Stubbins Bates, Elizabeth. 2014. Towards Effective Military Training in International Humanitarian Law. International Review of the Red Cross 96: 795–865. Surbeck, Jean-Jacques. 1984. La diffusion du droit international humanitaire, condition de son application. In Études et essais sur le droit international humanitaire et sur les principes de la Croix-Rouge en l’honneur de Jean Pictet, ed. Christophe Swinarski, 537–549. Geneva: International Committee of the Red Cross. Venturini, Gabriella. 1988. Necessità e proporzionalità nell’uso della forza militare in diritto internazionale. Milano: Giuffrè. Verri, Pietro. 1984. Institutions militaires: le problème de l'enseignement du droit des conflits armés et de l'adaption des règlements à ses prescriptions humanitaires. In Études et essais sur le droit international humanitaire et sur les principes de la Croix-Rouge en l’honneur de Jean Pictet, ed. Christophe Swinarski, 604–619. Geneva: International Committee of the Red Cross. Vierucci, Luisa. 2006. Sulla nozione di obiettivo militare nella guerra aerea: recenti sviluppi della giurisprudenza internazionale. Rivista di diritto internazionale 89: 693–735. Wagner, Markus. 2014. Unmanned Aerial Vehicles. In: Wolfrum, Rüdiger (ed.) Max Planck Encyclopedia of Public International Law, online edition. Wolfrum, Rüdiger. 2010. Obligation of Result Versus Obligation of Conduct: Some Thoughts About the Implementation of International Obligations. In Looking to the Future: Essays on International Law in Honor of W. Michael Reisman, ed. Mahnoush H. Arsanjani, Jacob Katz Cogan, Robert D. Sloane, and Siegfried Wiessner, 363–384. Leiden: Brill. Woltag, Johann-Christoph. 2014. Cyber Warfare: Military Cross-Border Computer Network Operations under International Law. Antwerp: Intersentia.

Drones at War: The Military Use of Unmanned Aerial Vehicles and International Law Claudia Candelmo

Abstract  The use of Unmanned Aerial Vehicles (UAVs) in the military field has become an issue of increasing concern in the international community. As practice grows (notably, due to the frequent use of such equipment in various countries, either involved or not in armed conflicts), so does case law on its contentious aspects. In this respect, the concept of “border” is of paramount importance, both in its physical meaning (territorial border of the State) and in its legal sense (delimitation of the area where sovereignty is exercised and other States’ intrusion is prevented). Against this background, the Chapter examines the responsibility of the State for cross-border activities, in connection with the use of remotely piloted drones in light of three bodies of international law: the law governing the use of force, in relation to the concept of territorial borders and sovereignty of States; international human rights law, as regards the extraterritorial application of human rights treaties; and international humanitarian law, with particular reference to the law of neutrality and the evolving concept of “battlefield” during an armed conflict.

1  Introduction In recent years, the use of Unmanned Aerial Vehicles (UAVs) by States has attracted growing interest in the international law doctrine,1 especially because drones can be used transnationally for both peaceful and military purposes. Whilst the first set of functions encompasses surveillance and agricultural activities, the second one

 Cf., ex multis, International Bar Association (2017); Alberstadt (2014), pp. 221–232; Bergen and Rothenberg (2014); Brooks (2013), pp. 83–104; Colacino (2015), pp. 607–629; Knuckey (2014), MacNab and Matthews (2010), pp.  661–694; O’Connell (2010), pp.  585–600; Qureshi (2017), pp. 91–106; Sharkey (2011), pp. 140–154; Valavanis and Vachtsevanos George (2015). 1

C. Candelmo (*) LUISS Guido Carli University, Rome, Italy e-mail: [email protected] © Springer Nature Switzerland AG 2019 E. Carpanelli, N. Lazzerini (eds.), Use and Misuse of New Technologies, https://doi.org/10.1007/978-3-030-05648-3_5

93

94

C. Candelmo

primarily includes targeted killings and deployment of bombs during armed conflicts.2 A UAV, commonly known as “drone”, is “an aircraft without a human operator on board”,3 which is remotely controlled either through the action of operators on the ground or through guidance of computer programs with various degrees of automation.4 Although there can be cases in which UAVs are largely commanded through a computer software, aircraft remotely piloted by human beings are currently the most predominant typology of UAVs used for military purposes. They can range widely from small objects employed for recognition to much bigger aircrafts, with various degrees of autonomy and automation. The common elements of these aircrafts are their capability to fly and the remote control by an operator on the ground5; in other words, they are not entirely autonomous and cannot be considered as working independently from the controlling entity: human supervision on the aircraft is always present, albeit remote. Although this technology has become particularly widespread in recent years, the use of remotely piloted drones by States is not recent. Examples date back to the Vietnam War, when the United States used to rely on them especially for observation and reconnaissance purposes,6 thanks to the possibility of equipping them with cameras. However, in most recent years, and particularly after the terrorist attacks that struck the United States on 9/11, UAVs have been progressively employed for military and attack purposes, especially in the framework of the so-called “global war on terror”. In particular, they have been increasingly used for targeted killings.7 It is now broadly accepted that drones are not illegal crafts as such under an international law perspective, since they do not have characteristics that necessarily violate international law rules.8 Nevertheless, violations may be committed if drones  Although the term “war” is still used at times, especially in the political discourse, the term “armed conflict” replaced it in most international law instruments, because it identifies more precisely a substantial situation as opposed to a formal one. In fact, while the term “war” is usually linked to the existence of a “state of war” declared or accepted between the parties, the term “armed conflict” simply describes the existence of hostilities between two or more States, regardless of the existence of a declaration of war. Cf., on this issue, Crawford (2015). 3  See Wagner (2014). 4  Ibid. 5  Sehrawat (2017), p. 171. 6  O’Connell (2010). 7  Targeted killings are intended as the use of lethal force with the intent to kill individually selected persons, who are not in the physical custody of those who target them. See, on the definition of “targeted killing”, Melzer (2008), p. 5. The United States have greatly relied on targeted killings in the framework of the war on terror and in the fight against the so-called Islamic State, through strikes carried out in many Middle Eastern and North African countries, such as Afghanistan, Pakistan, Somalia and Yemen, but also Libya and Syria. See, on this point, the figures recalled by the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, Ben Emmerson, in his 2017 Report, para. 29. Cf. also BrookmanByrne (2017), p. 4. 8  Heyns et al. (2016). 2

Drones at War: The Military Use of Unmanned Aerial Vehicles and International Law

95

are not used according to the existing limitations that international law prescribes for the employment of military crafts. Therefore, it must be assessed on a case-by-­ case basis whether their employment respects or not the various restrictions required by the jus ad bellum,9 by International Humanitarian Law (hereinafter, IHL) and by International Human Rights Law (hereinafter, IHRL).

2  Issues of Sovereignty and Consent Under jus ad bellum Consent is one of the circumstances precluding wrongfulness, as codified by the Draft Articles on the Responsibility of States for Internationally Wrongful Acts. Article 20 indeed recalls that “valid consent by a State to the commission of a given act by another State precludes the wrongfulness of that act in relation to the former State […]”.10 Without consent, the act would constitute a breach of the international obligation to respect sovereignty of other States. Targeted killings usually involve the implementation of a strike in a different country than that from which the drone has departed: thus, the consent for their employment must be taken into account.11 UAVs can carry weapons and, potentially, they could be used to target groups and individuals in a State that has not given its consent to such operations. In this connection, strikes could amount to a violation of Article 2(4) of the UN Charter, inasmuch as they violate the sovereignty and territorial integrity of another State through armed force. Thus, when drones are employed for military purposes in transnational settings, their use should respect the rules governing interstate use of force, as framed by Article 2(4) and the other norms of the UN Charter (notably, Article 51). As is well known, the use of force can be resorted to only in some selected scenarios.12 First, when an armed attack occurs against a State, this has the right to act in self-defense.13 Second, if a State has received the authorization of the UN Security  Or, more broadly, fulfilling the conditions that regulate the lawful use of force under international law. 10  Cf. Articles on the responsibility of States for internationally wrongful acts, Yearbook of the International Law Commission, Vol. II, Pt. 2, 2001, especially Article 20, which also sets the limits of operations carried out after consent has been given. 11  Strikes carried out by the United States provide some relevant examples of transnational use of drones, especially with reference to the events involving Afghanistan, Pakistan, Somalia and Yemen since 2001. Growing practice includes strikes implemented by the United Kingdom since 2015 in Syria in the fight against the so-called Islamic State and its fighters. On some occasions, also the Pakistani army has used drones within its own territory, but it can be said that the widest practice that has caused more legal debate is that of drones employed internationally. 12  Given the general prohibition of the use of force, codified in Article 2(4) of the UN Charter, which states that “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations”. 13  This principle is enshrined in Article 51 of the UN Charter, which refers to “the inherent right of individual or collective self-defense if an armed attack occurs […]”. On self-defense as inherent right, cf. Kretzmer (2013). 9

96

C. Candelmo

Council, its resort to force can be considered lawful.14 When none of these options are fulfilled, the use of force is generally prohibited, unless, as said earlier, the State that “receives” the operations involving armed force gives its consent to them. Under the first scenario, the resort to the use of force through drones for self-­ defense may entail the implementation of force against one State or, at least, against objectives located within its territory, especially when the use of force is targeted on groups or individuals not necessarily affiliated with the State. If that State is directly responsible for an armed attack, then no issue of consent arises. However, if that State is not directly responsible for any armed attack, what about the lawfulness of the implementation of force against its territory? If that State agrees with the operation, again no particular issue arises. In this case, the sovereignty of the State is fully respected and the borders to implement the strike are lawfully crossed. In fact, according to some scholars, formally, consent to the resort of force for self-defense is not needed,15 since nothing in the principles regulating self-defense requires prior consent to respond to an armed attack. While this is a reasonable point of view in case of direct responsibility for the armed attack by a State (which, obviously, would not give its consent to be attacked back),16 this view does not seem to be entirely consistent when it comes to an attack for which the State has no responsibility under international law, such as an attack committed by groups or individuals not affiliated with the State structure.17 In our view, using drone strikes without the impacted State having committed or being involved in any armed attack, or without its full consent, would violate its sovereignty and render the strikes unlawful. Although eroded in some respects,18 sovereignty and equality among sovereign States are fundamental principles of international law and peaceful relations in the international community. An operation of force, such as those described, would inevitably violate or, in any case, impact on the territory inside the borders of a sovereign State. Such an operation needs to be accepted by the State itself, and ­consent by the territorial State to the drone strike must be verified in order to establish its lawfulness.  In both cases, however, the requirements for the lawful implementation of the use of force must be respected, and the use of force cannot exceed the limits set by the law. The UN Security Council may give authorization to use force against a State under Article 42 of the UN Charter, which enables the UN to take measures involving the use of force in case of a threat to international peace and security. 15  In particular, cf. Paust (2010), p. 249 ff. 16  Requiring consent for the lawful resort to force in case of an attack perpetrated directly by a State would basically impair the right of self-defense, because it would render the response impossible, absent consent of the attacking State. 17  Unless it can be demonstrated that a violation of the obligation of prevention or any other kind of acquiescence has been made and, even in that case, the responsibility of the State will be for its own violation and not for the armed attack perpetrated by non-state armed groups. 18  Reference here is made to the potential limitation of State sovereignty in case of protection of human rights deriving from the growing importance of international human rights bodies, which monitor the implementation by States of human rights treaties. 14

Drones at War: The Military Use of Unmanned Aerial Vehicles and International Law

97

Furthermore, as has been recalled before, consent represents one of the circumstances precluding wrongfulness, and the use of force is no exception to the application of this principle19; in fact, the lawfulness deriving from consent only extends to aspects of the operation that are accepted.20 In other words, consent given to a single drone strike does not amount to consent to strike sine die. Thus, the characteristics of the consent expressed by the competent authorities are a primary element to be verified when assessing the validity of the various strikes. Nevertheless, it should be borne in mind that, while consent renders the operation lawful in connection with the sovereignty of the State where the strike is carried out, it will not operate as a circumstance precluding wrongfulness in case the drone strike violates the rights of third parties (both third States and individuals targeted by the strikes), for which consent of the State is, basically, irrelevant. Rather, issues of shared responsibility may potentially arise, with respect to both the sending State and the State where the strike is materially operated.21 To further clarify the importance and the characteristics of consent, it is useful to have a look at the relevant practice. The United States made an extensive use of drones, carrying out strikes in Afghanistan, Pakistan, Somalia and Yemen. In all these States, the United States relied on the consent given by State authorities to legally justify their conduct. However, if consent for Afghanistan and Pakistan22 may be considered validly given in connection with the effective control that the respective governments exercised over the territories of the two States, the case of Yemen and Somalia is more complex, because their governmental authorities are currently very fragile and could be put into question. However, it seems plausible to conclude that the intervention within the borders of these last two States has been accepted by the de jure authorities of the two countries, which, although not in control of the whole territory of the State, have the formal power to provide consent: strikes could then be considered lawful—at least under the perspective of the jus ad bellum requirements.23 From the point of view of consent, two additional issues arise. Firstly, there are doubts concerning which kind of consent is validly expressed. Indeed, it may not

 Cf. Articles on the responsibility of States for internationally wrongful acts, Article 20.  Ibid. 21  See General Comment No. 36, which, at para. 26, recalls the duty of States parties to take appropriate measures to protect individuals against deprivations of life by other States that operate within their territory. 22  It should be noted that the validity of the consent given by Pakistani authorities was disputed by the findings of the Peshawar High Court in the case 1551-P/2012, of 11 April 2013, which requested the US to stop drone strikes within the airspace and territory of Pakistan and to provide compensation for the loss caused through previous strikes (para. VII). The legal basis put forward by the US, that is the consent given by General Musharraf, was also contested as being unsupported by relevant written documentation. Pakistan decided to openly deny its consent to US strikes in the same year. 23  Brookman-Byrne (2017), pp. 21 and 31. 19 20

98

C. Candelmo

always be the case that the consent is clear and unambiguous. In particular, it may be doubtful whether an implied consent can be regarded as a valid one.24 Secondly, absent consent (and direct attribution of armed attacks stemming from the territory of the receiving State), one should further verify whether, as an exception to the general prohibition to use armed force, a State could be entitled to operate the strikes on the basis that the territorial State is “unable” (because it does not have the necessary resources or means) or “unwilling” (in the sense that, knowingly, it does not want) to remove a threat located on its territory. In other words, lacking direct attribution of an attack or consent to the drone strike, it should be further ascertained whether the territorial State has violated or not the obligation of prevention and suppression of the threat and is therefore unable or unwilling to remove groups or individuals that may constitute an armed threat to other States. In case of affirmative answer, one shall examine whether the launching State is then entitled to operate the strike on the basis that the territorial State is “unable” or “unwilling”.25 It would seem that, in the absence of consent by the territorial State (and of its direct responsibility for the attack), the drone strike is prima facie unlawful. In fact, it is not established—as opposing views exist26—if the use of force, notably in self-­ defense, specifically directed against the individuals or groups that are considered a threat against the State operating the drone strike, is admissible, for example in connection with armed attacks carried out by groups or individuals that are not attributable to the territorial State where the drone strike is operated, in the recalled hypotheses of a State that is either “unable” or “unwilling” (or, perhaps, even both). In this framework, the inability or unwillingness of the territorial State would be the legal basis on which, exceptionally, the State is authorized to use force, provided that the other requirements of self-defence (such as imminence or the existence of an armed attack) are satisfied. Article 51 of the UN Charter, which governs the right of self-defense, does not envisage it exclusively between two or more States. Indeed, the academic debate has put the emphasis on an evolution in recent years’ practice, concerning a more extensive use of force in self-defense and aiming at including reactions to attacks coming from non-State actors.27 However, the International Court of Justice (ICJ) has traditionally interpreted the right to self-defense as an inter-State right,28 although more recent case law has been less straightforward and has left the issue somehow still open for further debate29 and for development of contemporary practice.  This assumption does not exclude the possibility that a State gives its consent in an oral form, for example in a public declaration made by an official of the Government, or that consent is deduced from the material behavior of the State (facta concludentia). Cf., on the issue of consent, Colacino (2015), p. 626, Bethlehem (2012) and Hollis (2005). 25  On the problem of inability and unwillingness, see Corten (2016) and Deeks (2012). 26  See on this debate, among the others, Tams (2009), Lubell (2010) and Paust (2010). 27  Tams (2009). 28  ICJ, Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), Judgment, 27 June 1986, ICJ Reports 1986, p. 14. 29  On the point, cf. Armed activities on the territory of the Congo (Democratic Republic of the Congo v. Uganda), Judgment, 19 December 2005, ICJ Reports 2005, p. 168. Cf., in particular, the 24

Drones at War: The Military Use of Unmanned Aerial Vehicles and International Law

99

For the purposes of using force, however, a difference should be drawn between the case in which the State is “unable” and that in which is “unwilling”. In the first case, the State is not able to contain a threat and may even ask for the help of the international community (as it happened for the Iraqi government against the so called Islamic State).30 In the second case, the State is not simply incapable, but “unwilling”, showing a decision to violate the international obligation to prevent that threats to other States stem from its territory.31 Whether, in this specific case, a right of self-defense is lawful, without further proof of involvement of a State in an armed attack stemming from its territory, is an issue still open to debate. That said, a strike that is lawful under jus ad bellum and has been launched for purposes of self-defense, or State consent has been granted, is not also directly and automatically lawful under IHL and IHRL. The three bodies of law, whilst necessarily interconnected, require indeed three different examinations.

3  D  rones Strikes and the Extraterritorial Applicability of Human Rights Treaties The question of the applicability of human rights treaties extraterritorially is of particular relevance in the case under examination,32 in light of the possibility that States operating transnational drone strikes violate their human rights obligations vis-à-vis individuals that, despite being outside the physical borders of the operating State, can be considered under its jurisdiction. In this connection, specific consideration deserves the right to be protected against arbitrary deprivation of life.33 Being drone strikes potentially lethal for their targets and, in some cases, for people who are not the proper target of the strike (for example, in case of collateral damage), the right to life may be easily breached by the sending State. Against this background, important questions arise, regarding the applicable legal regime and, consequently, the standard of protection that the State must ensure. The physical border of the State does not limit the area where the relevant treaties on human rights are applicable. In some cases, IHRL can find application outside the borders of the State party to the treaty that upholds those rules: one shall separate opinions rendered by Judges Kooijmans and Simma in this case (ICJ Reports, 2005, paras. 306–326 and 334–350). 30  Letter dated 25 June 2014 from the Permanent Representative of Iraq to the United Nations addressed to the Secretary-General (S/2014/440, 25 June 2014) and letter dated 20 September 2014 from the Permanent Representative of Iraq to the United Nations addressed to the President of the Security Council (S/2014/651, 22 September 2014). 31  Furthermore, it cannot be denied that an absolute prohibition to respond to an armed group operating from the territory of the State, without the State’s direct involvement, would make the attacked State substantially blocked to respond to attacks involving the use of force, unless the UN Security Council authorizes it. 32  Frau (2013). 33  Such right is recognized, inter alia, by the International Covenant on Civil and Political Rights, at Article 6.

100

C. Candelmo

t­ herefore verify whether the State has fulfilled its extraterritorial obligations or if, on the contrary, its responsibility for the commission of a wrongful act is triggered. Accordingly, there can be exceptionally a “separation” between the legal and physical border of the State for the purposes of jurisdiction, although, indeed, it remains an extraterritorial application, extraordinary in nature.34 The possibility that human rights treaties apply extraterritorially has been ascertained widely by international case law, both at the universal and at the regional level.35 Human rights monitoring bodies have interpreted and applied extensively the concept of “jurisdiction” contained in most international human rights treaties.36 In the case of drone strikes, the central question is thus to verify whether individuals or groups targeted come under the jurisdiction of the sending State or not.37 In case of internal matters, the jurisdiction is usually not at stake, unless issues of governmental authority arise.38 However, drone strikes have been seldom carried out within the borders of States. Most often, they imply a transnational element and, in that case, jurisdiction can be ascertained through the concept of control and, more specifically, effective control. This requirement can be analysed both in connection with territory (that is, effective control on a portion of a territory, coupled with the concept of authority)39 or with people. Case law has affirmed that the spectrum of control over groups and individuals goes so far as to include cases of non-direct physical control.40 Practice is, however, not conclusive: whilst the case law on  Cf. Al-Skeini and Others v. United Kingdom (App. No. 55721/07), ECtHR [GC], Judgment of 7 July 2011; Bankovic and Others v. Belgium and Others (App. No. 52207/99), ECtHR [GC], Judgment of 19 December 2001. 35  On this issue, see Ryngaert (2012) and De Sena (2002). 36  ICJ, Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory, Advisory Opinion, 9 July 2004, ICJ Reports 2004, p. 136, para. 109; Coard et al. v. United States, Inter-American Court of Human Rights, Report n. 109/99, 29 September 1999, para. 37. Extensive case law has been rendered by the ECtHR, among which cf. Al-Skeini and others v. United Kingdom cit., para. 109 ff.; Loizidou v. Turkey (App. n. 15318/89), ECtHR [GC], Judgment 18 December 1996; Case of Ilaşcu and others v. Moldova and Russia (App. No. 48787/99), ECtHR [GC], Judgment of 8 July 2004, para. 392. 37  This is without prejudice to the responsibility in which the territorial State where the drone strike is carried out may incur for human rights violations. In fact, even if the territorial State has given its consent to the strike, the strike itself does not become automatically lawful under a human rights perspective. 38  Although it is generally presumed that internal matters come within the jurisdiction of the State, there may be cases where the State is not in control or cannot exercise authority on a given portion of its territory. In that case, the ascertainment of jurisdiction may require further examination. 39  For the purposes of the establishment of jurisdiction, one of the leading cases in regional jurisprudence is Loizidou v. Turkey cit. 40  Al-Skeini v. the United Kingdom cit., paras. 149–150, where the ECtHR ascertained that the United Kingdom exercised authority and control over individuals in the course of security operations. This was sufficient to establish a jurisdictional link between those who had lost their lives in the course of such operations and the United Kingdom, for the purposes of Article 1 of the ECHR. More recent case law on the matter includes Jaloud v. the Netherlands (App. No. 47708/08), ECtHR [GC], Judgment 20 November 2014, which goes so far as to establish jurisdiction over 34

Drones at War: The Military Use of Unmanned Aerial Vehicles and International Law

101

e­ xtraterritorial applicability of human rights treaties is growing,41 there is only a limited number of national cases concerning specifically drone strikes and human rights violations committed outside the sending State’s territory.42 Nevertheless, practice of monitoring bodies, such as the UN Human Rights Committee’s General Comment No. 31,43 is progressively heading towards flexible concepts of “jurisdiction”, whose purpose is to include individuals and groups who are directly affected by extraterritorial acts of the State, within its jurisdiction. In this respect, personal control is particularly relevant: one of the principal features of drone strikes is to be targeted and, although they may cause incidental or collateral damage, they are directed against specific buildings, groups or individuals. They do not require any territorial control, precisely because they can be remotely operated from long distances. In this case, if the State operating the drone strikes has no territorial control over the territory where the strike is being carried out, it may still have jurisdiction over the individuals or groups targeted through personal control over them. In this respect, it cannot be excluded that drone strikes carried out extraterritorially are included under the jurisdiction of the sending State, even when such State lacks territorial control or direct authority over the targeted individuals. The targeting of specific objectives by State officials who remotely operate the drones and the use of lethal force may be sufficient to establish jurisdiction,44 especially when45 States carry out actions that have a “significant and foreseeable impact on the right to life of individuals outside their territory”.46 In this case, they must take appropriate measures to ensure that such actions are consistent, for instance, with the provisions of Article 6 of the ICCPR, which prohibits arbitrary deprivation of life. In this connection, the breadth of jurisdiction and the concept of control must be analysed with respect to the potential and, especially, foreseeable impact that a drone strike

individuals passing through a checkpoint managed by personnel under the command of the Netherlands Royal Army. 41  Cf., in particular, Hassan v. The United Kingdom (App. No. 29750/09), ECtHR [GC], Judgment 16 September 2014, and Jaloud v. The Netherlands cit. 42  See supra footnote No. 28. 43  Cf. Human Rights Committee, General Comment No. 31, The Nature of the General Legal Obligation Imposed on States Parties to the Covenant, 29 March 2004, UN Doc. CCPR/C/21/ Rev.1/Add. 1326, para. 10, which does not refer to territorial control, but to jurisdiction on “those within the power or effective control of the forces of a State Party acting outside its territory, regardless of the circumstances in which such power or effective control was obtained”. 44  On this aspect see Joint Committee on Human Rights, The Government’s policy on the use of drones for targeted killing. Second report of session 2015–2016, paras. 3.58–3.59. https://publications.parliament.uk/pa/jt201516/jtselect/jtrights/574/574.pdf. Accessed 3 January 2018. 45  As remarked by General Comment No. 36. 46  See the latest draft of the General Comment No. 36 on Article 6 of the International Covenant on Civil and Political Rights, on the Right to Life, para. 26, available online at http://www.ohchr.org/ EN/HRBodies/CCPR/Pages/GC36-Article6Righttolife.aspx.

102

C. Candelmo

may have on the life of individuals, in order to verify the compliance of such actions with the required standards of protection.47 Literature48 and very recent national case law49 have also referred to the possibility that human rights obligations which bind the State apply in case of drone strikes, on the basis that, if lethal force is employed, and IHL is not applicable, human rights obligations must always be respected, in particular those that prohibit arbitrary killings. In fact, one should not forget that the objective of human rights treaties is to oblige the State to respect some basic rights of individuals: it would be pointless to allow a State to perpetrate abroad human rights violations (such as arbitrary killings) that are not allowed in its territory.50 In sum, even though the conditions of extraterritorial application of IHRL in connection with drone strikes are still not entirely clear, the expansive interpretative trend with respect to jurisdiction may suggest that State control on people may be the key criterion that shall guide the ascertainment of the responsibility of a State, also in case of unlawful extraterritorial drone strikes.

4  T  he Existence of an Armed Conflict and the Applicability of International Humanitarian Law: Which Implications? In some cases, drones strikes may be carried out in the context of an armed conflict, triggering the application of IHL.51 There may be cases where the existence of an armed conflict is crystal-clear. However, armed conflicts can have a heterogeneous nature. Thus, while it is pretty straightforward to establish the existence of a purely international armed conflict in its traditional meaning (that is, a State-to-State conflict), other forms of conflict may be more subtle and difficult to be determined. For instance, it is also possible that a drone strike takes place in the context of an armed conflict between a State and a non-State actor, that is a non-international  Ibid., para. 66, which clarifies the importance to ensure that the right to life of individuals impacted by military or other activities, in a significant and foreseeable manner, is duly protected. 48  Milanovic (2011) and Melzer (2008). 49  Cf. Al-Saadoon and others v. Secretary of State for Defence [2015] EWHC 715 and Al-Saadoon and others v. Secretary of State for Defence [2016] EWCA Civ. 811. 50  Cf. on this aspect Human Rights Committee, Delia Saldias de Lopez v. Uruguay, Communication No. 52/1979, UN Doc. CCPR/C/OP/1, para. 88 (1984). Cf. also Issa and others v. Turkey (App. No 31821/96), ECtHR, Judgment of 16 November 2004, para. 171. In this respect, targeting groups or individuals that are hit by drone strikes during law enforcement operations at the domestic level would fall within the jurisdiction of the State and, therefore, the conduct will likely be considered a violation of relevant human rights norms, unless the strike was motivated by the absolute necessity to protect life. However, this view does not imply that the State has automatically identical obligations both nationally and extraterritorially. 51  On the application of IHL and drones, cf. Foy (2014) and Lewis and Crawford (2013). On contemporary legal challenges under IHL, cf. Lubell (2017), Gill and Fleck (2010), and Paulus and Vashakmadze (2009). 47

Drones at War: The Military Use of Unmanned Aerial Vehicles and International Law

103

armed conflict. This may be characterised either by the existence of hostilities within a single State or by armed activities between a State and an armed group, not necessarily operating on the territory of the belligerent State. In both cases, IHL apply: Protocol II will be applicable to the first typology of conflicts, while common Article 3 to the four Geneva Conventions52 applies in case of more general non-­ international armed conflicts. Nevertheless, in both cases specific criteria shall be met. In particular, according to the aforementioned Article 3, as interpreted by the International Criminal Tribunal for former Yugoslavia in the case Prosecutor v. Dusko Tadić,53 in order for a non-­ international armed conflict to exist, the hostilities must reach a minimum threshold of intensity and the group that confronts the State must possess organized armed forces. According to Article 1, para. 1 of the Additional Protocol II to the Geneva Conventions, the field of application of the Protocol is limited to cases in which the following criteria are met: the hostilities take place in the territory of a High Contracting Party, between its armed forces and dissident armed forces or other organized armed groups. These groups must be under responsible command, and exercise control over a part of the State’s territory, in order to be enabled to carry out concerted operations and to implement the Protocol.54 In this case, an armed conflict may be said to exist; otherwise, there is a simple contraposition between two entities, which does not trigger the application of IHL. Both Additional Protocol II and Common Article 3 of the Geneva Conventions apply to non-international armed conflicts.55 The identification of when IHL applies is crucial especially with respect to the standards that shall be respected in connection with human rights. While, in case of an armed conflict, some rights remain inalienable and cannot be limited, not even respecting the criteria of necessity and proportionality, such as the right not to be subject to torture, some other rights can be compressed or limited, proportionally to  Geneva Convention for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the field of 12 August 1949; Geneva Convention for the Amelioration of the condition of wounded, sick and shipwrecked members of armed forces at sea of 12 August 1949; Geneva Convention relative to the treatment of prisoners of war of 12 August 1949; Geneva Convention relative to the protection of civilian persons in time of war of 12 August 1949, all entered into force on 21 October 1950. 53  Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, Tadić (IT-94-1-A), Appeals Chamber, 2 October 1995 (“Tadić Decision on Interlocutory Appeal”), para. 70. 54  Article 1, para 1 of the Protocol Additional to the Geneva Conventions of 12 August 1949 and relating to the protection of Victims of Non-International Armed Conflicts (Protocol II), 8 June 1977, states that the Protocol applies to all armed conflicts that take place in the territory of a High Contracting Party “between its armed forces and dissident armed forces or other organized armed groups which, under responsible command, exercise such control over a part of its territory as to enable them to carry out sustained and concerted military operations and to implement this Protocol”. Paragraph 2 of the same Article excludes the application of the Protocol to situations of internal disturbances and tensions that cannot amount to armed conflicts. 55  Article 3 obliges the Parties to the conflict (be it of an international or of a non-international nature) to apply minimum provisions of humanity to protect vulnerable categories and personal dignity of individuals, prohibiting humiliating and degrading treatments. 52

104

C. Candelmo

the end pursued and if necessary, in times of armed conflict. One clear example is the right to life, which is non-derogable during peacetime, while it receives less protected during conflicts, for example when a soldier becomes the legitimate military target of another soldier on the battlefield. In this connection, verifying if IHL finds application in connection with drone strikes is certainly important in order to ascertain which standard of protection applies, but also in connection with the impact that new technologies, and especially UAVs, have on crucial concepts of IHL, such as neutrality and the definition of “battlefield”.

4.1  Drones and Neutrality: New Technologies, Old Questions There are issues concerning sovereignty and borders of the State that have relevance both for the regime of jus ad bellum and for the regime of jus in bello. In this respect, the issue of neutrality shall be taken into consideration, in connection with areas where hostilities are carried out. Neutrality is the concept that identifies the conduct of a State that refrains from taking part in an armed conflict and does not support any of the Parties in the conflict. In this framework, it should be noted that the right to neutrality is a legal concept that finds application exclusively in armed conflicts of international nature. While the overfly of a neutral strait is lawful,56 according to the relevant provisions of international law,57 the overfly of neutral territories is prohibited.58 This prohibition clearly includes also drones used for military activities, during the flight towards their destination, both in connection with the overfly of neutral territories in times of international armed conflicts, and when the drone is used for military purposes, although the existence of an armed conflict is still not clear. As far as neutral territories are concerned, the overfly by a drone toward the destination of its strike is not considered lawful, being a violation of the prohibition of the use of force, unless the consent of the neutral State concerned has been given.59 The neutrality of a State, in fact, requires it not to participate or acquiesce in military acts that may benefit one or the other State at war. Participation does not always substantiate in active or positive acts that support one or the other Party. It may also take the form of acquiescence or lack of prevention and contrast by a neutral State,  Ronzitti (2012), p. 563.  The United Nations Convention on the Law of the Sea (UNCLOS) and, in particular, the provisions regulating the straits used for international navigation, affirms that the overfly of these areas is not prohibited in times of armed conflict (see Articles 34 ff., especially Article 38, regulating the right of transit passage in international straits). 58  Gioia (2006), pp. 188–189. See in particular The Hague Convention V, of 1907, Respecting the Rights and Duties of Neutral Powers and Persons in Case of War on Land, entered into force on 26 January 1910, especially Article 1, which protects as “inviolable” the territory of neutral Powers. 59  Ronzitti (2012), p. 563. 56 57

Drones at War: The Military Use of Unmanned Aerial Vehicles and International Law

105

when one belligerent Party is using its territory for military purposes.60 As a consequence of its acquiescence or participation in the hostilities, the neutral State may lose its status of neutrality and be lawfully attacked, especially if it is not opposing the violation of its territory and is abusing of its status of neutrality. Interestingly, the violating State may be lawfully attacked as well, if it is overflying a neutral territory. This prohibition includes all military overflies, with all military crafts, either those targeting an objective when the armed conflict is already in course or those reacting to an armed attack in self-defense.61 Such a strong prohibition, on the other hand, does not exist in connection with the overfly of neutral straits, on which the rights of transit passage can be exercised, also in light of the recent developments included in the 1994 San Remo Manual.62 This document recalls the possibility for belligerent aircrafts to exercise the rights of passage over neutral international straits63 which, although not defined clearly by the Manual, can be understood as international straits comprised by neutral waters.64 The Manual also affirms that the neutrality of the State that borders the strait is not jeopardized by the transit passage of military aircrafts.65 In line with the right of transit passage for ships and aircraft, codified by the UN Convention on the Law of the Sea (UNCLOS),66 the passage of military aircrafts over international straits must be continuous and expeditious. In this respect, the right of transit passage allows the overfly of straits by military aircrafts, even if they are embarking in, or returning from, a military operation, and does not consider the purpose of the transit, provided that no attacks or violations against neutral archipelagic States are carried out.

 Gioia (2006), p. 188. Schmitt (2010), p. 318. In particular, the neutral State has a duty of prevention against acts that may constitute a violation of its neutrality. 61  Provided that all acts of aggressions are prohibited per se, the strike would be unlawful under the jus ad bellum framework, if it was intended as an act of aggression against another State and not as a measure of self-defense. 62  International Institute of Humanitarian Law (1995). 63  Ibid., para. 23. 64  The commentary attached to the San Remo Manual does not define further what is the exact meaning of “neutral international strait”. However, as the commentary explains (para. 23.1, pp. 102–103 of the San Remo Manual), the proposed formulation of para. 23 was initially less detailed but clarified that while the possibility to exercise the right of transit passage in neutral international straits is granted, it is forbidden to carry out any hostile act in “neutral waters comprising an international straits”, where the meaning of neutral waters can be understood as territorial waters of a neutral Power. 65  Ibid., paras. 24–25. 66  UNCLOS, Article 38, para 2. 60

106

C. Candelmo

4.2  The Battlefield and Its Boundaries: No Easy Definition The last meaning of the term “border” may be associated with the concept of battlefield and its boundaries,67 a notion that carries relatively high importance in relation to the areas where two parties—be they of a State or a non-State nature—are fighting. The importance of this aspect is crucial, because the meaning of the term “battlefield” is not readily established. Even IHL treaties mention and make references to the “battlefield areas”,68 but do not define them.69 In fact, as part of the literature has recalled,70 both in the case of international armed conflicts and in the case of non-international armed conflicts, the fact that one State is at war does not necessarily imply that the whole territory of that State becomes a battlefield, purely and simply. In the past, and especially with reference to World War I, it was relatively easy to define the areas of hostilities, given the fact that two armies (or more) would confront directly on the ground and the areas where the two parties were engaged in military operations could be defined in general terms the battlefield. With the advent of World War II, and even more in the following years, two features have emerged in the practice of armed conflicts. First of all, less and less conflicts are taking place between or among States, while non-international armed conflicts in nature are much more common than before.71 Furthermore, this typology of conflicts often takes place among States and non-State actors, that are at times not inside the territory of the first country, but are rather loosely organized groups, often present in several third States. This feature, coupled with the technologically advanced means of warfare that are becoming more and more common, including drones, has raised even more doubts concerning which is the proper—up to date—definition of “battlefield” and what limits apply to this concept. Remotely operated drones, in fact, render the possibility of long-distance attacks a reality and could well be used to target objectives that are far away from the place that would be traditionally seen as the “zone of hostilities”.72 Already now, drone strikes often happen outside the battlefields, have spill-over effects into other States or are carried out in countries where no situation of armed conflict formally exists. However, despite opposite claims, the fact that technology allows remotely controlled attacks does not and cannot imply that the battlefield is potentially in all the countries of the world, where armed groups or individual fighters might find refuge. The most recent example of this assumption is the already recalled “global war on terror” waged by the United States. While the US have stated their willingness to combat terrorism all around the world, it has been remarked frequently that, without  Lewis (2012).  In particular, Article 33, para. 4, of Additional Protocol II. 69  Lubell and Derejko (2013), pp. 73–74. 70  Ibid., p. 66. 71  On the numerous examples of recent and contemporary non-international armed conflicts, see Lubell and Derejko (2013), pp. 70–71; Blank (2010), p. 3. 72  Heyns et al. (2016), p. 793. 67 68

Drones at War: The Military Use of Unmanned Aerial Vehicles and International Law

107

impairing the right of self-defense against armed attacks,73 the concept of global war is at least controversial, notably in light of the definition of “armed conflict”, which, be it of an international or of a non-international nature, is limited to areas where hostilities are being carried out. Affirming the existence of one global, non-­ international armed conflict, which extends to every place in which a terrorist might be located, would imply that no geographical and legal boundaries to the battlefield exist and, potentially, a war involving all countries that support armed groups, or acquiesce to their activities, could take place. Such a possibility is not consistent with the definition of “armed conflict” itself and does not seem to be legally sound. It is useful to refer again to the international legal framework governing non-­ international armed conflicts, and above all Article 3, common to all four Geneva Conventions, as well as Article 1, paragraph 1 of Additional Protocol II. In particular, as we have seen, this last clause envisages the possibility of a non-international armed conflict taking place “in the territory of a High Contracting Party between its armed forces and dissident armed forces or other organized armed groups”.74 However, while it is not excluded that such conflict may have spill-over effects in other countries (not necessarily neighboring countries), active hostilities at least should be present and organized groups should be involved, for any kind of non-­ international armed conflict to exist, according to both the articles.75 In other terms, if a single individual is engaged in furthering a conflict, principally happening somewhere else, it would be hard to say that the conflict extends even where a single fighter is located.76 The same reasoning would apply, therefore, in connection with the notion of “battlefield”: it would not be sufficient to have a single individual engaged in armed activities against other States to affirm that the battlefield or the area of hostilities extends wherever such individuals may be located. Accordingly, these situations should be treated through operations of law enforcement, and benefit from judicial cooperation among States, if necessary. Therefore, it is important to draw a distinction between the cases which may fall within a non-international armed conflict, allowing the application of IHL, and those that, on the other hand, do not fall in the scope of IHL and, therefore, require the application of IHRL.77 In our view, this distinction should not take into account  As remarked by UN Security Council Resolution 1373, too. See, on the point, UN Doc. S/ RES/1373 (2001), in particular the fourth paragraph of the preamble. 74  Article 1(1) of Protocol II. 75  Ibid. See also Saul (2014), p. 218 and Article 1(2) of Additional Protocol II, which excludes the application of the Protocol to situations of internal disturbances tensions and isolated or “sporadic acts of violence and other acts of a similar nature, as not being armed conflicts”. 76  Ibid. 77  In fact, it should be borne in mind that, while IHRL applies in times of peace, that is when no armed conflict is taking place, IHL applies exclusively in times of armed conflict. However, if IHL does not apply, it will be IHRL norms to protect individuals and their rights internationally recognized, although in times of armed conflict IHRL does not cease to be applicable simply because IHL applies. Furthermore, some basic rights are always protected, no matter the existence of an armed conflict, as recalled by Article 3, common to all four Geneva Conventions, which states that “Persons taking no active part in the hostilities, including members of armed forces who have laid 73

108

C. Candelmo

exclusively geographical proximity, but other criteria, notably the existence of active hostilities in a given location and the presence of organized armed groups. Furthermore, the widening of the concept of battlefield carries with it important consequences, among which one of the most relevant is the fact that, in the area of hostilities (the battlefield), IHL applies, together with IHRL,78 while in peacetime exclusively IHRL will apply. Even though both IHL and IHRL apply concurringly, however, it cannot be denied that the protection against arbitrary deprivation of life will enjoy two different standards of protection, according to the situation. In this connection, as the ICJ has clarified,79 arbitrary deprivation of life is prohibited both in times of conflict and in times of peace. However, in times of armed conflict, that is when IHL applies, the standards provided in IHL will have to be taken into consideration to determine if and when a deprivation of life is arbitrary or not.80 This interplay of regimes and standards does not verify absent an armed conflict. However, IHL standards are more lenient than those applied in times of peace and imply a lowering of human rights protection, especially as far as the right to life is concerned. Widening the scope of the battlefield would imply lower standards of protection for the right to life, thanks to the simultaneous application of IHL and IHRL, instead of law enforcement standards alone, which allow the recourse to lethal force only as last resort. Shifting the protection from law enforcement standards, which apply in peacetime, to IHL levels, allows States to resort to armed force much more easily than in times of peace.81 This is an important feature that should be considered by State authorities when they decide to launch a drone strike. If IHL is applicable, then more lenient standards for targeted killings through drone operations will apply, while if IHRL alone applies resort to lethal force will have to be justified by absolute necessity. Therefore, the expansion of the legal definition of battlefield does have a direct, negative, impact also on the legality of drone strikes. down their arms and those placed ‘hors de combat’ by sickness, wounds, detention, or any other cause, shall in all circumstances be treated humanely, without any adverse distinction founded on race, colour, religion or faith, sex, birth or wealth, or any other similar criteria. To this end, the following acts are and shall remain prohibited at any time and in any place whatsoever with respect to the above-mentioned persons: (a) violence to life and person, in particular murder of all kinds, mutilation, cruel treatment and torture; (b) taking of hostages; (c) outrages upon personal dignity, in particular humiliating and degrading treatment; (d) the passing of sentences and the carrying out of executions without previous judgment pronounced by a regularly constituted court, affording all the judicial guarantees which are recognized as indispensable by civilized peoples”. On the interplay between the application of IHL and IHRL, cf. Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, 8 July 1996, ICJ Reports 1996, para. 226, and Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory, Advisory Opinion, 9 July 2004, ICJ Reports 2004, para. 136. 78  Cf. Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory, cit., para. 106. 79  Ibid. 80  Borelli (2015), pp. 273–274. 81  Brookman-Byrne (2017), p. 5.

Drones at War: The Military Use of Unmanned Aerial Vehicles and International Law

109

At the same time, it should be recalled that IHL does not stop being applicable outside the geographical area of hostilities.82 The protection of IHL extends also to areas that are not directly involved in the hostilities and, when IHL does not apply, more stringent human rights principles should be nevertheless respected. In this respect, if IHL does not find application, the reason would not be that no guarantees apply, but that higher standards of protection are applicable, those provided exclusively by IHRL. In this connection, the forcible application of IHL should not be used as a shield to impair the more pervasive protection that could be provided by IHRL standards, if applied alone. Therefore, IHL should find application only in scenarios and contexts of armed conflict, either of an international or a non-international nature. The strikes perpetrated when IHL does not apply should remain subject to the rules that regulate the use of force and to IHRL.

5  Concluding Remarks This Chapter analysed the responsibility of the State for cross-border activities with respect to the use of drones for military purposes. By so doing, three relevant areas of international law have been identified and briefly examined. The first meaning is identified in the framework of two notions that are of paramount importance in international law: the prohibition of the use of force and sovereignty. When States use drones for self-defense, consent is not needed to lawfully carry out a drone strike; however, when States are not responsible for armed attacks stemming from their territory, consent is needed in order for other States to lawfully implement a drone strike on their territory. Otherwise, a drone strike may entail a violation of the sovereignty of the targeted States. The second meaning concerns the concept of extraterritorial application of human rights treaties, in relation to which the case law of human rights courts, such as the ECtHR, and bodies, like the UN Human Rights Committee, has played a key role. The analysis has shown that the notion of jurisdiction, underlying the applicability of human rights treaties extraterritorially, has been progressively widened so as to encompass, as comprehensively as possible, even the challenges to fundamental rights posed by growing technological means, among which drones have a particularly important place. The third is the case in which both general international law and IHL find application. On the one hand, the implications and applicability of the notion of neutrality to drone strikes and to their overfly of neutral territories have been analysed. On the other, the challenges posed by the broadening of the notion of “battlefield” and its boundaries are relevant too, as they become particularly important in connection with the potentials of long-distance attacks carried out through drone strikes.

82

 ICTY, Tadić Decision on Interlocutory Appeal, para. 70.

110

C. Candelmo

As far as the first issue is concerned, it can be safely affirmed that the current legal framework governing neutrality and the overfly of neutral straits and territories must be applied to the transit of military drones as well, in order to protect and safeguard the rights of neutral States. With respect to the second issue, it has been shown that, although IHL applies to all the areas where the hostilities take place, the notion of global battlefield cannot be sustained, since hostilities should be ongoing, basically, in all territories of the world, in order to justify the existence of a single, world-wide battlefield. The extension of such notion, furthermore, is not even advisable, as the potential consequences are dangerous83: implications of imagining a global battlefield go so far as to establish universal application of IHL, even in cases where only IHRL, and the relevant standards of protection, would be applicable instead.

References Alberstadt, Rachel. 2014. Drones Under International Law. Open Journal of Political Science 4: 221–232. Bergen, Peter L., and Daniel Rothenberg. 2014. Drone Wars. Transforming Conflict, Law and Policy. Cambridge: Cambridge University Press. Bethlehem, Daniel. 2012. Self-Defense Against an Imminent or Actual Armed Attack by Nonstate Actors. The American Journal of International Law 106: 769–777. Blank, Laurie R. 2010. Defining the Battlefield in Contemporary Conflict and Counterterrorism: Understanding the Parameters of the Zone of Combat. Georgia Journal of International and Comparative Law 39: 1–38. Borelli, Silvia. 2015. The (Mis)-Use of General Principles of Law: Lex Specialis and the Relationship Between International Human Rights Law and the Laws of Armed Conflict. In General Principles of Law – The Role of the Judiciary, ed. Laura Pineschi, 265–293. Dordrecht: Springer. Brookman-Byrne, Max. 2017. Drone Use ‘Outside Areas of Active Hostilities’: An Examination of the Legal Paradigms Governing US Covert Remote Strikes. Netherlands International Law Review 64: 3–41. Brooks, Rosa. 2013. Drones and the International Rule of Law. Ethics & International Affairs 28: 83–103. Colacino, Nicola. 2015. From Just War to Permanent Self-defense: The Use of Drones in Counterterrorism and its Questionable Consistency with International Law Standards. Ordine internazionale e diritti umani 4: 607–629. Corten, Olivier. 2016. The ‘Unwilling or Unable’ Test: Has it Been, and Could it be, Accepted? Leiden Journal of International Law 29: 777–799. Crawford, Emily. 2015. Armed Conflict, International. Max Planck Encyclopaedia of Public International Law. http://opil.ouplaw.com/view/10.1093/law:epil/9780199231690/ law-9780199231690-e429. De Sena, Pasquale. 2002. La nozione di giurisdizione statale nei trattati sui diritti dell’uomo. Torino: Giappichelli. Deeks, Ashley. 2012. ‘Unwilling or Unable’: Toward a Normative Framework for Extraterritorial Self-Defense. Virginia Journal of International Law 51: 483–550.

83

 Lubell and Derejko (2013), pp. 86–87.

Drones at War: The Military Use of Unmanned Aerial Vehicles and International Law

111

Foy, James. 2014. Autonomous Weapons Systems: Taking the Human Out of International Humanitarian Law. Dalhousie Journal of Legal Studies 23: 47–70. Frau, Robert. 2013. Unmanned Military Systems and Extraterritorial Application of Human Rights Law. Groningen Journal of International Law 1: 1–18. Gill T. D., and Fleck Dieter. 2010. The Handbook of the International Law of Military Operations. Oxford: Oxford University Press. Gioia, Andrea. 2006. Neutrality in Air Warfare. In The Law of Air Warfare. Contemporary Issues, ed. Natalino Ronzitti and Gabriella Venturini, 181–223. Utrecht: Eleven International Publishing. Heyns, Christof, Dapo Akande, Lawrence Hill-Cawtorne, and Thompson Chengeta. 2016. The International Law Framework Regulating the Use of Armed Drones. International and Comparative Law Quarterly 65: 791–827. Hollis, Duncan B. 2005. Why State Consent Still Matters – Non-State Actors, Treaties, and the Changing Sources of International Law. Berkeley Journal of International Law 23: 137–174. International Bar Association. 2017. The Legality of Armed Drones Under International Law. Background Paper by the International Bar Association’s Human Rights Institute. http://www. ibanet.org/Document/Default.aspx?DocumentUid=b0b8af88-fd20-44f8-a920-634484645113. International Institute of Humanitarian Law. 1995. In San Remo Manual on International Law Applicable to Armed Conflicts at Sea, ed. Louise Doswald-Beck. Cambridge: Cambridge University Press. Knuckey, Sarah, ed. 2014. Drones and Targeted Killings. Ethics, Law and Politics. New  York: IDEBATE Press. Kretzmer, David. 2013. The Inherent Right to Self-Defence and Proportionality in Jus Ad Bellum. The European Journal of International Law 24: 235–282. Lewis, Michael. 2012. Drones and the Boundaries of the Battlefield. Texas International Law Journal 47: 293–314. Lewis, Michael, and Emily Crawford. 2013. Drones and Distinction: How IHL Encouraged the Rise of Drones. Georgetown Journal of International Law 44: 1127–1166. Lubell, Noam. 2010. Extraterritorial Use of Force Against Non-State Actors. Oxford: Oxford University Press. ———. 2017. Fragmented Wars: Multi-Territorial Military Operations against Armed Groups. International Law Studies 93: 216–250. Lubell, Noam, and Nathan Derejko. 2013. A Global Battlefield? Drones and the Geographical Scope of Armed Conflict. Journal of International Criminal Justice 11: 65–88. MacNab, Molly, and Megan Matthews. 2010. Clarifying the Law Relating to Unmanned Drones and the Use of Force: The Relationship Between Human Rights, Self-defense, Armed Conflict, and International Humanitarian Law. Denver Journal of International Law and Policy 39: 661–694. Melzer, Nils. 2008. Targeted Killing in International Law. Oxford: Oxford University Press. Milanovic, Marko. 2011. Extraterritorial Application of Human Rights Treaties. Law, Principles and Policy. Oxford: Oxford University Press. O’Connell, Mary Ellen. 2010. The International Law of Drones. American Society of International Law Insights 37. Paulus, Andreas, and Mindia Vashakmadze. 2009. Asymmetrical War and the Notion of Armed Conflict – A Tentative Conceptualization. International Review of the Red Cross 91: 95–125. Paust, Jordan. 2010. Self-defense Targetings of Non-state Actors and Permissibility of U.S. Use of Drones in Pakistan. Journal of Transnational Law & Policy 19: 237–280. Qureshi, Waseem Ahmad. 2017. The Legality and Conduct of Drone Attacks. Notre Dame Journal of International & Comparative Law 7: 91–106. Ronzitti, Natalino. 2012. Modern Means of Warfare: The Need to Rely Upon International Humanitarian Law, Disarmament and Non-Proliferation Law to Achieve a Decent Regulation of Weapons. In Realizing Utopia. The Future of International Law, ed. Antonio Cassese, 553– 595. Oxford: Oxford University Press.

112

C. Candelmo

Ryngaert, Cedric. 2012. Clarifying the Extraterritorial Application of the European Convention on Human Rights. Merkourios. Utrecht Journal of International and European Law 28: 57–60. Saul, Ben. 2014. Terrorism and International Humanitarian Law. In Research Handbook on International Law and Terrorism, ed. Ben Saul, 208–231. Cheltenham: Edward Elgar. Schmitt, Michael N. 2010. Drone Attacks under the Jus ad Bellum And Jus in Bello: Clearing the ‘Fog of Law’. International Yearbook of Humanitarian Law 13: 311–326. Sehrawat, Vivek. 2017. Legal Status of Drones Under LOAC and International Law. Penn State Journal of Law & International Affairs 5: 164–206. Sharkey, Noel. 2011. Automating Warfare: Lessons Learned from the Drones. Journal of Law, Information & Science 21: 140–154. Tams, Christian J. 2009. The Use of Force Against Terrorists. The European Journal of International Law 20: 359–397. Valavanis, Kimon P., and J.  Vachtsevanos George, eds. 2015. Handbook of Unmanned Aerial Vehicles. Dordrecht: Springer. Wagner, Markus. 2014. Unmanned Aerial Vehicles. Max Planck Encyclopaedia of Public International Law. http://opil.ouplaw.com/view/10.1093/law:epil/9780199231690/ law-9780199231690-e2133.

Part II

The Role of Courts and Other Actors in Defining Normative Standards for Technology-Related Challenges

The EU as a Global Standard Setting Actor: The Case of Data Transfers to Third Countries Stefano Saluzzo

Abstract  The Chapter analyses the framework on the basis of which data collected in the European Union (EU) can be legitimately transferred to a third country, as well as the role of EU and national authorities in the context of the adequacy procedure. It also gives an account of recent developments in the context of data transfers, looking especially at the Schrems judgment and at the recently adopted Privacy Shield framework. The aim of the Chapter is to understand the potential role of the adequacy mechanism in the development of a common standard of fundamental rights protection, based on the concept of the EU as a normative power on the international level.

1  Introduction The history of international law offers many examples of unilateral appropriation of spaces by States. One of the most relevant cases is the emergence of England as a maritime power during the seventeenth century, which led to a redefinition of spatial orders in the dichotomy between land and sea. In the absence of precise boundaries, such as those identifying territorial sovereignty, oceans were seen at the time as a free area suitable to be controlled by means of commercial and military powers. In this context, the control of traffic and communication routes played a prominent role and envisaged the future developments of what we today call globalisation.1 Similar developments have been fostered in the last decades by the advent of the Internet and the creation of the cyberspace. In particular, the rise of digitalisation of trade has created a completely new landscape in the field of economic and commercial relations among countries, calling for an update of the existing rules. In particular, the last phase of the development of international trade has been characterised by  Vegetti (2017), p. 9.

1

S. Saluzzo (*) University of Piemonte Orientale, Alessandria, Italy e-mail: [email protected] © Springer Nature Switzerland AG 2019 E. Carpanelli, N. Lazzerini (eds.), Use and Misuse of New Technologies, https://doi.org/10.1007/978-3-030-05648-3_6

115

116

S. Saluzzo

digitalisation processes and has produced an increase in supply of goods and services across the borders.2 The movement of data around the globe is at the core of such developments, as it provides new means of sharing information, reducing costs and foster competitiveness of companies (including small and medium enterprises). Some have claimed that through data flows, globalisation has entered a new era in which digital platforms may create more efficient and transparent global markets.3 In this context, data flows are also the major enabler of the creation of big data sets,4 raising numerous questions concerning privacy and consumer protection. The International Telecommunication Union (ITU)5 has highlighted the connection between data collection throughout transmissions and the capacity to build and analyses huge amount of data, while warning against a number of challenges arising from these processes, especially in terms of heterogeneity and incompleteness in the construction of big data sets and of privacy protection in the processing of data.6 Such issues have arisen also with regard to governments’ capacities to foster security and surveillance programs through the construction of big data sets, mainly collected by relying on data transfers between private companies.7 Notwithstanding general optimistic views on the potential of data flows for international trade, many countries have started to introduce measures to restrict such flows for the need to protect their citizens’ privacy or for cybersecurity reasons. Restrictions to data flows are often considered as falling within the phenomenon of data localization, meaning any law that limits the ability of data to move globally and that prescribes the need for data to remain within the State’s territorial jurisdiction.8

 Gonzàlez and Jouanjean (2017), pp. 7–8.  Data flows would even generate more economic value than traditional trade in goods. See McKinsey Global Institute, Digital Globalisation: The New Era of Global Flows, March 2016. 4  See Kuner (2013), pp. 4–7; Davenport et al. (2012), pp. 22–23. For instance, cross-border data flows are one of the main features of cloud computing services. See, in this regard, Svantesson and Clarke (2010), p. 391. 5  The ITU is the United Nations specialized agency for information and communication technologies. Its main purposes are to maintain and extend international cooperation in the use of telecommunications of all kind, and to promote the development of technical facilities and efficacy of telecommunications services. The ITU has recently revised its International Telecommunications Regulations (ITRs), an ITU treaty adopted in 1988, with the aim of providing a comprehensive regulatory framework for Internet governance. See International Telecommunication Regulations, in Final Acts of the World Conference on International Telecommunications, Dubai, 2012. 6  See ITU, Big data—Cloud Computing Based Requirements and Capabilities, Recommendation ITU-T Y.3600, 2015, pp. 3–4. See also United Nations Conference on Trade and Development, Data Protection Regulations and International Data Flows: Implications for Trade and Development, United Nations, 2016. 7  Andrejevic and Gates (2014) and Lyon (2014). 8  See Chander and Lê (2015). For an overview of domestic data localization measures currently in place, see Information Technology Industry Council, Data Localization Measures, 19 January 2017, available at https://www.itic.org/public-policy/SnapshotofDataLocalizationMeasures119-2017.pdf. 2 3

The EU as a Global Standard Setting Actor: The Case of Data Transfers to Third…

117

This Chapter deals with the measures adopted by the EU in order to regulate the transfer of personal data collected within the Union to third States. The lack of a comprehensive multilateral framework in international law dealing with data transfers has led many countries to resort to unilateral regulatory measures in this field. However, the EU has been one of the first to adopt a specific set of rules based on the protection of personal data. The rationale behind the EU approach in the regulation of cross-border data transfers lies essentially in the need to protect the fundamental rights to privacy and data protection, today codified in the Charter of Fundamental Rights of the EU (Charter). Nevertheless, these objectives are attained only insofar as the EU is able to exercise its own market power in a normative sense, indirectly imposing certain restrictions on third countries. From this perspective, the case of the EU regulation on data transfers may constitute a bright example of the so-called “Brussels Effect”, that is the capacity of the Union to set common standards in foreign jurisdictions through unilateral regulatory measures.9

2  R  estrictions to Cross-Border Data Transfers Under EU Law International norms dealing with cross-border data flows are today limited to regional systems. In particular, the Council of Europe adopted in 1981 a Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (No. 108),10 whose Article 12 sets forth some basic rules on international data transfer. However, the original formulation of Article 12 was limited in scope, as it only applied to transfers between parties to the Convention and was expressed in negative terms, providing a general prohibition on restrictions to data flows.11 The case of data transfers to States not party to the Convention has been later regulated by the 2001 Protocol to Convention No. 108, drafted on the pattern of EU legislation.12

 Bradford (2012).  Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 28 January 1981, ETS. No. 108. 11  The only exception is provided by Article 12(3)(b), according to which a State party could prohibit the transfer of data when “the transfer is made from its territory to the territory of a nonContracting State through the intermediary of the territory of another Party, in order to avoid such transfers resulting in circumvention of the legislation of the Party referred to at the beginning of this paragraph”. 12  Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows, 8 November 2001, ETS. No. 181, Article 2: “Each Party shall provide for the transfer of personal data to a recipient that is subject to the jurisdiction of a State or organisation that is not Party to the Convention only if that State or organisation ensures an adequate level of protection for the intended data transfer”. 9

10

118

S. Saluzzo

Given the absence of a comprehensive international regime, the EU has regulated the transfer of data from the territory of its Member States towards third countries in a purely unilateral manner. Since the adoption of Directive 95/46 on the p­ rotection of personal data, the Union has set forth a complex mechanism subjecting the transfer of data collected within EU territories to strict requirements. These rules were originally provided by Articles 25 and 26 of the Directive,13 which have been recently replaced by the new General Data Protection Regulation (GDPR).14 The transfer of data from the EU to third countries is allowed under different legal bases, all of them requiring as a common feature the evaluation of the level of protection of personal data guaranteed by the legal order of the third country concerned.15 Moreover, recent developments in the case-law of the Court of Justice of the EU (CJEU) has enhanced the system protecting data transferred in third countries’ jurisdiction, due to the particular nature of data protection rights, which have acquired the status of “constitutional” rights under the Charter of Fundamental Right of the EU.16 According to Article 25 of Directive 95/46 (the content of which is essentially replicated in Article 44 of the GDPR), the first basis on which private companies can rely for transferring data collected within the EU to third countries is the so called “adequacy decision”, an implementing act adopted by the Commission. The latter issues the decision in relation to a single third State on the grounds of the level of protection afforded to personal data17 by the receiving State’s domestic legislation, which must be “adequate” according to the Directive and the Regulation. The advantages deriving from an adequacy decision for a receiving third State are multiple, but they essentially derive from the fact that the decision allows the automatic transfer of data of every natural or legal person in the EU to any natural or legal person in the territory of a third State. This mechanism constitutes a valuable  Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, in OJ L 281, p. 31. 14  Regulation (EU) 2016/678 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and of the free movement of such data, and repealing Directive 95/46/EC (General data Protection Regulation), in OJ L 119/1 [2016]. 15  Note that the protection of personal data on the Internet will be addressed in a separate but complementary regulation (so called “E-Privacy Regulation”). However, the limits to data transfers outside the EU will remain entirely disciplined by the GDPR. See COM(2017) 10 final of 10 January 2017, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications). 16  See Kokott and Sobotta (2013) and Gonzáles Fuster (2014). 17  The notion of personal data under EU law is particularly extensive and it covers the majority of data used in international online transactions. Cf. the definition of Article 4(1) of the GDPR; see also recently Case C-582/14 Patrick Breyer, judgment of 19 October 2016, EU:C:2016:779. Even if businesses activities may rely on the exchange of non-personal data, the relevance of personal data transfers between companies for global trade is extensively acknowledged in the literature. See e.g. Esteve (2017), p. 36. 13

The EU as a Global Standard Setting Actor: The Case of Data Transfers to Third…

119

i­nstrument to enhance cross-border supply of goods and services not only for big companies but also for small and medium enterprises. EU Member States, in fact, are obliged not to impede data flows from their territory once the adequacy decision is adopted in relation to a certain country.18 Besides the adequacy decision, the Directive sets forth other legal bases for transferring data outside the EU territory, then replicated in the new GDPR in a more detailed manner. Article 46 of the GDPR provides for a number of safeguards allowing the transfer of data outside the EU in cases where an adequacy decision is lacking. The most relevant of them are the model contract clauses: these are protection clauses drafted and adopted by the Commission that have to be included in a contract providing for a transfer of data between controllers or between controllers and processors.19 The role of the Commission entails a presumption of conformity of these clauses (and, thus, of transfers based on them) with EU law,20 even if the connected obligations can be particularly onerous for companies.21 Amongst other instruments, companies may also rely on binding corporate rules, a set of provisions legally binding for all entities constituting the enterprise.22 However, they may only be used for transferring data within the same company group.23 Finally, under Article 49, single transfer operations are legitimate when one of the derogations listed by the provision applies. The first and most relevant is the express consent of the data subject to the transfer operation, a consent that can be  The GDPR also includes the possibility to assess the adequacy of a portion of the territory or of a specific sector of a third country. 19  See in particular Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC, in OJ L 181, p. 19 (amended by Commission Decision C(2004) 5271); Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, in OJ L 39, p. 5. According to Article 46(2)(d) of the GDPR, cross-border transfers of data may also take place on the basis of model clauses adopted by single EU Data Protection Authorities in compliance with the GDPR. 20  However, model contract clauses are currently under the scrutiny of the Court of Justice for their alleged contrast with Articles 7 and 8 of the Charter of Fundamental Right of the EU. See Irish Data Protection Commissioner, Update on litigation involving Facebook and Maximilian Schrems. Explanatory Memo, available at https://www.dataprotection.ie/docs/16-03-2017-Update-on-Litigation-involving-Facebook-and-Maximilian-Schrems/1598.htm. 21  For instance, in terms of applicable law and of attribution of responsibility in cases of data breach. 22  Article 47 of the GDPR specifies the structure and the content binding corporate rules must present in order to be considered compatible with the data protection regime. Other grounds are available for justifying the transfer of data outside the EU, but they deal with rather specific situation (such as an agreement between public authorities, an approved code of conduct or an approved mechanism of certification) and they are only valuable for single transfer operations. 23  On binding corporate rules see Bender and Ponemon (2006), p. 154. See also Article 29 Data protection Working Party, Working Paper. Transfers of Personal Data to Third Countries: Applying Article 26(2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers, 11638/02/EN, WP74, 3 June 2003; Id., Explanatory Document on the Processor Binding Corporate Rules, 00658/13/EN, WP204, 19 April 2013 (revisited on 22 May 2015). 18

120

S. Saluzzo

particularly difficult to obtain in relation to subsequent and unforeseeable transfers between different companies. Other cases are related to transfers of data necessary for the performance of a contract between the data subject and the controller or of a contract concluded between the controller and another entity in the interest of the data subject. All remaining derogations refer to exceptional situations, such as reasons of public interest, the establishment and the defense of legal claims and the need to protect a vital interest of the data subject or of other persons. As it is evident, in these situations the legal basis allows for single transfers of specific personal data and they do not entail the commercial and economic advantages offered by an adequacy decision.

3  The Adequacy Assessment As already mentioned, the adequacy decision adopted by the Commission under Article 45 GDPR allows the automatic transfer of data for commercial purposes from the Union to a third country whose data protection system has been deemed “adequate”. In the evaluation of the adequacy of protection offered by the third country concerned, the Commission can take into consideration a number of factors deriving from the third country’s legislation and administrative procedures, as well as the international commitments the third country concerned has entered into, especially those on the protection of human rights.24 Since the very beginning, however, the standard of adequacy, already enshrined in Article 25 of Directive 95/46, has posed several problems in terms of its concrete meaning. Some of these issues have been recently dealt with by the CJEU in the Schrems case.

3.1  The Schrems Judgment and the New Privacy Shield On the basis of Article 25 of the Directive, the Commission adopted in 2000 a decision in relation to the United States, acknowledging the adequacy of the so called Safe Harbour.25 The latter consisted of seven principles US companies could commit in order to receive data collected by EU-based companies. The Schrems judgment originated from a claim submitted to the Irish Data Protection Commissioner by an Austrian national against Facebook in the wake of the Snowden revelations on a mass surveillance program conducted by the US National Security Agency (NSA)  A detailed list of elements forming the object of the adequacy assessment can be found in Article 45(2)(a), (b) and (c). 25  Commission Decision 2000/520/EC of July 26 2000, pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, OJ L 215/7. 24

The EU as a Global Standard Setting Actor: The Case of Data Transfers to Third…

121

through the use of data collected in Europe by private companies. In its preliminary reference decision, the Court clarified two fundamental aspects of the adequacy mechanism.26 First, the Court intervened on the role of national supervisory authorities, recognizing their power to scrutinize “with all due diligence” the legitimacy of an adequacy assessment adopted by the Commission and eventually to bring a challenge against the decision before a national court,27 that will be able to make a preliminary reference to the CJEU.28 The Court, however, has also confirmed that until the Commission’s decision is not declared invalid, Member States are precluded from adopting acts contrary to that decision. In this perspective, the adequacy assessment is an exclusive competence of the Commission.29 The main findings of the Court are related to the invalidity of the Commission’s adequacy decision in the light of Articles 7, 8 and 47 of the Charter. The evaluation of the Court starts from the interpretation of the adequacy standard and of the elements the Commission has to take into account when assessing the protection offered by a third country to data collected in the Union. The Court made clear that the term “adequate” cannot be interpreted as requiring on the part of the third country concerned a level of protection identical to that provided by EU law. Indeed, in the Court’s view adequacy means that the level of protection of fundamental rights and freedoms must be “essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter”.30 In assessing the validity of the Safe Harbour decision, the Court has then recognized that a system of self-certification is not necessarily incompatible with EU law standards, but it must provide sufficient guarantees in terms of effectiveness and enforcement at the domestic level. The focus of the Court’s reasoning, however, lies in the derogations provided by the Safe Harbour Framework to the principles established therein, according to which US national authorities retained a wide power of accessing data received from EU-based companies for national security and law enforcement purposes. According to the judgment, such derogations were formulated in a way that constituted an indiscriminate and disproportionate interference of US agencies in fundamental rights of subjects whose data have been transferred to the US.31 The declared invalidity of the Safe Harbour led the Commission to negotiate a new framework to allow the transfer of data collected in the EU to US companies. These efforts have resulted in the adoption by the US Department of Commerce of  On the Schrems case see Azoulai and van der Sluis (2016) and Kuner (2017).  Case 362/14 Maximilian Schrems v. Data Protection Commission, judgment of 6 October 2015, EU:C:2015:650, paras. 64–65. 28  Whose competence on the validity of EU acts is exclusive. See Case 314/85 Foto-Frost, judgment of 22 October 1987, EU:C:1987:452, paras. 15–20. 29  Schrems case cit., para. 52. 30  Ibid., para. 73. 31  Ibid., paras. 91–95. The Court also identified a violation of Article 47 of the Charter, due to the lack in the US system of a proper judicial redress mechanism in the case of violations of data protection rights attributable to public agencies. 26 27

122

S. Saluzzo

a new system of self-certification based on the Privacy Shield principles. In 2016, the Commission has recognized the adequacy of this new framework,32 also in the light of recent amendments adopted in the US legislation with regard to data protection in the context of public authorities activities.

3.2  A  Fundamental Rights Framework for Assessing Adequacy The construction offered by the CJEU of the adequacy assessment will have major consequences both at the internal and at the external plane of the EU legal order. Indeed, it is now clear that the adequacy decision is based on a standard of equivalence of the level of protection, whose legal parameters flow directly from the Charter of Fundamental Rights. In other words, the Commission will have to evaluate whether the third country’s legislation offers a level of protection compatible with the standards of EU primary law. This also entails a remarkable restriction of the margin of discretion of the Commission. In fact, the adequacy assessment is conceived as a comparative evaluation between the level of protection offered by EU law and the one offered by the third country. In this context, the construction of the adequacy test as an equivalence test inevitably reduces the possibility of taking into consideration the peculiarities of a given domestic framework.33 In this perspective, it is necessary for the third country concerned to demonstrate that its system offers guarantees of privacy and data protection comparable to that of EU law in terms of effectiveness. This assessment will of course include also the verification of limits imposed on fundamental rights protection in the third country and their legitimacy in the light of EU primary law. In fact, the Court has made clear that a legislation “permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter”.34 Moreover, it has highlighted that derogations to fundamental rights cannot be deemed strictly necessary when they authorize, on a generalized basis, the storage of all the personal data of all the persons whose data has been transferred from the European Union to a third country “without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes  See Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield, OJ L 207/1 [2016]. 33  Kuner (2017), pp. 900–901, highlighting that such a task is all the more difficult for national data protection authorities and individuals willing to challenge an adequacy decision adopted by the Commission. 34  Schrems case cit., para. 94. 32

The EU as a Global Standard Setting Actor: The Case of Data Transfers to Third…

123

which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail”.35 Finally, under Article 47 of the Charter, the third country’s legislation must also provide for adequate judicial remedies in cases of violation of privacy and data protection rights. The findings of the Court in the Schrems case are perfectly in line with its previous case-law on derogations to fundamental rights,36 today also enshrined in Article 52 of the Charter.37 This kind of construction is developed on the basis of one major concern, namely the need to avoid that guarantees provided by EU law as regards personal data are circumvented by the transfer of such data outside the legal space of the Union. Such a system will of course strengthen the protection of data in foreign jurisdictions together with the negotiating power of the Commission, but will also be difficult to justify, especially in political terms, in the eyes of third countries.

4  T  he Adequacy Assessment in Data Transfers for Non-­commercial Purposes Data transfers from one country to another do not only serve commercial purposes and they are not limited to partnerships between private companies. Indeed, the exchange of data between public authorities has gained more and more relevance in the field of police and judicial cooperation in criminal matters. However, the adequacy mechanism has remained for a long time confined to the commercial sector. More than a decade after the adoption of Directive 95/46, EU law started to regulate data protection rights in the context of criminal and police cooperation. The Framework Decision 2008/977 on data protection in criminal and police cooperation matters allowed Member States to transfer data to public authorities of  Ibid., para. 93.  See, especially as regards privacy and data protection rights, Joined Cases 293/12 and 594/12 Digital Rights Ireland and Others, judgment of 8 April 2014, EU:C:2014:238, para. 52. See more recently Joined Cases C-203/15 and C-698/1521 Tele2 Sverige AB and Watson, judgment of 21 December 2016, EU:C:2016:970; Court of Justice, Opinion 1/15, 26 July 2017, ECLI:EU:C:2917:592. See also Article 29 Data Protection Working Party, Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees), 13 April 2016. 37  According to Article 52 of the Charter “Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others”. See generally Lenaerts (2012), p. 375; Peers and Prechal (2014), p. 1455. A similar construction of derogations to fundamental rights has been developed by the case-law of the European Court of Human Rights. See recently Roman Zakharov v Russia (App. No. 47143/06), ECtHR, Grand Chamber, judgment of 4 December 2005; Bărbulescu v. Romania (App. No. 61496/08), ECtHR, Grand Chamber, judgment of 12 January 2016. 35 36

124

S. Saluzzo

third countries only under certain requirements. More specifically, the transfer must be “necessary for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties”, while the third country concerned shall provide safeguards which are deemed adequate by the transferring Member State according to its national law”.38 However, the Framework Decision was only applicable to data a Member State received by another Member State and did not mention the case of data transfers to third countries.39 Member States remained free to exchange such data with a third country without having the duty to assess the level of protection offered by the receiving State.40 An adequacy test was introduced for specific agencies dealing with police and criminal cooperation, such as Europol and Eurojust. Yet, the content of this adequacy procedure remained highly unclear and in most cases exchange of data between these agencies and foreign public authorities has been justified on the basis of exceptional circumstances.41 Moreover, these procedures were not meant to impact on the competences retained by Member States with regard to data transfer to a third country. With the adoption of Directive 680/2016 on data protection in the police and justice sectors, an adequacy procedure has been specifically introduced for the transfer of data to third country or to an international organization by Member States’ public authorities.42 The Directive sets forth a detailed list of requirements that must be met in order to proceed with the transfer of data to public authorities in a third country. Under Article 35, the transfer must serve the purposes of “prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security” and the receiving authority must be competent for such purposes. Moreover, when data have been collected by another Member State and then exchanged with the sending Member State, the former has to give its prior authorization to the transfer to a third country. The elements that the Commission has to take into account in assessing the adequacy of data protection in a given third country are by large similar to those listed  See Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, OJ L 350/60 [2008], art. 13. 39  Council Framework Decision 2008/977, Article 1(2). 40  De Busser (2017), p. 624. 41  See Council Decision of 27 March 2000 authorising the Director of Europol to enter into negotiations on agreements with third States and non-EU related bodies—Council declaration concerning the relations between Europol and third States and non-European Union-related bodies—Council declaration concerning the priority to be given to third States and non-European Union-related bodies, OJ C106/1 [2000]. 42  Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L119/89 [2016]. 38

The EU as a Global Standard Setting Actor: The Case of Data Transfers to Third…

125

by Article 45 of the GDPR. One might wonder, then, whether a single adequacy assessment by the Commission would be sufficient to cover data transfers both for commercial and for non-commercial purposes. A closer look at the two procedures seems to exclude such a possibility. First of all, it is worth recalling that adequacy assessments in both the GDPR and the Directive may also cover only part of the territory of a third country or a specific sector. This means that an adequacy assessment conducted for commercial purposes do not necessarily cover the same territory or sector in relation to which a transfer for non-commercial purposes is needed. Moreover, Directive 680/2016 states that, amongst the relevant factors of an adequacy procedure, the Commission “should also take into account any relevant Commission adequacy decision adopted in accordance with Article 45 of Regulation (EU) 2016/679”.43

5  A  dequate Protection in the Context of National Security Exceptions: The Case of Onward Transfers The guarantees provided by new EU law instruments in the case of transfers outside the Union certainly constitute a major development in the protection of fundamental rights related to personal data. However, some concerns arise when looking at the precise material scope of application of the GDPR and Directive 680/2016. None of the two addresses the issue of data transfers in the context of national security and intelligence activities.44 This is not surprising, given that national security is qualified under Article 4(2) TFEU as an exclusive competence of the Member States. However, distinguishing the purposes for which data have been collected and transferred can be particularly difficult, especially for the fact that in other countries outside the EU the difference between law enforcement and intelligence activities is often blurred. This may ultimately produce some gaps in EU legislation and help escaping obligations deriving from EU law by means of a transfer outside the Union. These risks are particularly evident in the case of onward transfers, that is operations involving the re-export of data received from one country to another third country.

 See Recital 68 of Directive 680/2016.  Under recital 16 the GDPR “does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security” and to “the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union”. Recital 14 of the Directive 680/2016 expressly excludes national security activities from the scope of application of the Directive. 43 44

126

S. Saluzzo

5.1  Onward Transfers Under EU Law The entire mechanism regulating data transfers outside the Union’s territory focusses on the first transfer operation and, in particular, it takes into consideration the level of protection afforded to data collected in the EU by the first country of destination. The issue raised by onward transfers necessarily derives from this element and it requires an assessment of how the extension of protection of data leaving the EU can also apply to third countries of subsequent destination. Onward transfers, in fact, might potentially involve a considerable number of different jurisdictions and they risk producing a lowering in the protection guaranteed to transferred data once they leave the first country of destination to be re-transferred. In the Convention No. 108 of the Council of Europe, onward transfers to countries not party to the Convention (and thus not subject to the level of protection provided by it) are considered with a certain degree of suspicion. Indeed, they can be prohibited by the contracting party if there is the risk that they might be used for circumventing the rules of the Convention itself.45 The Directive 95/64 was silent on the matter and, as we shall see, the issue had been addressed at the time on a case-by-case basis, especially leaving the burden of the regulation of onward transfers on the receiving State. In the GDPR, however, the European legislator has inserted a reference to onward transfers, whose concrete effects need peculiar attention. According to Article 44 of the GDPR, any transfer of data outside the EU shall take place only if: the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.46

At a first glance, it would seem that EU law should regulate also the case of onward transfers, at least by equating the level of protection of re-transferred data to the one required for the first transfer operation. And yet, a closer look at other provisions of the GDPR reveals that this is not properly the case. Indeed, Article 45, dealing with transfers based on an adequacy decision, only refers to rules on onward transfers when identifying the elements that the Commission has to consider when assessing the level of protection afforded by a  See Convention No. 108, Article 12(3)(b), according to which parties to the Convention are entitled to derogate form the obligation dealing with free data transfers “when the transfer is made from its territory to the territory of a non-Contracting State through the intermediary of the territory of another Party, in order to avoid such transfers resulting in circumvention of the legislation of the Party referred to at the beginning of this paragraph”. 46  Recital 101 of the GDPR highlights the rationale for including the reference to onward transfers in the opening provision of the chapter dedicated to data transfers: “[…] when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation”. 45

The EU as a Global Standard Setting Actor: The Case of Data Transfers to Third…

127

third country. In this context, rules on onward transfers are not provided by the EU but by the country of destination and they can only be scrutinized by the Commission amongst all the other aspects of the adequacy assessment. This seems to imply that country of destination’s rules on onward transfers have not to provide necessarily the same level of protection of data of the one afforded by the EU, but they can contribute to the general assessment by the Commission as far as this level of protection is concerned. This, however, may also reduce the relevance that onward transfers regulations may have in the Commission’s determinations, since they can be balanced with other aspects of the third country’s national system of protection. This is particularly true as far as the nature of these rules is at stake. In fact, as already observed, even if the level of protection shall be the “essentially equivalent” in the country of destination, this does not mean that the letter has to enact a legislation which is identical to that of the EU in order to meet such requirement. Thus, one can assume that the provision does not prescribe the third country to regulate onward transfers of data in the same way as the EU regulates first transfer operations. The relevance of onward transfers in the adequacy assessment, however, seems confirmed by the practice of the Commission. In a number of cases, the latter has requested the third country to expressly regulate the case of onward transfers as a condition for receiving an adequacy determination. This is for instance the case for Canada and United States adequacy decisions.47 As far as onward transfers in police and criminal cooperation matters are concerned, the new Directive 680/2016 provides a procedure which to a certain extent mirrors the one set forth in the GDPR. Article 35 of the Directive, in fact, specifies that even in the case of transfers based on an adequacy decision the competent authority that carried out the original transfer or another competent authority of the same Member State authorises the onward transfer, after taking into due account all relevant factors, including the seriousness of the criminal offence, the purpose for which the personal data was originally transferred and the level of personal data protection in the third country or an international organisation to which personal data are onward transferred.

Provisions on onward transfers can also be found in international agreements concluded by the EU in the field of police and judicial cooperation in criminal matters. Some of them have undergone several developments, especially after the Court of Justice annulled the one concluded with the US in 200648 and declared the one concluded with Canada incompatible with EU fundamental rights in the recent

 See Commission Decision 2002/27/EC of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act; Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield. 48  Case C-317/2004, Parliament v. Council, judgment of 30 May 2006, EU:C:2006:346. 47

128

S. Saluzzo

Opinion 1/15 of July 2017.49 In the latter, the Court made clear that agreements on exchange of data with third countries’ authorities must be compatible with the standard of the Charter, the same standard the Commission has to apply in conducting the adequacy assessment. Although no issue regarding onward transfers was raised in these proceedings, this would not mean that onward transfer operations are irrelevant in this context. The recent EU-US PNR agreement, for instance, has a detailed provision on onward transfers of PNR data to third countries, as it requires that such transfers “shall occur pursuant to express understandings that incorporate data privacy protections comparable to those applied” to the EU and the US by means of the agreement.50 A similar mechanism is provided in other PNR agreements, such as that concluded by the EU with Australia in 2012.51 Another example is to be found in the so-called EU-US Umbrella Agreement, the aim of which is to enhance the exchange of personal data between the EU and the US in relation to the prevention, investigation, detection or prosecution of serious criminal offences, including terrorism.52 Article 7 of the Umbrella Agreement sets forth certain requirements for onward transfers, which are allowed only in so far as the original sending authority has consented to them. The first sending authority has to take into account whether the third country of destination of the onward transfer ensures “an appropriate level of protection to personal information” and it may also request that the transfer be subjected to further conditions. These rules are to be read in conjunction with the principles enshrined in the agreement, covering any type of data transfer and especially that of the purpose limitation under Article 6.53 Interestingly, then, Article 7 also has an “external” consequence for the parties to the agreement. In fact, while the above-mentioned mechanism applies to single onward transfers in relation to a specific judicial case, in order to proceed with more general flows of data to third countries (“other than in relation to specific cases”) in the form of onward transfers the parties have to  Opinion 1/15 cit. See in particular paras. 95–104, where the Court recognised that, given the close interconnection between crime prevention and data protection, the PNR agreement with Canada should be based on both Article 16(1) and Article 87(2) of the TFEU. 50  Agreement between the United States of America and the European Union on the use and transfer of passenger name records to the United States Department of Homeland Security, OJ L 215/5 [2012], Article 17. 51  Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service, OJ L 186/4 [2012], Article 19. 52  Council Decision (EU) 2016/2220 of 2 December 2016 on the conclusion, on behalf of the European Union, of the Agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences. The purpose of the agreement is outlined in Article 1. 53  Article 6(1) of the Agreement limits the transfer of personal information to “specific purposes authorized by the legal basis for the transfer (…)”, while Article 6(5) adds that the processing must be conducted “in a manner that is directly relevant to and not excessive or overbroad in relation to the purposes of such processing”. The protection is enhanced by the possibility under Article 14(2) to discontinue the transfer when purpose limitation or onward transfer conditions are not complied with. 49

The EU as a Global Standard Setting Actor: The Case of Data Transfers to Third…

129

c­ onclude a separate international agreement with specific conditions and “due justifications” for onward transfers operations.54 This essentially entails a limitation of the parties’ treaty-making power, in order for them to ensure consistency of their international action in the field of criminal cooperation and, at the same time, not to elude the protection afforded originally by the Umbrella Agreement. A softer regulation for onward transfers is to be found in the 2010 Agreement on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program.55 The possibility for the US to re-transfer data to other authorities in third countries or to international organizations is subject to the consent of the competent authority in one of the EU Member States, but only when the data belongs to a EU citizen or to a EU resident.56

5.2  Onward Transfers in the New Privacy Shield The complexity of regulating the case of transfers for non-commercial purposes, especially when dealing with national security exceptions, is exemplified by the new Privacy Shield framework adopted by the US.  As already mentioned, the Privacy Shield is not an international agreement, but—as the previous Safe Harbour—it is composed of a series of unilateral acts adopted by the Commission and by the US government aimed at regulating the transatlantic flows of data between private companies. It consists of a number of Principles to which US companies may voluntarily accede in order to obtain a certification by the US Federal Trade Commission and, consequently, to receive data collected in the territory of the EU.  Private companies undertaking the commitments enshrined in the Privacy Shield are also subject to various instrument of compliance and enforcement. The Privacy Shield regulates the case of onward transfers by means of the “Accountability for Onward Transfers Principle”. According to the Principle, a US company wishing to re-transfer the data received from the EU to a third country has to conclude with the subsequent importer (a controller in this case) a contract by means of which the latter undertakes the obligation to use the data for a specific and defined purpose and to guarantee a level of protection equivalent to that provided by the Privacy Shield. Similar rules are provided when onward transfer occurs between a US company and an organisation acting as its agent in a third country, even if in this case a contractual ad hoc regime is not required.  EU-US Umbrella Agreement, Article 7(3). The EDPS has warned against the risk of this situation as a potential case of bulk transfer of personal data. See European Data Protection Supervisor, Opinion 1/2016, Preliminary Opinion on the agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection and prosecution of criminal offences, 12 February 2016, p. 12. 55  Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program, OJ L 195/5 [2010]. 56  Ibid., Article 7. 54

130

S. Saluzzo

If one assumes that the level of protection afforded by the Privacy Shield is essentially equivalent to that of the EU—as acknowledged by the Commission— that same level is guaranteed to EU data transferred in third country through the Accountability for Onward Transfer Principle. However, this scenario shows a progressive shift in the nature of the sources used to afford such a protection. The entire regime, in fact, is left to the contractual terms negotiated between the first receiver and the second one, with no mention as to the level of protection guaranteed by the national system of the third country involved in the onward transfer. Indeed, no adequacy assessment is deemed necessary in relation to subsequent third countries of destination, being it sufficient the transit across the US through the collection conducted by a US company. It is noteworthy that a system which originates in the regulatory power of the Commission (and the US government as well) such as the Privacy Shield turns in this case to the contractual capacity of private parties. This approach, which to a certain extent resembles the one followed for model clauses, has of course a number of consequences in terms of applicable law, responsibility and enforcement. It is not unlikely for a conflict to arise between different regulations due to the fact that the processing of personal data in EU is subject entirely to EU law, while the Privacy Shield principles are considered as being part of US law. At the time of the Safe Harbour, for instance, some DPAs in Europe took the position that onward transfers from the US must still have a legal basis in EU Member States national law (and in the GDPR in the future) and have to comply with EU data protection rules, such as the proportionality requirement.57 Today, Principle 1(7) of the Privacy Shield makes clear that: US law will apply to questions of interpretation and compliance with the Principles and relevant privacy policies by Privacy Shield organizations, except where such organizations have committed to cooperate with European data protection authorities.58

The statement, however, is not capable of solving all the issues arising from the potential clash of different applicable laws and this is especially so after the entry into force of the GDPR. The extended territorial reach of the Regulation, enshrined in its Article 3, may in fact subject Privacy Shield organizations also to the regime of EU data protection law.59 Furthermore, also third countries’ organizations having received EU data by means of onward transfers may face an overlap between the legal regime provided in the contract and the one set forth by EU law, provided that their activities fall within the territorial scope of application of the GDRP.60

 See in this regard Kuner (2009), p. 4.  See Commission Implementing Decision (EU) 2016/1250, Annex II—EU-U.S. Privacy Shield Principles issued by the U.S. Department of Commerce. 59  On the territorial application of the GDPR see the Chapter of A. Miglio in this volume. See also De Hert and Czerniawski (2016), p. 230; Gömann (2017), p. 567. 60  This is further complicated by the fact that, from the standpoint of EU enforcement procedures, the GDPR can be considered as enshrining overriding mandatory provisions in the sense of conflict of laws. See Brkan (2016), pp. 333–334. 57 58

The EU as a Global Standard Setting Actor: The Case of Data Transfers to Third…

131

Some of these problems have been overcome by the more detailed regulation of the Privacy Shield, whose rules on onward transfers must be read in conjunction with other Principles, such as the one on Notice and the one on Choice.61 According to these provisions, data subjects can object the onward transfer and, in the case of sensitive data, their consent is required. Moreover, Principle 7 has also introduced a presumption of responsibility for US companies in cases of breaches of rules on onward transfers, although it is solely applicable to the case of onward transfers to third parties acting as agents of a US-based organisation.62 A relevant issue, which has gained attention after the adoption of the Privacy Shield is that of the applicable legal framework to onward transfers of data that are subsequently accessed by third countries’ public authorities. Different scenarios can be identified: first, a US organization may re-transfer data to private companies in third countries which do not provide strict rules on access to data by public authorities; alternatively, there can be situations in which a US agency accedes data transferred by the EU to a US company and then re-transfers those data to a third country agency, in the framework of a judicial or intelligence cooperation mechanism. As regards the first scenario, according to the Article 29 WP, rules on onward transfers are applicable as well, and they would oblige the US organization willing to re-transfer EU data to take into account not only the general level of protection, but also domestic rules on access to data by public agencies and to evaluate the risk to which data subjects are exposed due to the onward transfers.63 Far more complex appears the second situation, in which a US public agency transfers data received by a US private company on the basis of the Privacy Shield to a foreign administration. In this context, the onward transfer occurs entirely between public authorities, but the original collection and transfer have been realized between private parties. One could maybe rely on the rules on onward transfers provided in the already mentioned EU-US Umbrella Agreement, although this would require an application by analogy, given that the data have not been originally transferred by a EU public authority. Moreover, it is unclear whether the Umbrella Agreement covers also exchange of data for intelligence purposes or it is instead limited—as it seems—only to judicial assistance in criminal matters. This analysis seems to demonstrate that, notwithstanding the recent efforts and reforms, the case of transfers and access to data in a foreign territory based on national security exceptions is still problematic. It is likely that regulatory gaps in  See Commission decision on the adequacy of the Privacy Shield, Recital 22.  See Commission decision on the adequacy of the Privacy Shield, Annex II, EU-U.S.  Privacy Shield Framework Principles Issued by the US Department of Commerce, Principle 7(d): “In the context of an onward transfer, a Privacy Shield organization has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. The Privacy Shield organization shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage”. 63  Article 29 Working Party, Opinion 01/2016 on the EU-US Privacy Shield draft adequacy decision, WP 238, 13 April 2016, para. 2.2.3. 61 62

132

S. Saluzzo

this area may create convenient loopholes in order to evade obligations deriving from data protection regulations. At the same time, the adequacy procedure may be useful only to a limited extent. In fact, the Union lacks the necessary competence to compel Member States to a certain standard when they exchange data with third countries for intelligence purposes. Moreover, it has proven extremely difficult for the Commission to assess the concrete adequacy of foreign national measures dealing with public agencies’ intelligence powers.64 Nonetheless, the lack of EU competences in the field of national security must not be considered as an absolute obstacle. Member States are still bound to respect EU fundamental rights when they implement EU law. Transfer of data falling under the scope of EU data protection rules—as those operated by EU private companies—are also covered by the Charter. This entails an obligation upon Member States to ensure that the Charter is respected even when data are transferred by private companies outside the Union for the purpose of intelligence activities.65

6  Conclusive Remarks In the late nineties, international relations theory started to describe the EU as a normative power on the international plane. In the words of Rosecrance, “Europe’s attainment is normative rather than empirical (…). It is perhaps a paradox to note that the continent which once ruled the world through the physical impositions of imperialism is now coming to set world standards in normative terms”.66 Few years later, Manner argued that EU constitutional norms represented crucial constitutive factors determining its international identity.67 The analysis conducted in the present contribution has tried to demonstrate that the adequacy procedure can be a useful tool not only for the protection of fundamental rights within the EU legal order, but also for the action of the Union as a global standard-setting actor. Through the adequacy requirement, the EU is capable of influencing standards of protection in foreign jurisdictions and of acquiring a leading role in the development of a global framework for cross-border data flows. In this sense, it has shown its ability to produce the so-called “Brussels Effect”, that is shaping the legal order of foreign countries by means of the exercise of a unilateral regulatory power.68 In the context of data protection standards, this approach has been criticized for creating the “exalting illusion” that the EU can protect data transfers on a global

 See Article 51 of the Charter. On the scope of application of the Charter with regard to Member States see Craig and de Búrca (2015), pp. 410–419; Fontanelli (2014), p. 193. 65  Kuner (2017), pp. 895–896. 66  Rosecrance (1998), p. 22. 67  Manner (2002), p. 241. 68  Bradford (2012), p. 3. 64

The EU as a Global Standard Setting Actor: The Case of Data Transfers to Third…

133

basis.69 It is certainly true that one should not put too much emphasis on the results of such instruments. Regulatory gaps may always exist, particularly when the action of the legislature is constrained by competence limitations. These gaps are likely to emerge especially at the moment of enforcement of data protection rights. However, this does not rule out the possibility for the Union to take a clear stance as regards cross-border data flows, given their relevance for both fundamental rights protection and development of global markets. EU regulation of data transfers may draw strength in terms of effectiveness from a series of factors that cannot be underestimated. The combination of objectives pursued by EU regulation, namely the protection of fundamental rights, and the market power the Union can exercise in this field will guarantee a prominent role for the EU in the struggle for common global standards on data protection.

References Andrejevic, Mark, and Kelly Gates. 2014. Big Data Surveillance: Introduction. Surveillance & Society 12: 185–196. Azoulai, Löic, and Marijn van der Sluis. 2016. Institutionalizing Personal Data Protection in Times of Global Institutional Distrust: Schrems  – Case C-362/14, Maximillian Schrems v. Data Protection Commissioner, Joined by Digital Rights Ireland, Judgment of the Court of Justice (Grand Chamber) of 6 October 2015, EU:C:2015:650. Common Market Law Review 53: 1343–1372. Bender, David, and Larry Ponemon. 2006. Binding Corporate Rules for Cross-Border Data Transfers. Rutgers Journal of Law and Urban Policy 3: 154–171. Bradford, Anu. 2012. The Brussels Effect. The Northwestern University Law Review 107: 1–68. Brkan, Maja. 2016. Data Protection and Conflict-of-Laws: A Challenging Relationship. European Data Protection Law Review 3: 324–341. Chander, Anupam, and Uyên P. Lê. 2015. Data Nationalism. Emory Law Journal 64: 677–739. Craig, Paul, and Gráinne de Búrca. 2015. EU Law. Text, Cases and Materials. Oxford: Oxford University Press. Davenport, Thomas H., Paul Barth, and Randy Bean. 2012. How ‘Big Data’ Is Different. MIT Sloan Management Review 54: 22–24. De Busser, Els. 2017. Adequate Transatlantic Data Exchange in the Shadow of the NSA-Affair. In Privacy and Power, ed. Russell A. Miller, 615–639. Cambridge: Cambridge University Press. De Hert, Paul, and Michal Czerniawski. 2016. Expanding the European Data Protection Scope Beyond Territory: Article 3 of the General Data Protection Regulation in Its Wider Scope. International Data Privacy Law 6: 230–243. Esteve, Asunción. 2017. The Business of Personal Data: Google, Facebook, and Privacy Issues in the EU and the USA. International Data Privacy Law 7: 36–47. Fontanelli, Filippo. 2014. The Implementation of European Union Law by Member States Under Article 51 of the Charter of Fundamental Rights. Columbia Journal of European Law 20: 193–247.

 Kuner (2017), p. 910. See also Severson (2015), according to whom some of the reforms adopted in the US after the Datagate have offered only a “cosmetic change”, although the new adequacy decision by the Commission on the Privacy Shield also gave account of such developments in the US domestic legislation. 69

134

S. Saluzzo

Gömann, Merlin. 2017. The New Territorial Scope of EU Data Protection Law: Deconstructing a Revolutionary Achievement. Common Market Law Review 54: 567–590. Gonzáles Fuster, Gloria. 2014. The Emergence of Personal Data Protection as a Fundamental Right of the EU. Heidelberg: Springer. Gonzàlez, Javer López, and Marie-Agnes Jouanjean. 2017. Digital Trade: Developing a Framework for Analysis. OECD Trade Policy Papers, No. 205. Kokott, Juliane, and Chritoph Sobotta. 2013. The Distinction Between Privacy and Data Protection in the Jurisprudence of the CJEU and the ECtHR. International Data Privacy Law 3: 222–228. Kuner, Christopher. 2009. Onward Transfer of Personal Data Under the U.S.  Safe Harbour Framework. Privacy and Security Law Report: 1–6. ———. 2013. Transborder Data Flows and Data Privacy Law. Oxford: Oxford University Press. ———. 2017. Reality and Illusion in EU Data Transfer Regulation Post Schrems. German Law Journal 18: 881–918. Lenaerts, Koen. 2012. Exploring the Limits of the EU Charter of Fundamental Rights. European Constitutional Law Review 8: 375–403. Lyon, David. 2014. Surveillance, Snowden and Big Data: Capacities, Consequences, Critique. Big Data and Society 2: 1–13. Manner, Ian. 2002. Normative Power Europe: A Contradiction in Terms? Journal of Common Market Studies 40: 235–258. Peers, Steve, and Sacha Prechal. 2014. Article 52  – Scope of Interpretations of Rights and Principles. In The EU Charter of Fundamental Rights, ed. Steve Peers, Tamara Hervey, Jeff Kenner, and Angela Ward, 1455–1522. Oxford: Beck/Hart Publishing. Rosecrance, Richard. 1998. The European Union: A New Type of International Actor. In Paradoxes of European Foreign Policy, ed. Jan Zieloka, 15–23. The Hague: Kluwer Law International. Severson, Daniel. 2015. American Surveillance of Non-U.S. Persons: Why New Privacy Protection Offer Only Cosmetic Change. Harvard International Law Journal 56: 465–514. Svantesson, Dan, and Roger Clarke. 2010. Privacy and Consumer Risks in Cloud Computing. Computer Law and Security Review 26: 391–397. Vegetti, Matteo. 2017. L’invenzione del globo. Spazio, potere, comunicazione nell’epoca dell’aria. Torino: Giulio Einaudi Editore.

The Passenger Name Record Case: Profiling Privacy and Data Protection Issues in Light of CJEU’s Opinion 1/15 Valentina Nardone

Abstract  On 26 July 2017 the Court of Justice of the European Union issued Opinion 1/15 on the compatibility with EU fundamental rights of the draft agreement between the European Union and Canada on the transfer of Passenger Name Record data. In particular, it is the first ruling concerning the compatibility of a draft international agreement with the EU Charter of Fundamental Rights, notably with its Articles 7 and 8, on the right to respect for private life and the right to the protection of personal data. The Opinion, which found a profound incompatibility between the agreement and the Charter, apparently entails significant consequences for the international relations of the Union and the fate of the EU Passenger Name Record framework as a whole, including the regional scheme recently introduced by Directive 2016/681/UE.

1  Introduction In the last 15 years, the engagement of the European Union in policy developments in the areas of borders control and homeland security has grown considerably, even envisaging the use of digital means to store noteworthy information.1 In this respect, initiatives in the field of asylum and external borders control are amongst the most significant examples. Counter-terrorism strategies developed in the aftermath of 9/11 are also playing a very important role. These include the negotiation and conclusion of bilateral agreements aiming at ensuring the transfer of Passenger Name

 Cf. MacKenzie (2012).

1

V. Nardone (*) University of Rome “La Sapienza”, Rome, Italy e-mail: [email protected] © Springer Nature Switzerland AG 2019 E. Carpanelli, N. Lazzerini (eds.), Use and Misuse of New Technologies, https://doi.org/10.1007/978-3-030-05648-3_7

135

136

V. Nardone

Record (PNR) data from the EU Member States to non-EU countries, namely Australia,2 Canada3 and the United States.4 The expression “PNR data” refers to unverified information recorded by an air carrier for each journey booked by or on behalf of any passenger, necessary for the control and processing of any reservation, and can include, among others, information related to passengers’ identity, travel itinerary, payment and baggage information, meal preferences. Originally collected by air companies for commercial and operational purposes in performing transportation services, PNR data has easily shown their potential contribution (if appropriately processed, integrated and analysed) in assessing whether certain air passengers—willing to travel from a part of the globe to another—are involved in terrorist or criminal activities.5 For this reason, the transfer of PNR data has proven to be a useful means to tackle the growing phenomenon of Foreign Terrorist Fighters (FTFs), as also proved by the President of the United Nations Security Council’s encouragement6 towards UN Member States to provide PNR data to competent national authorities where appropriate.7 Between 2002 and 2003, the negotiation and conclusion of the abovementioned agreements by the EU became necessary to ensure legal certainty, since air companies operating flights from the EU to Australia, Canada and the US were bound to abide by different obligations: on the one hand, national legislations of those countries started to require the transfer of PNR data; on the other hand, EU data protection laws8 called (as they still do) for the transfer of PNR data to be contingent upon  See Council Decision 2012/381/EU of 13 December 2011 on the conclusion of the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record data air carriers to the Australian Customs and Border Protection Service, OJ 2012  L 186/3. 3  For the first EU-Canada PNR Agreement, expired in September 2009, see Council Decision 2006/230/EC of 18 July 2005 on the conclusion of an Agreement between the European Community and the Government of Canada on the processing of API/Passenger Name Record data, OJ 2006 L 82/14. 4  See Council Decision 2012/472/EU of 26 April 2012 on the conclusion of the Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Records to the United States Department of Homeland Security, OJ 2012 L 215/4. 5  Cf., inter alia, Bakker and Singleton (2016), Bonfanti (2016), De Kerchove and Höhn (2016) and Nucera (2015). 6  UN Doc. S/PRST/2014/23, 19 November 2014, para. 16. 7  It should be underlined that, in terms of legal force, the recalled exhortation, contained in a statement of the President of the United Nations Security Council is different from the obligation provided for in the United Nations Security Council Resolution 2178(2014) (UN Doc. S/ RES/2178(2014)) in which Member States are called upon “to require that airlines operating in their territories provide advance passenger information to the appropriate national authorities in order to detect the departure from their territories, or attempted entry into or transit through their territories, by means of civil aircraft”. 8  See Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ 1995 L 281/31 (Data Protection Directive). See also Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matter, OJ 2008 L350/60 (Framework 2

The Passenger Name Record Case: Profiling Privacy and Data Protection Issues…

137

the verification that the receiving country was able to guarantee an adequate level of protection of the rights of the people concerned.9 In this situation, air carriers found themselves stuck between a rock and a hard place: if they had failed to transfer the data, they would have faced fines imposed by national authorities of the requesting countries or even loosed their landing rights; on the other hand, if they had breached the Data Protection Directive, they could have faced fines from the EU. To overcome legal uncertainty for airlines, in 2003 the EU started to develop a “global EU approach”10 on the transfer of PNR data. This resulted into the conclusion of three bilateral agreements with Australia, Canada and the US and the, subsequently, into the adoption of a PNR Directive.11 Since the introduction of the aforementioned legal instruments, scholars12 and EU bodies, such as the European Data Protection Supervisor (EDPS), the Fundamental Rights Agency (FRA)13 and the European Parliament (EP), have raised strong criticism regarding their compatibility with fundamental rights.14 Most recently, thanks to the intervention of the EP15 the new draft EU-Canada agreement Decision). The Data Protection Directive has been replaced by the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, OJ 2016 L 119/1 (General Data Protection Directive). 9  Article 25(4) of the Data Protection Directive. 10  See, in particular, Communication from the Commission to the Council and the Parliament on transfer of air passenger name record (PNR) data: a global EU approach, COM(2003) 826 final, 16 December 2003, and Communication from the Commission on the global approach to transfers of Passenger Name Record (PNR) data to third countries, COM(2010) 492 final, 21 September 2010. 11  The Author is aware that the adoption of a dedicated PNR Directive was not envisaged in the Communications recalled previously, see supra footnote No. 10. However, an ex post oversight of the EU strategy on PNR data transfer demonstrates that this global approach has shaped into a twofold result. The adoption of the PNR Directive, and the consequent establishment of an EU PNR system, of course demonstrates the “increasing role of the EU in homeland security, and the influence of the US over the EU” (MacKenzie 2012, p. 104) but, at the same time, it demonstrates at least the willingness (doubts remain on its successfulness, see Sect. 4) to effectively manage the interplay between the respect of human rights and the fight against terrorism and transnational crime. The first proposal of the Commission on a EU PNR Directive was presented in February 2010, rejected three years after by the negative vote of the Civil Liberties, Justice and Home Affairs (LIBE) Committee. Directive 2016/681/UE, as it is today, has been adopted on 27 April 2016, OJ 2016 L 119/132. 12  Cf., inter alia, Di Francesco Maesa (2016) and Lowe (2017). 13  See, inter alia, Opinion of the European Union Agency for Fundamental Rights on the Proposal for a Directive on the use of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (COM(2011) 32 final), FRA Opinion 1/2011, 14 June 2011. 14  See CJEU, Joined Cases C-317/04 and C-318/04, European Parliament v. Council and Commission (PNR), 30 May 2006. For a comment cf. Nino (2010). For details on the role of the EP in the conclusions of international agreements on the transfer of PNR data, cf. Vara (2013). 15  As it is well known, under article 218 (11) TFEU, “[a] Member State, the European Parliament, the Council or the Commission may obtain the opinion of the Court of Justice as to whether an agreement envisaged is compatible with the Treaties. Where the opinion of the Court is adverse, the agreement envisaged may not enter into force unless it is amended, or the Treaties are revised”.

138

V. Nardone

on PNR data transfer, which was required by the expiry of the previous agreement in force until the end of 2009, has been challenged before the CJEU and led to Opinion 1/15 of 26 July 2017. As anticipated, this Opinion contains a very important verdict, declaring that the envisaged agreement may not be concluded in its current form, since several provisions are incompatible with EU fundamental rights.16 The collection, storage and processing of PNR data by law enforcement authorities has been found to have disproportionate implications on human rights, as enshrined in the EU Charter for Fundamental Rights (Charter or EUCFR), especially the right to respect for private life (Article 7), the right to the protection of personal data (Article 8) and the prohibition of discrimination (Article 21), limiting de facto their enjoyment by air passengers beyond what Article 52 EUCFR (on permissible limitations) would allow. The Chapter will examine the answers provided by the CJEU to the main two questions posed by the EP in its request for an Opinion on the draft EU-Canada PNR agreement, notably: what is the appropriate legal basis of such an agreement (Sect. 2) and if the draft EU-Canada PNR agreement is compatible with the protection of fundamental rights as granted by the EUCFR (Sect. 3).17 Some implications of the Opinion in the EU legal order will then be foreseen (Sect. 4), before drawing some conclusions (Sect. 5).

2  T  he CJEU’s Opinion 1/15: Article 16(2) TFEU as a Necessary Legal Basis… According to the EP, the legal basis chosen for the new EU-Canada PNR Agreement failed to properly take into account the data protection dimension. The envisaged agreement was indeed based on Articles 82(1)(d) and 87(1)(a) TFEU, both falling under the scope of the Area of Freedom, Security and Justice (AFSJ). These provisions address, respectively, judicial cooperation in criminal matters and police cooperation. The choice of the substantive legal basis of an act, which may be subject to judicial review, is extremely important as it affects the scope of the EU powers on a certain issue, as well as the procedure for the adoption of the act (the agreement, in this case), notably in respect of the involvement of the European Parliament and the majority requested in the Council. According to settled case-law of the CJEU, the choice of the legal basis must be based on objective elements, such as the aim(s) and the content of the measure envisaged.18 If it turns out that the act in question pursues more than a single objective, or has more than one component, and these objectives  For early comments on Opinion 1/15 see, inter alia, Bosson (2017), Carpanelli and Lazzerini (2017), Kuner (2017) and Woods (2017). 17  Many commentators observed that the Court in this opinion acted as a policy maker; cf. Carpanelli and Lazzerini (2017), p. 388. 18  Opinion 1/15, para. 76. 16

The Passenger Name Record Case: Profiling Privacy and Data Protection Issues…

139

or components are “inextricably linked” to each other, being equally important, the act must be anchored on the different legal bases corresponding to the applicable provisions of the Treaties. When this occurs, as it was the case for the EU-Canada PNR Agreement, one shall additionally verify whether the procedures laid down in each provision at stake are compatible with each other, thus allowing the recourse to a dual legal basis. In its Opinion, the CJEU found that the legal basis chosen was not correct, because it did not correctly reflect the purpose and content of the agreement. Building on the positions of both the Advocate General Mengozzi19 and the EDPS,20 the CJEU found that, according to a careful reading of its Article 1,21 the draft agreement served two purposes: the protection of public security, but also the determination of the conditions under which the transfer of PNR data should be performed, including the prescription of how data should be protected: besides, this is confirmed by the Preamble of the agreement, making explicit reference to the necessity of respecting human rights in a manner consistent with the obligations set out in Article 6 of the Treaty on European Union (TEU).22 As far as the content is concerned, the position of the CJEU is confirmed by the fact that many provisions detail a body of rules intended to protect personal data with which Canada has undertaken to comply when processing PNR data. In sum, the draft EU-Canada PNR Agreement addressed two objectives and two different contents, which are “inextricably linked”, and for this reason both should be considered to find a legal basis for the act. In the light of the foregoing considerations, the CJEU clarified that Article 16(2) TFEU must be regarded as a necessary legal basis along with Article 87(2)(a) TFEU, as the draft agreement concerned the collection, storage, processing, analysis and exchange of relevant information useful to serve the purposes of protecting the

 It should be underlined that the Opinion followed the conclusions reached by the Advocate General (AG) Mengozzi, whose Opinion was delivered on 8 September 2016. 20  The Opinion of the EDPS was delivered on 30 September 2013. 21  Article 1 of the envisaged agreement, labelled Purpose of the Agreement, stated that “[i]n this Agreement, the Parties set out the conditions for the transfer and use of Passenger Name Record (PNR) data to ensure the security and safety of the public and prescribe the means by which the data is protected”. 22  In reality, the reference of the Preamble is more complete, affirming that “[m]indful of the European Union’s commitments pursuant to Article 6 of the Treaty on European Union on respect for fundamental rights, the right to privacy with regard to the processing of personal data as stipulated in Article 16 of the Treaty on the Functioning of the European Union, the principles of proportionality and necessity concerning the right to private and family life, the respect for privacy, and the protection of personal data under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms, Council of Europe Convention No 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data [, signed at Strasbourg on 28 January 1981,] and its additional Protocol 181 [, signed at Strasbourg on 8 November 2001]”. 19

140

V. Nardone

security and safety of the public and preventing, combatting, repressing, eliminating terrorism and terrorist-related offences.23 By contrast, the draft agreement could not be based on Article 82(1) TFEU, aiming at facilitating the cooperation between judicial or equivalent authorities of the Member States in relation to proceedings in criminal matters and the enforcement of decisions, as this issue was not addressed in the draft agreement.

3  …  and the Compatibility of the Agreement with the TFEU and the EUCFR The second question addressed by the CJEU was the compatibility of the draft EU-Canada PNR agreement with the protection of fundamental rights as granted by the Charter. This assessment was extremely sensitive as it was likely to have an impact not only on the envisaged EU-Canada PNR agreement, but on the EU PNR framework as a whole, namely the existing PNR agreements with the United States and Australia, the conclusion of similar agreements with other States and the PNR Directive. In fact, that impact would have concerned, more generally, all existing and prospected data transfer schemes of the Union. As anticipated, in relation to the right to respect for private life, the CJEU assessed the agreement in the light of Article 7 EUCFR, while with respect to the right to the protection of personal data, the Court decided to conduct an assessment in the light of Article 8 EUCFR, instead of Article 16 TFEU, as the former, a lex specialis, was believed to be more complete and detailed in laying down the conditions under which data should be processed and shared.24 While some CJEU’s statements and assumptions provide for a substantial differentiation of these two fundamental rights, the entire reasoning seems to communicate that all findings apply in the same way to both Article 7 and 8, as the right of individuals to data protection is intimately linked to the right to respect for private life. In fact, as regard the technique of the analysis, the CJEU started to analyze the

 As both Article 16(2) and Article 87(2)(a) TFEU provide for the use of the ordinary legislative procedure, entailing the qualified majority voting in the Council and the Parliament’s full participation, there is no problem in principle using them as legal basis, nor being affected by the Protocols 21 and 22 to the Treaties. 24  AG Mengozzi went into much detail with respect to Article 16(2) TFEU. 23

The Passenger Name Record Case: Profiling Privacy and Data Protection Issues…

141

two articles separately,25 but then this distinction smoothed over,26 confirming the trend of its previous case law on the protection of personal data.27 According to the CJEU, the retention, usage and processing of PNR data envisaged by the draft EU-Canada PNR Agreement limited the enjoyment of the abovementioned fundamental rights by air passengers flying from the EU to Canada. Such limitations are not prohibited as such: neither the right to respect for private life nor the right to the protection of personal data are absolute rights under the Charter. However, in order to be considered lawful and compatible with human rights standards, they must satisfy the specific requirements set out in Articles 8(2) and 8(3) EUCFR, as well as Article 52(1) EUCFR, the general clause concerning restrictions allowed to the exercise of the fundamental rights granted by the Charter. According to this provision, limitations shall be provided for by law, pursue an objective of general interest recognized by the EU or the need to protect the rights and freedoms of others and be proportionate and strictly necessary in respect of their aim. These requirements are in line with the provisions set out in other human rights treaties applicable to data protection,28 and confirmed by the jurisprudence of the (quasi-) judicial bodies competent for their interpretation, respect and implementation.29 In the first instance, the CJEU considered whether there was a legitimate basis justifying the interference. Article 8 EUCFR indeed states that personal data must, inter alia, be processed “for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law”. Now, since the processing of PNR data envisaged by the draft EU-Canada PNR Agreement pursued a different objective from that for which the data was originally collected by air carriers, the CJEU needed to ascertain if the agreement itself constituted a legitimate  Opinion 1/15, paras. 122 and 123.  Besides, as it has been observed, notwithstanding the separation of the two rights into two different articles, the EUCFR itself encourages a collective reading. The explanations to the Charter concerning Article 7 state that it corresponds to article 8 of the European Convention on the Protection of Human Rights and Fundamental Freedoms (ECHR), which protects both the right to private life and to data protection. Moreover, instruments recalled in the explanations concerning Article 8 EUCFR seem to support the same conclusions. In this sense, see Gonzalez Fuster (2014), p. 260. 27  Cf., Gonzalez Fuster (2014), p. 259. 28  It is the case of Article 8 of the ECHR and of Article 17 of the International Covenant on Civil and Political Rights (ICCPR). 29  Data protection has been addressed both by the European Court of Human Rights (ECtHR) and the UN Human Rights Committee. The ECtHR clearly dealt with data protection issues in the S. and Marper v. the United Kingdom judgment (Grand Chamber) of 4 December 2008, assessing that “[t]he mere storing of data relating to the private life of an individual amounts to an interference within the meaning of Article 8 […]. The subsequent use of the stored information has no bearing on that finding […]. However, in determining whether the personal information retained by the authorities involves any […] private-life [aspect] […], the Court will have due regard to the specific context in which the information at issue has been recorded and retained, the nature of the records, the way in which these records are used and processed and the results that may be obtained […]”, para. 67. On the other hand, the UN Human Rights Committee in its General Comment No. 16 considered that Article 17 ICCPR should be interpreted as including some data protection guarantees. 25 26

142

V. Nardone

legal basis within the meaning of Article 8(2) EUCFR. On this point, the conclusion of the CJEU was positive, indicating that an international agreement can meet the requirement of being a law. The CJEU thus rejected the EP’s arguments on this point. Moreover, the interference was also justified by the objective of general interest of the EU pursued by the agreement itself, namely that of ensuring public security, fighting against terrorism and other related offences such as transnational crime, and contributing to the protection of freedom of others by means of the transfer of PNR data. The CJEU therefore moved to assess the proportionality and necessity of the norms providing for the limitations. In particular, in order to pass the “proportionality and necessity test”, such norms must be clear and precise in defining the scope of the limitations on the exercise of the rights concerned and applied only if strictly necessary. The analysis carried out by the CJEU has shown that several provisions of the envisaged agreement failed this test on several grounds. The first critical point identified is the lack of a clear and precise identification of the data that should be transferred to the Canadian Competent Authority. In fact, some of the 19 headings enumerated in Annex 1 to the agreement, which corresponds to the list foreseen in Appendix 1 to the Guidelines of the International Civil Aviation Organization (ICAO) on PNR data,30 are not sufficiently well-defined and remain too vague. For example, heading 5 “available frequent flier and benefit information (free tickets, upgrades, etc.)” was found problematic because its wording did not clarify if reference is made to all passengers or only to those enjoying customers loyalty programs; in addition, the use of the term “etc.” broadens too much the scope of the data to be transferred.31 This generous formulation would likely encourage air companies to communicate all information they have—even sensitive ones—in order not to waste time understanding the clear request of the provision or selecting only few information from all they have.32 The second critical issue highlighted by the CJEU concerns sensitive data. According to the definition given by the EU PNR agreement in Article 2(e), sensitive data includes “information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or information  See Annex 9 to the Convention on International Civil Aviation (Chicago, 7 December 1944, entered into force on 4 April 1947, 15 U.N.T.S. 295), Recommended Practice 3.49. 31  Along with heading 5, the problematic headings are the following. Heading 7, using the expression “all available contact information (including originator information)”, does not define in a sufficiently detailed manner neither the scope of the data to be transferred nor the eventual involvement of the contact information of third parties e.g. who made the flight reservation for the air passenger. Heading 17, referring to “general remarks including Other Supplementary Information (OSI), Special Service Information (SSI) and Special Service Request (SSR) information”, seems to be a catch-all category, potentially including all other information not specified in the Annex, even sensitive data. The CJEU in its Opinion made explicit reference to two other headings, specifically headings number 8 and 18, which prima facie can be seen as not sufficiently precise and clear due to their formulation, but thanks to the explanation given by the Commission, both headings may be regarded as meeting the requirements of clarity and precision. 32  Opinion 1/15, paras. 156–161. 30

The Passenger Name Record Case: Profiling Privacy and Data Protection Issues…

143

about a person’s health or sex life”. Even if none of the 19 headings set out in the Annex to the envisaged agreement expressly referred to this kind of data, it can easily fall within the scope of heading 17 on “general remarks”. Additionally, the fact that two articles of the draft agreement, namely Articles 8 and 16, lay down specific rules on the use and retention of sensitive data, it is implicitly admitted that the parties to the agreement have accepted the transfer of such data. The CJEU noted that this is contrary not only to Articles 7 and 8 EUCFR, but also to Article 21 EUCFR concerning “non-discrimination”.33 Moreover, the transfer of sensitive data is contrary to EU law, as the PNR Directive prohibits it in many articles.34 In this sense, at the end of the Opinion itself, the CJEU clearly stated that the agreement is incompatible with Articles 7, 8, 21 and Article 52(1) EUCFR in so far as it does not preclude the transfer, use and retention of data by Canadian authorities.35 The CJEU found some problems also with respect to the automated processing of data. In fact, according to the envisaged agreement, the processing of data transmitted by air carriers is performed mainly by means of automated methods based on pre-established models and criteria and on cross checking with other databases. These mechanisms, coupled with the circumstance that the personal data used are unverified, can lead to unproven results: according to the EDPS, the margin of error would be significant.36 Indeed, the fact that these technologies may present a margin of error is acknowledged by the draft agreement itself: Article 15 provides that “Canada shall not take any decisions significantly adversely affecting a passenger solely on the basis of automated processing of PNR data”.37 Yet, the agreement fails to provide specific corrective procedures for a re-examination by non-automated means before the adoption of an eventual measure unfavorably affecting the air passenger concerned.38 Another critical point relates to the purposes for which PNR data may be processed. According to the CJEU, Article 3 of the envisaged agreement, which defines the purposes for which the Canadian Competent Authority may process PNR data, contains precise definitions of “terrorist offences” and “serious transnational crime” meeting the requirements of preciseness and clearness required by the ­“proportionality  Article 21 of the EUCFR is contained in Title III on Equality and it reads as follows: “1. Any discrimination based on any ground such as sex, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation shall be prohibited. 2. Within the scope of application of the Treaties and without prejudice to any of their specific provisions, any discrimination on grounds of nationality shall be prohibited”. 34  Articles of the PNR Directive prohibiting the processing of sensitive data are Articles 6(4), 7(6) and 13(4). 35  Opinion 1/15, paras. 164–167. 36  Point 30 of the EDPS Opinion of 30 September 2013. 37  Other important provisions of the envisaged agreement specifically apply to the automated processing of data, such as Article 3, defining the purposes for which the Canadian Competent Authority may process that data, and Article 7 of the agreement, containing the non-discrimination clause. 38  Opinion 1/15, paras. 168–174. 33

144

V. Nardone

and necessity test”.39 Conversely, the exceptional circumstances in which data can be processed are more challenging. The agreement provides, in fact, for two exceptional cases in which the Canadian Competent Authority can process PNR data, both contained in Article 3. The first purpose is contained in article 3(4) and allows the processing of PNR data where necessary to protect vital interests of any individual such as (a) a risk of death or serious injury; or (b) a significant public health risk, in particular as required by internationally recognized standards.

This would be sufficiently narrow and precise in the Court’s view.40 Conversely, the CJEU found the second exceptional purpose, envisaged in Article 3(5), too vague and general to meet the requirement of clarity and precision and, for this reason, not strictly necessary. Article 3(5) establishes, in fact, that: Canada may also process PNR data, on a case-by-case basis in order to: (a) ensure the oversight or accountability of the public administration; or (b) comply with the subpoena or warrant issued, or an order made, by a court.41

The Court also found major problems as regards the retention of data during the stay of air passengers in Canada, and especially after their departure. This is indeed one of the most interesting part of the Opinion. The retention, access and use of PNR data up to the air passengers’ departure from Canada facilitates security checks and borders controls and it is strictly necessary in order to achieve the objective of the agreement, namely ensuring security of Canada by means of ascertaining that someone arriving in the Country is not a danger for its security and public order.42 According to the Court, problems arise according to the Court when PNR data should be used during the air passengers’ stay, regardless of the results of data checking before their arrival. When air passengers have been allowed to enter the territory of Canada after a successful verification of their PNR data transferred by the air carrier, the use of that data during their stay should be justified on new circumstances; these should be included in dedicated rules on substantive and procedural conditions governing their use and avoiding their abuse. For this reason, “except in cases of validly established urgency” (a concept not further clarified by the CJEU itself), the use of PNR data during the stay should be subject to a prior review carried out by a court or a another public body after a reasoned request.43 The main conclusions, probably in a stronger way, have been applied to the processing of PNR data of air passengers after their departure, noting that the link between the measure and the objective pursued loses its meaning, and the limitation of the rights is no longer justified.44 Only when ­objective  Ibid., paras. 175–178.  Ibid., para. 180. 41  Ibid., paras. 179–181. 42  Ibid., para. 197. 43  Ibid., paras. 199–203. 44  In this respect the CJEU observed that “it is not apparent that all air passengers who have travelled to Canada would present, after their departure from that country, a higher risk that other 39 40

The Passenger Name Record Case: Profiling Privacy and Data Protection Issues…

145

evidence is identified, and objective criteria demonstrate that a person can be a risk even after its departure in terms of the fight against terrorism and serious transnational crimes, the continuous storage of his or her data for the period envisaged by the agreement would be permissible. However, the use of such data should be subject to a specific request to a court or a competent body.45 In line with previous case law, notably its judgment in Schrems,46 the CJEU found some problems also with regard to the disclosure of PNR data. In fact, the agreement entrusts the Canadian Competent Authority with a discretionary power to disclose PNR data to other Canadian governmental authorities and to government authorities of third countries.47 However, major problems arise when third countries are involved, as the EU can transfer data to non-EU member countries only if it is sure that the receiving country ensures a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU. In order to prevent that the agreement is only a means to circumvent such an important limiting clause, the CJEU “rewrote” the agreement so as to add a conditio sine qua non for the disclosure to third countries. The disclosure should be based on the existence of either an agreement between the EU and the non-member country concerned, equivalent to the envisaged agreement, or a decision of the Commission, under Article 25(6) of Directive 95/46/EC, acknowledging that the level of protection ensured by that country is adequate according to EU law.48 In the final part of the Opinion, the Court focused on two additional shortcomings of the envisaged agreement: first, it failed to provide for a right to individual notification for air passengers in the event of the use of PNR data during their stay or in case of transfer of data by the Canadian Competent Authority to authorities of other countries or to individuals failing to respect Articles 8(2) and 8(3) EUCFR49; second, it failed to define in a clear manner the rules governing the establishment of an independent authority supervising the processing of PNR data.50

4  T  he Potential Implications of Opinion 1/15 on the EU PNR Framework The analysis carried out by the CJEU in Opinion 1/15 delineates a model to be followed for the future revision of the agreement concerned and potentially all other agreements or normative acts of a similar nature or with an analogous content. persons who have not travelled to that country during the previous five years and in respect of whom Canada does not therefore hold PNR data”, ibid., para. 204. 45  Ibid., paras. 204–209. 46  Case C-362/14 Schrems [2015] EU:C:2015:650, paras. 72 and 73. 47  Disclosure of PNR data is governed by Articles 18 and 19 of the envisaged agreement. 48  Opinion 1/15, paras 212–214. 49  Ibid., para 225. 50  Ibid., para 231.

146

V. Nardone

As anticipated, along with the challenged draft agreement, there are currently two agreements in force concerning the transfer of PNR data between the EU, on the one side, and the United States and Australia respectively, on the other side. Obviously, as these agreements require the transfer, use and processing of PNR data, just like the EU-Canada PNR Agreement does, they allow interferences with the rights protected under Articles 7 and 8 of the EUCFR. Since they provide for the same obligations of the EU-Canada Agreement, it is possible to assume that they share most of the incompatibilities with the EUCFR highlighted in Opinion 1/15. Besides, they predate the shift of the EU towards a more effective protection of personal data, which has been upheld in Opinion 1/15 and, more generally, in the recent CJEU’s case. By way of example, one point on which both agreements can be challenged in the light of Opinion 1/15 relates to the legal basis, as both agreements are only based on Article 82(1)(a) TFEU, which the CJEU found to be non-appropriate in the context of the transfer of PNR data. At the same time, the EU-US and EU-Australia agreements differ under several aspects from the draft agreement with Canada. For example, the agreement concluded with Australia expressly prohibits the transfer of sensitive data in Article 6 and, in this respect, it could not be challenged on this point. On the other hand, the agreement with the United States shows different critical points that can be declared incompatible with Article 52(1) EUCFR, such as the retention period (given that PNR data can be stored up to 10 years) and the lack of clarity in the definition of crimes justifying the use of data.51 The question may be raised whether and how these agreements already in force can be challenged. Of course, time has run out to bring annulment actions or to ask the CJEU for an advance ruling on their compatibility with EU law.52 However, it is still possible for individuals to call into question their application before national courts, which can in turn eventually ask for a preliminary ruling. In addition, it is useful to question whether the EU is under an obligation of denounce or re-­negotiate the agreements motu proprio. Moreover, the EP, acting as a “guardian of citizens’ fundamental rights”, could argue that in, order to secure the respect and protection of human rights enshrined in the EUCFR and the EU Treaties, the Council and/or the Commission must denounce or re-negotiate the agreement at stake, in order to avoid being held responsible for a “failure to act”.53 Along with the doubts concerning the fate of the PNR agreements already in force, the conclusions reached by the CJEU in its Opinion 1/15 leave open the question on the compatibility of several provisions of Directive 2016/681/UE—whose national transpositions are due by 25 May 2018—with EU primary law, mainly with the EUCFR.  Indeed, many of the shortcomings of the envisaged agreement are already settled in the Directive itself.  For a more detailed overview on this point, see Carpanelli and Lazzerini (2017).  Cf. Peers (2014). 53  Cf., inter alia, Carpanelli and Lazzerini (2017) and Peers (2014). The procedure concerned is enshrined in Article 265(1) TFEU. 51 52

The Passenger Name Record Case: Profiling Privacy and Data Protection Issues…

147

This is the case, first of all, of the treatment of sensible data. As mentioned above, in its Opinion 1/15, the CJEU found that the envisaged agreement is incompatible with Articles 7, 8, 21 and 52(1) EUCFR in so far as it does not preclude the transfer, use and retention of sensitive data. By contrast, the Directive expressly prohibits the collection and use of sensitive data and, for this reason, has even been taken as a model by the CJEU in its Opinion.54 Similarly, clarifications requested on the use of automated means of analysis of PNR data envisaged by the EU-Canada PNR agreement are satisfied by the PNR Directive to the extent that it expressly asks for human intervention when the results of automated processing of PNR data require national authorities to adopt individual measures adversely affecting an air passenger.55 The retention period of 5 years envisaged by the EU-Canada PNR agreement and by the Directive has been judged by the CJEU as not exceeding the limits of what is strictly necessary for the purposes of combating terrorism and serious transnational crime. By contrast, other aspects of the regime laid down by the PNR Directive seem challenging vis-à-vis the position of the CJEU and may be the object of a declaration of invalidity via the preliminary ruling procedure. In particular, the PNR Directive does not foresee any distinction concerning the retention of PNR data of passengers that travel to and stay in a given country, and those who have already left its territory. As a matter of fact, the EU Directive only provide for the possibility to mask or depersonalize data collected under specific circumstances.56 Another point on which the PNR Directive could easily be judged as lacking a justification for the limitation of fundamental rights imposed to air passengers is the vague definition of some of the PNR data to be transferred. As an example, heading 5, which corresponds, mutatis mutandis, to heading 7 of the EU-Canada PNR agreement, can be subject to the same objections. More precisely, it is not clear if the Directive, by requesting the transfer of “address and contact information (telephone number, e-mail address)”, protects sufficiently the identity and information concerning persons who eventually made the reservation on behalf of the to-be air passenger.

5  Conclusive Remarks With Opinion 1/15, the CJEU rendered a major ruling on the safeguards that the protection of personal data and privacy requires in the context of mechanisms that are premised on mass surveillance. Public security and the fight against terrorism and transnational crime cannot become a “Trojan horse” to justify the indiscriminate restriction of fundamental  Article 13(4) PNR Directive.  Articles 6(5), 6(6) and 12(5) PNR Directive. 56  These circumstances are established by Article 9(2) and, more specifically, by Article 12 PNR Directive. 54 55

148

V. Nardone

rights.57 This is established not only by testing the compatibility of material provisions of the proposed agreement with the EUCFR and the TFEU, but also by acknowledging the necessity to correctly choose a suitable legal basis. However, this does not put into question the admissibility and the proportionality of the measure itself: PNR data collection and transfer for the purposes of prevention and investigation of serious crimes and terrorism is admitted by the CJEU, but a ­reasoned balancing with fundamental rights involved is strictly necessary and unavoidable. Additionally, Opinion 1/15 represented an occasion for the CJEU to deepen its case law on data protection, following the path clearly defined by previous judgments such as Digital Rights Ireland and Others,58 Google Spain,59 Schrems60 and Tele2 Sverige and Watson and Others.61 In this respect, the CJEU ended up adding some coherent remarks concerning the necessary characteristics that restrictions to data protection should have. As previously observed, the main important consequence of Opinion 1/15 is that PNR agreement cannot be concluded in its current form. Given that an amendment of the EU founding Treaties to allow its ratification is highly improbable, particularly because it would undermine the axiological foundations of the European integration, the EU-Canada PNR Agreement is likely to be modified in order to comply with the CJEU’s ruling. The fate of the EU-US and the EU-Australia PNR Agreements and of the PNR Directive remains to be seen, but the consequences of Opinion 1/15 are likely to have even a greater impact, as it raised non-marginal doubts on the compatibility of many EU laws and Treaties with human rights standards. In fact, the CJEU’s “privacy spring”62 seems to have shaped into something more structured, definitely encouraging the foreseen “domino effect”63 of a series of EU laws and Treaties being ruled in breach of the rights to privacy and data protection, all falling in consequence of the Data Retention Directive’s overturning. It is the case, for example, of the EU-US Privacy Shield or the agreement between the EU and the United States on the transfer of SWIFT financial transaction data for counterterrorism purposes. Additionally, the Opinion would certainly have an impact on the negotiations of PNR agreements with other non-member countries,64 potentially including the United Kingdom after Brexit. More generally, it is possible to assume that the Opinion would have an enormous impact on international relations of the EU. But, given that such difficulties would stem from the stronger affirmation of human rights against public security concerns and fight against terrorism, probably it has been worth taking the risk.  Cf. Tzanou (2015).  Cases C-293/12 and C-594/12 Digital Rights Ireland and Others [2014] EU:C:2014:238. 59  Case C-131/12 Google Spain [2014] EU:C:2014:317. 60  Supra footnote No. 45. 61  Joint cases C-203/15 and C-698/15 Tele2 Sverige and Watson and Others [2016] EU:C:2016:970. 62  Cf. Zanfir (2015). 63  Cf. Peers (2014). 64  See for instance: European Commission, STATEMENT/15/5374, ‘Beginning of negotiations between Mexico and the European Union on PNR data transmission’, 14 July 2015. 57 58

The Passenger Name Record Case: Profiling Privacy and Data Protection Issues…

149

References Bakker, Edwin, and Mark Singleton. 2016. Foreign Fighters in the Syria and Iraq Conflict: Statistics and Characteristics of a Rapidly Growing Phenomenon. In Foreign Fighters Under International Law and Beyond, ed. Andrea de Guttry et al., 9–25. The Hague: T. M. C. Asser Press. Bonfanti, Matteo E. 2016. Collecting and Sharing Intelligence on Foreign Fighters in the EU and Its Member States: Existing Tools, Limitations and Opportunities. In Foreign Fighters Under International Law and Beyond, ed. Andrea de Guttry et al., 333–353. The Hague: T. M. C. Asser Press. Bosson, Raphael. 2017. Passenger Name Records – From Canada Back to the EU. Verfassungsblog. Accessed December 31, 2017. http://verfassungsblog.de/passenger-name-records-from-canadaback-to-the-eu/. Carpanelli, Elena, and Nicole Lazzerini. 2017. PNR: Passenger Name Record, Problems Not Resolved? The EU PNR Conundrum After Opinion 1/15 of the CJEU. Air & Space Law 42: 377–402. De Kerchove, Gilles, and Christiane Höhn. 2016. The Regional Answers and Governance Structure for Dealing with Foreign Fighters: The Case of the EU. In Foreign Fighters Under International Law and Beyond, ed. Andrea de Guttry et al., 299–331. The Hague: T. M. C. Asser Press. Di Francesco Maesa, Costanza. 2016. Balance Between Security and Fundamental Rights Protection: An Analysis of the Directive 2016/680 for Data Protection in the Police and Justice Sectors and the Directive 2016/681 on the Use of Passenger Name Record (PNR), Eurojus. Accessed December 31, 2017. http://rivista.eurojus.it/balance-between-security-and-fundamental-rights-protection-an-analysis-of-the-directive-2016680-for-data-protection-in-the-police-and-justice-sectors-and-the-directive-2016681-on-the-use-of-passen/?print=pdf. Gonzalez Fuster, Gloria. 2014. The Emergence of Personal Data Protection as a Fundamental Right of the EU. Cham: Springer. Kuner, Cristopher. 2017. Data Protection, Data Transfers, and International Agreements: The CJEU’s Opinion 1/15. Verfassungsblog. Accessed December 31, 2017. http://verfassungsblog. de/data-protection-data-transfers-and-international-agreements-the-cjeus-opinion-115/. Lowe, David. 2017. The European Union’s Passenger Name Record Data Directive 2016/681: Is It Fit for Purpose? International Criminal Law Review 17: 78–106. MacKenzie, Alex. 2012. The External Dimension of European Homeland Security. In European Homeland Security: A European Strategy in the Making? ed. Christian Kaunert et al., 101-95-­ 110. London: Routledge. Nino, Michele. 2010. The Protection of Personal Data in the Fight Against Terrorism. New Perspectives of PNR European Union Instruments in the Light of the Treaty of Lisbon. Utrecht Law Review 6: 62–85. Nucera, Gianfranco Gabriele. 2015. Considerazioni sulle misure adottate dall’Unione europea in materia di combattenti terroristi stranieri. Federalismi.it. Accessed December 31, 2017. http:// www.federalismi.it/nv14/articolo-documento.cfm?Artid=30331&content=Considerazioni+sul le+misure+adottate+dall%E2%80%99Unione+europea+in+materia+di+combattenti+terrorist i+stranieri&content_author=%3Cb%3EGianfranco+Gabriele+Nucera%3C/b%3E. Peers, Steven. 2014. The Domino Effect: How Many EU Treaties Violate the Right to Privacy and Data Protection? EU Law Analysis. Accessed December 31, 2017. http://eulawanalysis. blogspot.it/2014/11/the-domino-effect-how-many-eu-treaties.html. Tzanou, Maria. 2015. The War Against Terror and Transatlantic Information Sharing: Spillovers of Privacy or Spillovers of Security? Utrecht Journal of International & European Law 31: 87–103. Vara, Juan Santos. 2013. The Role of the European Parliament in the Conclusion of the Transatlantic Agreements on the Transfer of Personal Data After Lisbon. CLEER Working Papers 2013/2. Accessed December 31, 2017. http://www.asser.nl/upload/documents/20130226T013310cleer_13-2_web.pdf.

150

V. Nardone

Woods, Lorna. 2017. Transferring Personal Data Outside the EU: Clarification from the ECJ? EU Law Analysis. Accessed December 31, 2017. http://eulawanalysis.blogspot.it/2017/08/ transferring-personal-data-outside-eu.html. Zanfir, Gabriela. 2015. How CJEU’s “Privacy Spring” Construed the Human Rights Shield in the Digital Age. In European Judicial System as a Challenge for Democracy, ed. Elzbieta Kuzelewska et al., 111–126. Cambridge: Intersentia.

The European Court of Human Rights Shaping Family Life in Cross-border Surrogacy: The Paradiso et Campanelli Case Mario Gervasi

Abstract  Cross-border surrogacy has become increasingly common: people from countries where surrogacy is forbidden make recourse to it abroad. Yet, the home country’s ban on surrogacy may prevent the continuity of the family status established abroad. Such cases have been brought also before the European Court of Human Rights for the alleged violation of Article 8 of the European Convention on Human Rights. The judgment that  the Grand Chamber issued in the Paradiso et Campanelli c. Italie case is significant for the interaction between the determination of family life and the technological nature of modern surrogate motherhood. The denial that there had been de facto family life raises doubts because of the weight given to the time factor and to the absence of genetic and legally recognised ties between the intending parents and the child born from surrogacy. Still, having found that there had been no family life, the Grand Chamber did not need to balance the right to respect for family life against the State margin of appreciation, which would have proved difficult. It is suggested that the difficulties in balancing the protection of family unity against the State margin of appreciation are due to the technological nature of contemporary surrogate motherhood. Additionally, should surrogacy become increasingly permitted, the Paradiso et Campanelli final judgment would not hinder the European Court of Human Rights from finding the existence of de facto family life and a breach of Article 8 of the European Convention on Human Rights in cases where the child born from surrogacy were separated from their intending parents.

1  Introduction A surrogate mother is basically a woman bearing a baby for someone else, for instance heterosexual couples suffering from infertility, single people or homosexual—especially gay male—couples. Although surrogate motherhood is usually M. Gervasi (*) University of Rome “La Sapienza”, Rome, Italy e-mail: [email protected] © Springer Nature Switzerland AG 2019 E. Carpanelli, N. Lazzerini (eds.), Use and Misuse of New Technologies, https://doi.org/10.1007/978-3-030-05648-3_8

151

152

M. Gervasi

considered a very ancient practice, today it is based on artificial reproductive technologies. By dint of technological development, surrogate motherhood has become increasingly “easy” in that the surrogate mother is less and less involved from an emotional and genetic perspective.1 That holds true for both traditional and gestational surrogacy. In traditional surrogacy, the surrogate mother is also genetically tied to the baby. Thanks to artificial insemination, the surrogate does not need to have any physical intercourse with the genetic father. Instead, in vitro fertilisation forms the base of gestational surrogacy, where the surrogate mother is no longer required even to be the genetic mother of the baby and thus there is no genetic link between the surrogate and the newborn. Moreover, sperm donation allows the intending father not to necessarily be also the genetic father, for instance in the event of infertility. In addition to the difference between traditional and gestational surrogacy, another distinction is commonly made between altruistic and commercial surrogate motherhood. As a matter of principle, in altruistic surrogacy the surrogate mother is only refunded the expenses incurred for pregnancy, whereas in commercial surrogacy the surrogate mother is also paid for her “service”. As is well known, surrogate motherhood is currently raising ethical and legal questions. On the one hand, surrogacy is said to be incompatible with women and children’s rights since—inter alia—women are allegedly exploited and children prevented from knowing their origins and thus developing their identity.2 On the other hand, surrogate motherhood is said to be coherent with emerging reproductive rights and women are allegedly free to choose surrogate motherhood as a source of income or form of solidarity.3 In the light of those opposing views, States’ reactions to surrogate motherhood differ significantly, ranging from permission, tacit tolerance, regulation, and prohibition.4 As a result, people from countries where surrogate motherhood is forbidden, strictly regulated or just too expensive resort to surrogacy abroad, namely in those countries where surrogacy is permitted, tolerated or simply cheaper. The receiving States, where the intending parents return to, find themselves facing a fait accompli. Such procreative tourism is also known as cross-border surrogacy.5

 See also Spar (2005), pp. 292–299.  See Stark (2012), pp.  379–380 and 386; Poli (2015), pp.  10–18; Watson (2016). In particular, commercial surrogacy is said to be incompatible with “objective” human dignity, but for some critical remarks on the very existence of such notion in international law see De Sena (2017). 3  See Humbyrd (2009); Stark (2012), pp.  377–378; Panitch (2013), p.  340; Straehle (2016); Wilkinson (2016), p. 137. 4  See the Preliminary Report on the Issues Arising from International Surrogacy Arrangements, drawn by the Permanent Bureau of the Hague Conference on Private International Law, March 2012, pp. 9–18. 5  See Trimmings and Beaumont (2011), pp. 629–633; Ergas (2013), pp. 127–128; Audit (2014), pp. 388–389; Fulchiron (2014), pp. 564–565. See also Laufer-Ukeles (2013), pp. 1275–1278, arguing the need for domestic regulation of surrogate motherhood by reason of the “morally and practically more problematic” nature of cross-border surrogacy. 1 2

The European Court of Human Rights Shaping Family Life in Cross-border…

153

One of the main legal problems arising from cross-border surrogacy concerns the continuity of the legal parentage and family status established abroad in the ­intending parents’ home country, where surrogacy is banned. In particular, domestic authorities often refuse to recognise the foreign birth certificate of a child born from surrogacy on public policy grounds.6 Cases of this type  have recently been brought before the European Court of Human Rights (ECtHR).7 This chapter will specifically look at the final judgment in the Paradiso et Campanelli c. Italie case, which differs from other cross-border surrogacy cases for the impact of surrogate motherhood on the notion of family life. Accordingly, this chapter will focus precisely on the perplexities arising from the ECtHR Grand Chamber’s determination of family life. Should the criteria that the Grand Chamber adopted in the Paradiso et Campanelli case be confirmed in the future, the very notion of de facto family life would risk being assessed on a quantitative basis or losing its autonomous relevance. The chapter will also illustrate the difficulties that would have arisen had the Grand Chamber found that there had been family life. Those difficulties and the overall precedential value of the final judgment in the Paradiso et Campanelli case will be assessed against the backdrop of the technological nature of contemporary surrogate motherhood.

2  The Paradiso et Campanelli Case In the cross-border surrogacy cases brought before the ECtHR, a violation of the right to respect for private and family life under Article 8 of the European Convention on Human Rights (ECHR) has been mainly alleged. In particular, in the analogous cases Mennesson c. France and Labassee c. France two French couples had made recourse to surrogate motherhood in the United States of America; in both cases, the father was genetically tied to the newborn. Yet, by reason of the domestic prohibition on surrogate motherhood,8 France annulled the entries of the foreign birth certificate in the French central register in the Mennesson case and the acte de notoriété issued in France on the basis of the foreign birth certificate in the Labassee case. In the 2014 Mennesson and Labassee twin judgments, the ECtHR found a breach of the right of the children born from surrogacy to respect for their private life under Article 8 ECHR.9  See again the Preliminary Report on the Issues Arising from International Surrogacy Arrangements, drawn by the Permanent Bureau of the Hague Conference on Private International Law, cit., pp. 19–24. See also Campiglio (2009); Tonolo (2014). 7  For an overview of the main trends in the ECtHR case law generally concerning the continuity of transnational private or family status see Davì (2012), p. 439 ff.; Marongiu Buonaiuti (2016). As specifically regards parentage and the role of the best interests of the child see Tonolo (2017), especially pp. 1074–1080 and 1091–1095. 8  Article 16(7) of the French Code civil. 9  Mennesson c. France (App. No. 65192/11), ECtHR, judgment of 26 June 2014; Labassee c. France (App. No. 65941/11), ECtHR, judgment of 26 June 2014. For some remarks on the twin 6

154

M. Gervasi

In the Paradiso et Campanelli case a heterosexual Italian couple made recourse to surrogate motherhood abroad, namely in the Russian Federation, since their previous attempts to become parents, including by artificially assisted reproduction and adoption, had proved unsuccessful. As it is known, surrogate motherhood is forbidden in Italy.10 Accordingly, after the couple had returned to Italy with the child born from surrogacy, the prosecutor’s office opened criminal proceedings against them for misrepresentation of civil status. As the DNA test showed that contrary to the couple’s allegation there was no genetic link between the intending father and the child born from surrogacy, domestic judicial authorities refused to register the foreign birth certificate. The child was then removed from his intending parents and entrusted to a foster home and, later, to a foster family. In 2012, the couple applied to the ECtHR, complaining mainly about a violation of their right to respect for private and family life. Since the applicants had exhausted domestic remedies as regards solely the removal of the child and not also the refusal to register the foreign birth certificate, the former was at the heart of the case. On 27 January 2015 the ECtHR Chamber found a violation of the applicants’ right to respect for their private and family life, because of the inadequacy of the reasons for the child’s removal.11 The case was then brought before the Grand Chamber, which issued the final judgment on 24 January 2017.12 Differently from the Chamber, the Grand Chamber found that there had been no family life and held that Italy had not violated the applicants’ right to respect for their private life. The reasoning that led the Grand Chamber to find no family life is puzzling. It risks impinging upon the “de facto family life” notion in the event of the Paradiso et Campanelli final judgment becoming a precedent informing future case law.

judgments see Campiglio (2014a); Chénedé (2014); D’Avout (2014); Giungi (2014); Guillaumé (2014); Isailović (2014). Later, the ECtHR basically applied the Mennesson and Labassee precedents to the similar cases Foulon et Bouvet c. France (App. Nos. 9063/14 and 10410/14), judgment of 21 July 2016, and Laborie c. France (App. No. 44024/13), judgment of 19 January 2017. 10  Article 12(6) of the Italian Legge No. 40 of 19 February 2004, in Gazzetta Ufficiale No. 45 of 24 February 2004. For an overview of the evolution of the Italian law on artificially assisted reproduction in the light of the case law of the Italian Constitutional Court and the ECtHR see Campiglio (2014b). In the judgment No. 272 of 22 November-18 December 2017, the Italian Constitutional Court abstained from assessing the lawfulness of the prohibition on surrogate motherhood as well as the possibility of registering the particulars of foreign birth certificates based on surrogacy agreements in Italy, but limited itself to assessing the constitutionality of the rules governing the contestation of parentage owing to the lack of a biological tie between the child and the assumed parent. 11  Paradiso et Campanelli c. Italie (App. No. 25358/12), ECtHR, judgment of 27 January 2015. 12  Paradiso et Campanelli c. Italie (App. No. 25358/12), ECtHR [GC], judgment of 24 January 2017.

The European Court of Human Rights Shaping Family Life in Cross-border…

155

3  The Inexistence of de Facto Family Life In the Paradiso et Campanelli case, the absence of biological and legally recognised ties between the intending parents and the child was undisputed.13 As a result, the Grand Chamber focused on ascertaining the existence of de facto family life. The applicants had been living with the child born from surrogacy for about 8 months, until the child’s removal was ordered by the Italian judicial authorities. The legal reasoning of the Grand Chamber is far from persuasive. The denial of de facto family life raises doubts in that it risks undermining that very notion. In particular, were the Grand Chamber reasoning to be confirmed in future case law, the de facto family life notion would end up crucially depending on the time factor and on the existence of biological or legally recognised ties.

3.1  R  isk of a Merely Quantitative Assessment of de Facto Family Life The first risk to be taken into account lies in the determination of de facto family life on the pivotal basis of the duration of the relevant relationship. The existence of de facto family life would thus depend on such a quantitative element. In the Paradiso et Campanelli case the Grand Chamber defined the duration of the relationship between the child born from surrogacy and their intending parents as a key element in the identification of de facto family life.14 It did also find that the relationship had been close and that the intending parents had effectively played a parental role vis-à-vis the child.15 Nevertheless, it eventually abstained from striking any balance between the shortness of the relationship and the quality thereof. The lack of any such balancing notwithstanding, the fact that the Grand Chamber eventually found that no de facto family life had existed suggests the crucial importance of the time factor.16 The existence of de facto family life risks becoming unclear once essential weight is given to the duration of the relationship between the intending parents and the child born abroad from surrogacy, in spite of the strength of the emotional bonds. Once the quality of a relationship has been ascertained, the question whether the relationship has been long enough to give rise to de facto family life cannot but have an unpredictable answer.  In this connection, the disagreement was limited to the Italian courts’ assessment of the impact of the non-existence of biological ties on the Russian birth certificate under Russian law (Paradiso et Campanelli [GC] cit., paras. 143–146). 14  Paradiso et Campanelli [GC] cit., para. 153. 15  Ibid., para. 151. 16  For some critical remarks on the importance given to the time factor see also Poli (2017); Viviani (2017), p. 82. 13

156

M. Gervasi

The uncertainties inherent in the assessment of the duration of the relationship are apparent in the Paradiso et Campanelli case. Firstly, differently from the Grand Chamber, the shortness of the duration, albeit taken into account, did not prevent the ECtHR Chamber from ascertaining the existence of family life in the 2015 judgment.17 The Chamber highlighted the parental role that the applicants had played towards the child.18 Secondly, as regards the final judgment, five judges dissented from the rest of the Grand Chamber and found the 8-month relationship long enough to give rise to de facto family life.19 Indeed, it is exactly in the final judgment in the Paradiso et Campanelli case that the Grand Chamber acknowledged that defining the minimum duration of a relationship for the existence of de facto family life would be inappropriate, the quality of the relationship and the specific circumstances being also relevant.20 Nevertheless, as pointed out above, in the end the Grand Chamber seemingly gave decisive weight to the shortness of the relationship without balancing it against the—established—quality thereof.21

3.2  R  isk of a Decline in the Autonomous Relevance of de Facto Family Life The second risk that the Grand Chamber reasoning could create lies in the decline in the autonomous relevance of the very notion of de facto family life. In addition to the shortness of the duration of the relationship between the applicants and the child born from surrogacy, the Grand Chamber also mentioned the absence of genetic and legally recognised ties in concluding that there had been no de facto family life.22 Indeed, it is in the assessment of the time factor that the Grand Chamber took into account the lack of genetic and legally recognised links. In particular, the Grand Chamber observed that in D. et autres c. Belgique23 the ECtHR had characterised as family life a relationship even shorter than the one in the Paradiso et Campanelli case, since in the former there was a genetic tie between the applicants and the child born from surrogacy.24 In addition, the Grand Chamber held that the belief in the existence of a genetic link between the intending father and the child born from surrogacy—eventually proved to be unfounded in the Paradiso et Campanelli case—could not make up for the shortness of the

 Paradiso et Campanelli cit., para. 69.  Ibid. 19  Paradiso et Campanelli [GC] cit., joint dissenting opinion of Judges Lazarova Trajkovska, Bianku, Laffranque, Lemmens and Grozev, paras. 4–5. 20  Paradiso et Campanelli [GC] cit., para. 153. 21  See again Poli (2017), also noting the incoherence of the Grand Chamber reasoning. 22  Paradiso et Campanelli [GC] cit., para. 157. 23  D. et autres c. Belgique (App. No. 29176/13), ECtHR, decision of 8 July 2014. 24  Paradiso et Campanelli [GC] cit., para. 154. 17 18

The European Court of Human Rights Shaping Family Life in Cross-border…

157

r­ elationship.25 With regard to the lack of legally recognised ties under Italian law, the Grand Chamber found that, although the applicants could not be held responsible for the cessation of their relationship with the child, their conduct had caused the legal uncertainty of the circumstances and thus the reaction of the Italian authorities thereto.26 The weight so given to genetic and legally recognised links between the applicants and the child born from surrogacy risks reducing the autonomous relevance of the de facto family life notion in that a distinction should be drawn between genetic, legal, and effective family ties.27 The Grand Chamber itself brought up the said distinction even in the final judgment in the Paradiso et Campanelli case.28 Yet, the Grand Chamber eventually took into account the absence of genetic and legally recognised ties in its assessment of de facto family life. It is plain to see that, in so doing, the Grand Chamber blurred the distinction between genetic, legal and effective family ties. As a result, the rationale of the de facto family life notion risks falling away.29 From a broader perspective, leaving aside the said distinction, the Grand Chamber approach seemingly impinges upon the general notion of family life for the purposes of Article 8 ECHR. As is well known, the ECtHR has consistently determined the existence of family life in the light of the substance and reality of the relationship rather than the legal and genetic nature thereof.30 Indeed, in the final judgment in the Paradiso et Campanelli case, the Grand Chamber confirmed the factual root of the family life notion as based on the existence of close emotional bonds.31 Nonetheless, as pointed out above, the Grand Chamber eventually disregarded that premise.32 As a consequence, the judgment is hardly coherent with the ECtHR’s previous case law. In this connection, suffice it to analyse the precedents that  the Grand Chamber mentioned in support of its reasoning. The overall impression is that, in deciding the Paradiso et Campanelli case, the Grand Chamber gave the genetic and

 Ibid., para. 155.  Ibid., para. 156. 27  See especially Murat (2002), pp. 161–162. 28  Accordingly, it went on to verify the existence of de facto family life only after it had found the absence of genetic links (Paradiso et Campanelli [GC] cit., para. 142 ff.) as well as the incompatibility of the relationship with Italian law (ibid., paras. 147–148). 29  In this connection, see also Viviani (2017), p. 82. 30  See ex pluribus Pitea and Tomasi (2012), p. 300; Rainey et al. (2014), p. 335; Schabas (2015), pp. 389–390. 31  Paradiso et Campanelli [GC] cit., para 140. 32  In a decision of 23 February 2017, also the Trento Court of Appeal, in Italy, seemingly noticed that in the end the ECtHR Grand Chamber had disregarded the factual nature of the family life notion despite bringing it up. According to the Italian Court, since the Grand Chamber had reaffirmed the factual basis of the family life notion, the weight given to the absence of genetic ties between the intending parents and the child born from surrogacy could not be considered as a precedent. For some remarks on that decision see Schillaci (2017). 25 26

158

M. Gervasi

legal nature of family ties existing in those precedents much more weight than they had really had there. Firstly, the Grand Chamber cited the Wagner case,33 in which the applicant, who had adopted a child in Peru, had complained about Luxembourg’s refusal to recognise the Peruvian single-adoption judgment, deemed to be in contradiction with Luxembourg legislation restricting full adoption to married couples. According to the Grand Chamber, family life had been found to exist in the Wagner judgment in spite of the inconsistency of the relationship with the domestic legal order because domestic authorities had tolerated it.34 In reality, in that judgment the ECtHR had determined the existence of family life considering that the applicant had continuously acted as the mother of the child for more than 10 years.35 It had abstained from taking into account the non-compliance of the relationship with the domestic legal order as well as the authorities’ tolerance. Secondly, the Grand Chamber mentioned the judgment issued in the Moretti et Benedetti case,36 dealing with Italy’s failure to timely examine the request for adoption lodged by the applicants, who had been the foster parents of a child eventually entrusted to the custody of another couple. The ECtHR had stated it was taking into consideration the de facto ties and thus the substance of the relationship between the applicants and the child, in the absence of any legal parentage, in order to assess the existence of de facto family life.37 The ECtHR had then applied that reasoning in the subsequent Kopf and Liberda case,38 where similar circumstances had occurred.39 In both the precedents, the ECtHR had refrained from considering that the relevant relationship was compatible with the domestic legal order  since the respective States had entrusted the children to the applicants as foster parents. Nevertheless, the Grand Chamber held that the Paradiso et Campanelli case differed from the Moretti et Benedetti and Kopf and Liberda precedents in that the relationship between the intending parents and the child complied with the domestic legal order only in the latter.40 Thirdly, the Grand Chamber referred to the Nazarenko case.41 There the applicant had complained of the cessation of any relationship with the child he had believed he was the father of and therefore alleged a violation of Article 8 ECHR. It is true that in the associated judgment the ECtHR had cited legal elements in observing that the child was born when the applicant was married to her birth-mother and was registered as his child.42 Nonetheless, the ECtHR had concluded for the  Wagner and J.M.W.L. v. Luxembourg (App. No 76240/01), ECtHR, judgment of 28 June 2007.  Paradiso et Campanelli [GC] cit., para. 156. 35  Wagner and J.M.W.L. cit., para. 117. 36  Moretti et Benedetti c. Italie (App. No 16318/07), ECtHR, judgment of 27 April 2010. 37  Ibid., para. 48. 38  Kopf and Liberda v. Austria (App. No. 1598/06), ECtHR, judgment of 17 January 2012. 39  Ibid., paras. 36–37. 40  Paradiso et Campanelli [GC] cit., para. 156. 41  Nazarenko v. Russia (App. No 39438/13), ECtHR, judgment of 16 July 2015. 42  Ibid., para. 58. 33 34

The European Court of Human Rights Shaping Family Life in Cross-border…

159

e­ xistence of family life by reason of the applicant’s belief that he was actually the child’s father and the closeness of their relationship.43 In addition to the precedents that the Grand Chamber mentioned, the ECtHR had confirmed the existence of family life on the basis of the substance and reality of the relationship also in the Mennesson and Labassee twin judgments.44 There the existence of a genetic link between the father and the child born from surrogacy had been central to the decision of the case. In particular, the ECtHR had found a breach of Article 8 ECHR only in the French refusal to recognise the paternity of the children as an essential part of their identity, from the perspective of the right to respect for private life.45 However, in its ascertainment of the existence of family life the ECtHR had not considered the genetic link between the intending father and the child born from surrogacy, nor had it taken into account the tolerance of French authorities for the situation despite the domestic ban on surrogate motherhood.

4  T  he Immediate Consequence of the Non-existence of Family Life: No Balance Between Protection of Family Unity and the State Margin of Appreciation The risks explained just now of a merely quantitative determination of de facto family life and a decline in the autonomous application thereof raise the question as to why the Grand Chamber gave weight to the time factor as well as the lack of genetic and legally recognised ties in reaching the conclusion that there had been no de facto family life. Indeed, one may deduce that the Grand Chamber itself perceived the cruciality of the existence or non-existence of family life for deciding the Paradiso et Campanelli case.46 Such an inference may be drawn a contrario from the fact that the Grand Chamber continued reiterating the absence of family life, even after it had so found, which is to say in proceeding to assess the compatibility of the child’s removal with the right of the applicants to respect for private life.47

 Ibid.  Mennesson cit., para. 45; Labassee cit., para. 37. 45  See also Danisi (2014); Winkler (2015), p. 255; Baratta (2016), p. 323. 46  On the essential importance of the existence of family life in the Paradiso et Campanelli case see again Poli (2017). 47  For instance, in assessing the reasons for the child’s removal against the right of the intending parents to respect for their private life, the Grand Chamber observed that, differently from the Chamber, it considered that the circumstances of the case triggered only the notion of private life, and not that of family life (Paradiso et Campanelli [GC] cit., para. 198). Moreover, in assessing the compatibility of the child’s removal with the right of the intending parents to respect for their private life from the perspective of proportionality, the Grand Chamber specified that the child was not a member of the applicants’ family under Article 8 ECHR and that therefore a distinction had to be drawn between Paradiso et Campanelli and those cases concerning the separation of a child from their parents (Paradiso et Campanelli [GC] cit., paras. 208–209). 43 44

160

M. Gervasi

Whereas the question as to why the Grand Chamber gave weight to the time factor as well as the lack of genetic and legally recognised ties is hard to answer, it is still possible to reflect upon the immediate consequence of the non-existence of family life in the Paradiso et Campanelli case. In finding no family life, the Grand Chamber did not need to balance the protection of family unity against the State margin of appreciation. The protection of family unity would have come into consideration under the right to respect for family life since, as mentioned above, it is the child’s removal that was at stake in the Paradiso et Campanelli case. The Italian authorities separated the child born abroad from his intending parents because the foreign birth certificate had not been registered in Italy. The ECtHR case law provides no guidance as regards the protection of family unity in cross-border surrogacy. It is true that, in the twin judgments in the Mennesson and Labassee cases, the ECtHR seemingly alluded to the protection of family unity. In particular, it took account of the preservation of family unity in finding that France had struck a fair balance between private and public interests.48 Yet, in the Mennesson and Labassee cases the family unity had been maintained: it came into play as just one of the factors to be taken into account in the assessment of the concrete consequences of the non-recognition of the legal parentage established abroad. Therefore, the twin judgments do not properly fill the gap with respect to the balance between the State margin of appreciation and the protection of family unity under Article 8 ECHR in cross-border surrogacy cases. Be that as it may, the case law clearly indicates that States have a wide margin of appreciation with respect to surrogate motherhood, as the ECtHR constantly admitted in both the twin judgments in the Mennesson and Labassee cases49 and the final judgment in the Paradiso et Campanelli case.50 Accordingly, the Grand Chamber held that it was from an ethical perspective that surrogate motherhood primarily represented a highly controversial issue.51 Indeed, the ECtHR acknowledged the lack of a European consensus as to surrogate motherhood.52 As is well known, the absence of a common consensus among  Mennesson cit., paras. 92–94; Labassee cit., paras. 71–73.  Mennesson cit., paras. 78–79; Labassee cit., paras. 57–58. 50  Paradiso et Campanelli [GC] cit., paras. 194, 200 and 215. 51  Ibid., para. 194. In this connection, the individual opinions attached to the final judgment in the Paradiso et Campanelli case are especially telling since the relevant arguments were not only legal, but also moral or political in nature. For instance, in his concurring opinion, Judge Dedov compared surrogate motherhood to prostitution or pornography, as they were all sources of income for someone considering their beauty or health as their only resource (ibid., concurring opinion of Judge Dedov, p. 61). He denied any solidarity in surrogate motherhood since solidarity should be shown only with someone risking their life and without posing health risks, according to people’s reaction to the European migration crisis: “we are ready to accept the immigrants on the basis of solidarity, but we are not ready to put our lives at risk” (ibid., p. 62). Moreover, Judge Dedov stated that surrogate motherhood infringed fundamental principles of human civilisation (ibid., p. 64) and that the Italian prohibition on surrogacy had been approved on the basis of Christian values (ibid., p. 63). 52  Mennesson cit., paras. 78–79; Labassee cit., paras. 57–58. 48 49

The European Court of Human Rights Shaping Family Life in Cross-border…

161

the ECHR States parties is an essential element in the determination of the width of the State margin of appreciation: the less the States parties share a common position, the broader their margin of appreciation is.53 In the final judgment in the Paradiso et Campanelli case, the margin of appreciation doctrine seemingly played a crucial role with regard to the right of the intending parents to respect for private life. It was in striking a balance between public and private interests that Italy had a wide margin of appreciation.54 The Grand Chamber found that the public interests at stake had to be attributed much more weight than the applicants’ private interests in the continuation of their relationship with the child born abroad from surrogacy.55 On the other hand, in the twin judgments in the Mennesson and Labassee cases, the ECtHR seemingly found that the right of the children born from surrogacy to respect for their private life, namely for their identity, weighed heavily even against the State margin of appreciation. According to the ECtHR, biological parentage was such an essential aspect of someone’s identity that the State margin of appreciation had to be reduced.56

5  D  ifficulties in Balancing the Protection of Family Unity Against the State Margin of Appreciation In the light of the broadness of the State margin of appreciation as regards surrogate motherhood, the Grand Chamber would have found it difficult to strike a balance between the protection of family unity and the State margin of appreciation in the Paradiso et Campanelli case had it found that there had been family life. In this connection, it should be borne in mind that it is the removal of the child born from surrogacy that was at stake. Had the Grand Chamber ascertained the existence of family life, it could have found a violation of the applicants’ right to respect for family life in the child’s removal, which would have implied a great reduction of the Italian margin of appreciation. Still, as mentioned above, the ECtHR has repeatedly underlined the width of the State margin of appreciation and the lack of a European common consensus as to surrogate motherhood. The problem of reducing the State margin of appreciation as a result of the protection of the family unity came to the fore in the 2015 judgment in the Paradiso et Campanelli case. There the ECtHR Chamber seemed especially concerned about the protection of family unity in finding a violation of the right to respect for private and family life. It defined the removal of the child as a last resort measure ­permissible  See ex multis Benvenisti (1999), pp. 850–853; Dzehtsiarou (2011); Mowbray (2013), pp. 35–36.  Paradiso et Campanelli [GC] cit., para. 200. 55  Ibid., para. 215. 56  Mennesson cit., para. 80; Labassee cit., para. 59. 53 54

162

M. Gervasi

only when aimed at protecting the child from an imminent danger.57 In order to demonstrate the extrema ratio nature of the child’s removal, the ECtHR Chamber lingered on extensive quotations from the Pontes58 and Zhou59 precedents. Nonetheless, the ECtHR Chamber must have perceived the possible impact of the 2015 judgment on the State margin of appreciation. The decision of the Chamber not to require the reunion of the intending parents with the child born from surrogacy, albeit based on the consideration of the best interests of the child, who had been living in a foster family for 2 years,60 might be read as an attempt to attenuate the concrete consequences of the judgment with respect to the Italian margin of appreciation. The attempt has seemingly ended in failure though. In their partly dissenting opinion, Judges Raimondi and Spano observed that, contrary to the principle of subsidiarity, the majority had substituted their view for that of the Italian domestic authorities61 and thwarted the Italian decision to prohibit surrogate motherhood.62 According to the two Judges, the discretion of States to deny any legal effect to surrogate motherhood contracts would be null should the illegal establishment of a relationship with a child abroad be sufficient to compel domestic authorities to recognise the existence of family life.63 Indeed, after the Chamber had delivered its judgment, Italy requested that the case be referred to the Grand Chamber and complained about a great reduction in the State margin of appreciation, in addition to the risk of the introduction of a parentage criterion other than the legal and biological ones.64 The joint dissenting opinion attached to the 2017 final judgment in the Paradiso et Campanelli case provides further evidence of the problematic impact of the protection of family unity on the State margin of appreciation. In affirming the existence of de facto family life and a violation of Article 8 ECHR, the dissenting judges refrained from even considering the State margin of appreciation:65 had they taken into account it, they would have probably found it more difficult to assert a breach of Article 8 ECHR. On the other hand, had the Grand Chamber in the final judgment in the Paradiso et Campanelli case found that there had been family life and no violation of the right to respect for family life by reason of the width of the State margin of appreciation, it would have disregarded the previous case law concerning the maintenance of family unity. In other words, it would have disregarded also that case law that the ECtHR  Paradiso et Campanelli cit., para. 80.  Pontes c. Portugal (App. no 19554/09), ECtHR, judgment of 10 April 2012, para. 74 ff. 59  Zhou c. Italie (App. no 33773/11), ECtHR, judgment of 21 January 2014, para. 55 ff. 60  Paradiso et Campanelli cit., para. 88. 61  Ibid., joint partly dissenting opinion of Judges Raimondi and Spano, para. 13. 62  Ibid., para. 15. 63  Ibid. 64  Italian Presidenza del Consiglio dei Ministri, Relazione al Parlamento, p. 34. 65  Paradiso et Campanelli [GC] cit., joint dissenting opinion of Judges Lazarova Trajkovska, Bianku, Laffranque, Lemmens and Grozev, paras. 7 and 9. 57 58

The European Court of Human Rights Shaping Family Life in Cross-border…

163

Chamber had extensively recalled and relied upon in finding a breach of Article 8 ECHR in the 2015 judgment in the Paradiso et Campanelli case. It is significant that, albeit in abstracto, the Grand Chamber concerned itself with the confirmation of the importance of the protection of family unity. Although it had found that no family life had existed, the Grand Chamber remarked in any event that only a danger to the physical or moral integrity of a child could justify their removal from the family.66 Moreover, as mentioned before, it reiterated the inexistence of family life also when evaluating the compatibility of the child’s removal with the applicants’ right to respect for their private life.67

6  B  ehind the Difficult Balance Between Protection of Family Unity and the State Margin of Appreciation: Surrogate Motherhood as a Technological Development It is submitted that the technological nature of contemporary surrogate motherhood lies at the root of the difficulties that would have come into consideration had the Grand Chamber needed to balance the protection of family unity against the State margin of appreciation. The ECtHR ensures the observance of the ECHR and the Protocols thereto from the perspective of human rights protection, but advances in technique have been making it increasingly “easy” to have recourse to surrogate motherhood regardless of any human rights concerns. If surrogate motherhood was incompatible with children and women’s rights, then the development of reproductive technologies facilitating surrogacy could hardly be comprehended. Similarly, since  the existence of reproductive rights is questionable, any identification of the origins of reproductive technologies in such rights is scarcely convincing. The ongoingness of the human rights debate on surrogate motherhood confirms that an anthropocentric approach is unsuitable to understand surrogacy. From a broader perspective—leaving aside the specific problem of balancing the protection of family unity against the State margin of appreciation—the technological origins of contemporary surrogate motherhood lie at the root of the general difficulties in coherently interpreting and applying Article 8 ECHR in cross-border surrogacy cases.68 It is also submitted that the final judgment in the Paradiso et Campanelli case is consonant with the technological nature of surrogate motherhood in that it will not represent a precedent that the ECtHR will be confronted with in future cross-border surrogacy cases where the removal of the child born from surrogacy from their intending parents is at stake, provided that de facto family life is deemed to exist. In  Paradiso et Campanelli [GC] cit., para. 209.  Ibid., paras. 208–209. 68  The question whether the right to respect for private and family life under Article 8 ECHR requires the continuity of the family status established abroad on the basis of surrogate motherhood agreements cannot be addressed here, but see Gervasi (2018) and the references there included. 66 67

164

M. Gervasi

other words, in future cross-border surrogacy cases in which the child born from surrogacy is separated from their intending parents, the precedential value of the final judgment in the Paradiso et Campanelli case will depend on the existence of de facto family life. In this connection, it is worth bearing in mind that the family life notion is autonomous in the framework of the ECHR: the determination thereof is mainly left to the ECtHR, namely to the ECtHR’s interpretation of the relevant circumstances.69 Even in those cases where there is no genetic or legally recognised link between the child born from surrogacy and their intending parents, the abovementioned perplexities arising from the Grand Chamber assessment of the existence of de facto family life will give the ECtHR room to disregard the Paradiso et Campanelli final judgment. As previously said, the evaluation of the duration of a relationship is highly uncertain and the consideration of genetic and legally recognised ties for the determination of de facto family life is far from persuasive.70 If a European consensus permitting surrogacy emerges, the ECtHR will have a solid basis to find a violation of the right to respect for family life in the child’s removal from their intending parents.  Despite current domestic prohibitions and restrictions, surrogate motherhood as a technological development seems destined to be increasingly permitted.71 As pointed out above, both traditional and gestational surrogacy is based on artificial reproductive technologies and spreads rapidly worldwide by reason of technological development and the associated economic interests. Even though the debate over the compatibility of surrogate motherhood with human rights is still continuing and all over the world States’ reactions to surrogate motherhood differ considerably, it is arguable that technological development and the underlying economic interests will influence State practice concerning surrogate motherhood. In particular, it is becoming increasingly clear that technique plays an essential role in State decision-making. The need for technological development in a capitalist economy would be so high that technique would no longer be a means of achieving something, but an end in itself. The political State is said to have evolved into an economic and eventually technical State: political decisions would yield to decisions meant to intensify technological development as necessary for power, including military and economic power. Technique ends up exploiting States and their goals for its own development.72  See ex pluribus Sudre (2002), p. 11 ff.; Sicilianos (2015).  The possibility for the ECtHR to ignore the criteria that the Grand Chamber adopted in finding that there had been no de facto family life in the Paradiso et Campanelli case does not imply that the ECtHR will do so. Accordingly, the illustrated risks of a merely quantitative determination of de facto family life and a decline in the autonomous application thereof remain. 71  With this regard, the words of Judge Dedov are especially telling. In his concurring opinion annexed to the final judgment in the Paradiso et Campanelli case, he observed that, in the light of the number of States prohibiting and States  permitting or  tolerating surrogacy, “one may even conclude that surrogacy is ‘winning’” (Paradiso et Campanelli [GC] cit., concurring opinion of Judge Dedov, p. 63). 72  On the increasing role of technique in decision-making see Severino (2017), passim, for instance p. 37 ff., especially pp. 38–39, or p. 143 ff., especially pp. 146–147. See also Galimberti (2011), p. 446 ff., and (2016), p. 207 ff., especially pp. 217–219. 69 70

The European Court of Human Rights Shaping Family Life in Cross-border…

165

References Audit, Mathias. 2014. Bioéthique et droit international privé. In Recueil des cours de l’Académie de Droit International de la Haye, vol. 373. Leiden: Brill. Baratta, Roberto. 2016. Diritti fondamentali e riconoscimento dello status filii in casi di maternità surrogata: la primazia degli interessi del minore. Diritti umani e diritto internazionale 10: 309–334. Benvenisti, Eyal. 1999. Margin of Appreciation, Consensus, and Universal Standards. New York University Journal of International Law and Politics 31: 843–854. Campiglio, Cristina. 2009. Lo stato di figlio nato da contratto internazionale di maternità. Rivista di diritto internazionale privato e processuale XLV: 589–604. ———. 2014a. Il diritto all’identità personale del figlio nato all’estero da madre surrogata (ovvero, la lenta agonia del limite dell’ordine pubblico). Nuova giurisprudenza civile commentata XXX: 1132–1139. ———. 2014b. Norme italiane sulla procreazione assistita e parametri internazionali: il ruolo creativo della giurisprudenza. Rivista di diritto internazionale privato e processuale L: 481–516. Chénedé, François. 2014. Les arrêts Mennesson et Labassée ou l’instrumentalisation des droits de l’homme. Recueil Dalloz 190: 1797–1805. Danisi, Carmelo. 2014. Superiore interesse del fanciullo, vita familiare o diritto all’identità personale per il figlio nato da una gestazione per altri all’estero? L’arte del compromesso a Strasburgo. http://www.articolo29.it. D’Avout, Louis. 2014. La «reconnaissance» de la filiation issue d’une gestation pour autrui à l’étranger, après les arrêts Mennesson et Labassée. Recueil Dalloz 190: 1806–1810. Davì, Angelo. 2012. Le renvoi en droit international privé. In Recueil des cours de l’Académie de Droit International de la Haye, vol. 352. Leiden: Brill. De Sena, Pasquale. 2017. Dignità umana in senso oggettivo e diritto internazionale. Diritti umani e diritto internazionale 11: 573–586. Dzehtsiarou, Kanstantsin. 2011. European Consensus and the Evolutive Interpretation of the European Convention on Human Rights. German Law Journal 12: 1730–1745. Ergas, Yasmine. 2013. Babies Without Borders: Human Rights, Human Dignity, and the Regulation of International Commercial Surrogacy. Emory International Law Review 27: 117–188. Fulchiron, Hugues. 2014. La lutte contre le tourisme procréatif: vers un instrument de coopération internationale? Journal du droit international. Clunet 141: 563–588. Galimberti, Umberto. 2011. Psiche e techne. L’uomo nell’età della tecnica. VIII ed. Milano: Feltrinelli. ———. 2016. I miti del nostro tempo. VI ed. Milano: Feltrinelli. Gervasi, Mario. 2018. The European Court of Human Rights and Technological Development: The Issue of the Continuity of the Family Status Established Abroad Through Recourse to Surrogate Motherhood. Diritti umani e diritto internazionale 12: 213–242. Giungi, Maria Maddalena. 2014. Mennesson c. Francia e Labassee c. Francia: le molteplici sfumature della surrogazione di maternità. Quaderni costituzionali. Rivista italiana di diritto costituzionale XXXIV: 953–957. Guillaumé, Johanna. 2014. Note. Journal du droit international. Clunet 141: 1270–1281. Humbyrd, Casey. 2009. Fair Trade International Surrogacy. Developing World Bioethics 9: 111–118. Isailović, Ivana. 2014. The ECtHR and the Regulation of Transnational Surrogacy Agreements. https://www.ejiltalk.org. Laufer-Ukeles, Pamela. 2013. Mothering for Money: Regulating Commercial Intimacy. Indiana Law Journal 88: 1223–1279. Marongiu Buonaiuti, Fabrizio. 2016. La continuità internazionale delle situazioni giuridiche e la tutela dei diritti umani di natura sostanziale: strumenti e limiti. Diritti umani e diritto internazionale 10: 49–88.

166

M. Gervasi

Mowbray, Alastair. 2013. Between the Will of the Contracting Parties and the Needs of Today. Extending the Scope of Convention Rights and Freedoms Beyond What Could Have Been Foreseen by the Drafters of the ECHR.  In Shaping Rights in the ECHR.  The Role of the European Court of Human Rights in Determining the Scope of Human Rights, ed. Eva Brems and Janneke Gerards, 17–37. Cambridge: Cambridge University Press. Murat, Pierre. 2002. Filiation et vie familiale. In Le droit au respect de la vie familiale au sens de la Convention européenne des droits de l’homme, ed. Frédéric Sudre, 161–208. Bruxelles: Bruylant. Panitch, Vida. 2013. Global Surrogacy: Exploitation to Empowerment. Journal of Global Ethics 9: 329–343. Pitea, Cesare, and Laura Tomasi. 2012. Articolo 8. In Commentario breve alla Convenzione europea per la salvaguardia dei diritti dell’uomo e delle libertà fondamentali, ed. Sergio Bartole, Pasquale de Sena, and Vladimiro Zagrebelsky, 297–369. Padova: Cedam. Poli, Ludovica. 2015. Maternità surrogata e diritti umani: una pratica controversa che necessita di una regolamentazione internazionale. BioLaw Journal – Rivista di BioDiritto: 7–28. ———. 2017. La Grande Camera e l’ultima parola sul caso Paradiso e Campanelli. http://www. sidiblog.org. Rainey, Bernadette, Elizabeth Wicks, and Clare Ovey. 2014. Jacobs, White, and Ovey. The European Convention on Human Rights. VI ed. Oxford: Oxford University Press. Schabas, William. 2015. The European Convention on Human Rights. A Commentary. Oxford: Oxford University Press. Schillaci, Angelo. 2017. Due padri, i loro figli: la Corte d’Appello di Trento riconosce, per la prima volta, il legame tra i figli e il padre non genetico. http://www.articolo29.it. Severino, Emanuele. 2017. Il tramonto della politica. Considerazioni sul futuro del mondo. Milano: Rizzoli. Sicilianos, Linos-Alexander. 2015. La vie familiale en tant que notion autonome au regard de la CEDH. In Mélanges en l’honneur de / Essays in Honour of Dean Spielmann. Liber Amicorum Dean Spielmann, ed. Josep Casadevall, Guido Raimondi, Erik Fribergh, Patrick Titiun, Peter Kempees, and John Darcy, 595–602. Oisterwijk: Wolf Legal Publishers. Spar, Debora. 2005. For Love and Money: The Political Economy of Commercial Surrogacy. Review of International Political Economy 12: 287–309. Stark, Barbara. 2012. Transnational Surrogacy and International Human Rights Law. ILSA Journal of International and Comparative Law 18: 369–386. Straehle, Christine. 2016. Is There a Right to Surrogacy?  Journal of Applied Philosophy 33: 146–159. Sudre, Frédéric. 2002. Rapport introductif. La «construction» par le juge européen du droit au respect de la vie familiale. In Le droit au respect de la vie familiale au sens de la Convention européenne des droits de l’homme, ed. Frédéric Sudre, 11–54. Bruxelles: Bruylant. Tonolo, Sara. 2014. La trascrizione degli atti di nascita derivanti da maternità surrogata: ordine pubblico e interesse del minore. Rivista di diritto internazionale privato e processuale  L: 81–104. ———. 2017. L’evoluzione dei rapporti di filiazione e la riconoscibilità dello status da essi derivante tra ordine pubblico e superiore interesse del minore. Rivista di diritto internazionale C: 1070–1102. Trimmings, Katarina, and Paul Beaumont. 2011. International Surrogacy Arrangements: An Urgent Need for Legal Regulation at the International Level. Journal of Private International Law 7: 627–647. Viviani, Alessandra. 2017. Paradiso e Campanelli di fronte alla Grande Camera: un nuovo limite per le “famiglie di fatto”?  GenIUS.  Rivista di studi giuridici sull’orientamento sessuale e l’identità di genere 4(1): 78–86. Watson, Clara. 2016. Womb Rentals and Baby-Selling: Does Surrogacy Undermine the Human Dignity and Rights of the Surrogate Mother and Child? The New Bioethics 22: 212–228. Wilkinson, Stephen. 2016. Exploitation in International Paid Surrogacy Arrangements. Journal of Applied Philosophy 33: 125–145. Winkler, Matteo. 2015. Senza identità: il caso Paradiso e Campanelli c. Italia. GenIUS. Rivista di studi giuridici sull’orientamento sessuale e l’identità di genere 2(1): 243–257.

Hybrid Governance or… Nothing? The EU Code of Conduct on Combatting Illegal Hate Speech Online Karolina Podstawa

Abstract  Ever since the emergence of the social media platforms as the all-­ encompassing providers of communication, information and entertainment, the Internet has been considered a community-made and governed space. This utopia, however, was bound to be challenged by the exigencies related to the spill-over effects of virtual activity to the very real, physical world, on the one hand, and, on the other, the need to regulate the nominally illegal behaviours of individuals in the virtual realm, such as online hate speech. The two phenomena are often inter-­ connected. Against this background, this Chapter aims to shed light on the emerging role of the Internet Service Providers (ISPs) who control the virtual environment where illegal behaviours may occur. Whilst not responsible for what, prima facie, is published, it is argued that the ISPs are an essential element in the enforcement of hate speech criminal rules, as confirmed by the European Commission’s Code of Conduct on Combatting Illegal Hate Speech Online. This governance instrument exemplifies the essentiality of the ISPs collaboration with the traditional enforcement agents in ensuring the blocking and removal of content online, as well as in subsequent criminal proceedings. At the same time, by involving the representatives of the broader community in monitoring the implementation of the Code, the mixed hybrid governance and enforcement model offers a possible (even if imperfect) solution to the current deadlock in the regulation of Internet governance.

1  Introduction The Internet for long has been viewed as a community-owned public space where freedom of expression could thrive. As such it was considered somewhat of a public good; the space where regulation should not reach unless through the work of the

K. Podstawa (*) University of Maastricht, Maastricht, The Netherlands e-mail: [email protected] © Springer Nature Switzerland AG 2019 E. Carpanelli, N. Lazzerini (eds.), Use and Misuse of New Technologies, https://doi.org/10.1007/978-3-030-05648-3_9

167

168

K. Podstawa

creators and users of this public space.1 Yet, this arrangement does not work when the activities of users are not legal, on the one hand, and when they do have illegal, real, physical world implications, on the other hand. Even if substantive criminal laws apply by default to the activities taking place online, their enforcement has proved extremely difficult. In particular, both the substantive and procedural fragmentation of laws relating to illegal content online have not contributed to the effective protection of fundamental rights of individuals online, nor of democratic values, for that matter. This has been confirmed by the 2008 Framework Decision on combating certain forms and expressions of racism and xenophobia by means of criminal law (the “2008 Framework Decision”),2 which, as it was revealed, encountered serious obstacles to its online implementation. It is in this context that the particular role of the ISPs comes to the forefront. These are the entities that enable the participation in the Internet world and are also the ones that set the rules of access, persistence and removal from the online community. In other words, they are as much gatekeepers as guards and occasional peace-keepers in their domains. More recently, following the adoption by the European Commission of the Code on Countering Illegal Hate Speech Online (CoC),3 they also became the enforcers of these rules. Importantly though, they play this role in their domains only, side by side with and not instead of criminal enforcement. This Chapter argues that such development is an essential step in creating a complementary system capable of ensuring protection of fundamental rights and democratic guarantees in the Internet space. The analysis, based on policy and legal documents, as well as on academic contributions and interviews with policy makers, consists of three steps. Firstly, the governance setting will be described pointing to the surfacing underlying assumptions visible in the emerging governance mode. Then, the focus will be placed on two roles of the ISPs: that of gatekeepers, who can potentially threat the exercise of our rights. This perception will be confronted with the outlined governance approach with the conclusion emphasizing the role of the ISPs as guardians.

 See, in general, on Internet governance Mihr (2017).  For general discussion of hate crimes and, amongst others‚ their relationship to the Internet space, see Schweppe et al. (2018). See also the work of the dedicated group of experts working under the auspices of the European Commission: European Commission (2018), A EU High Level Group on combating racism, xenophobia and other forms of intolerance, available at: http://ec.europa.eu/ newsroom/just/item-detail.cfm?&item_id=51025. 3  European Commission, Code of Conduct on Countering Illegal Hate Speech Online of 31 May 2016, available at: http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=54300. 1 2

Hybrid Governance or… Nothing? The EU Code of Conduct on Combatting Illegal…

169

2  T  he Policy and Governance Framework for Combatting Illegal Hate Speech Online In this section we will discuss the architecture of the current governance scheme for combatting illegal hate speech online, emphasizing its new governance elements and gradually developing new features. The analysis will start off with the CoC, but will be complemented by selection of the subsequent initiatives which not only took on board various features of the Code, but enhanced them to better serve the purposes of governance of the online illegal content emphasizing the role of the ISPs as the essential actors in the process.

2.1  T  he Framework Decision 2008/913/JHA and the Code of Conduct on Countering Illegal Hate Speech Online The origins of the CoC can be traced back to the report of the European Commission to the European Parliament on implementation of the 2008 Framework Decision. Article 1 of the latter defines hate speech as any intentional conduct (or instigating, aiding and abetting to such according to Article 2): (a) publicly inciting to violence or hatred directed against a group of persons or a member of such a group defined by reference to race, colour, religion, descent or national or ethnic origin; (b) the commission of an act referred to in point (a) by public dissemination or distribution of tracts, pictures or other material; (c) publicly condoning, denying or grossly trivialising crimes of genocide, crimes against humanity and war crimes as defined in Articles 6, 7 and 8 of the Statute of the International Criminal Court, directed against a group of persons or a member of such a group defined by reference to race, colour, religion, descent or national or ethnic origin when the conduct is carried out in a manner likely to incite to violence or hatred against such a group or a member of such a group; (d) publicly condoning, denying or grossly trivialising the crimes defined in Article 6 of the Charter of the International Military Tribunal appended to the London Agreement of 8 August 1945, directed against a group of persons or a member of such a group defined by reference to race, colour, religion, descent or national or ethnic origin when the conduct is carried out in a manner likely to incite to violence or hatred against such a group or a member of such a group.4

With reference to these conducts, EU Member States are to adopt measures in order to prevent such crimes both in the real and virtual setting. In fact, the 2014 Report on its implementation attributes high importance to the online hate speech as “one of the most prevalent ways of manifesting racist and xenophobic attitudes”.5  Council of the European Union (2008) Framework Decision on combating certain forms and expressions of racism and xenophobia by means of criminal law, Article 1. 5  Report from the Commission to the European Parliament and the Council on the implementation of Council Framework Decision 2008/913/JHA on combating certain forms and expressions of racism and xenophobia by means of criminal law (COM/2014/027 final), Sect. 3.8. 4

170

K. Podstawa

Consequently, it indicates that the Member States should “ensure that their jurisdiction extends to cases where the conduct is committed through an information system and the offender or materials hosted in that system are in its territory”.6 Of all Member States, at the time of drafting that Report only Cyprus was considered as having fully transposed this aspect of the Framework Decision into its legislation. In addition, the Report revealed that: the legislation of DK, MT and SI makes specific reference to information systems, and HR refers to the offence being committed through electronic press. CZ, LU, HU, AT, PT, RO, SK and SE say that their general jurisdictional rules cover online hate speech situations but have provided no detailed information. On the other hand, BE, BG, DE, FR and UK have provided case law to show that their courts have taken cognizance of cases involving information systems, the majority of which appear to establish jurisdiction when the offender is physically present/resident in the relevant jurisdiction or when the material was accessible in that jurisdiction or clearly addressed to that country’s public.7

At the same time, the Report observed that “(d)ue to its special character, including the difficulty of identifying the authors of illegal online content and removing such content, hate speech on the internet creates special demands on law enforcement and judicial authorities in terms of expertise, resources and the need for cross-­ border cooperation”.8 The CoC itself refers to the 2008 Framework Decision. It emphasizes that: (w)hile the effective application of provisions criminalising hate speech is dependent on a robust system of enforcement of criminal law sanctions against the individual perpetrators of hate speech, this work must be complemented with actions geared at ensuring that illegal hate speech online is expeditiously acted upon by online intermediaries and social media platforms, upon receipt of 1a valid notification, in an appropriate time-frame.9

It is clear both from the wording and the substance of the CoC that the adoption of this measure was meant to complement the existing criminal law substantive and procedural provisions. Why was this the case? It seems that in the years of implementation of the 2008 Framework Decision Member States’ authorities and users encountered obstacles in establishing channels of communication with the ISPs. The requests for blocking and removal of content were often ignored whilst the authorities would not be able to obtain the information on existence of persistent offences, on the one hand, nor concrete details on identified offenders, on the other hand.10 In such a context, it was pertinent for the EU to develop the modality, through which the online hate crimes would have been tackled efficiently. This was conceived as a part of the broader initiative of the European Commission to ensure the blocking and the removal of the online content that is considered as illegal also

 Ibid., Sect. 3.8.  Ibid., Sect. 3.8. 8  Ibid., Sect. 4. 9  CoC, p. 2. 10  Interviews with the European Commission officials which took place in June 2016. 6 7

Hybrid Governance or… Nothing? The EU Code of Conduct on Combatting Illegal…

171

under other EU legislative measures.11 In effect, following the adoption and implementation of the CoC, the Commission adopted the Communication “Tackling Illegal Content Online. Towards an Enhanced Responsibility of Online Platforms”, which contains a set of “guidelines and principles of online platforms to step up the fight against illegal content online in cooperation with national authorities, Member States and relevant stakeholders”.12 The Communication builds on the CoC, offering the set of guidelines applicable to combating sexual abuse and sexual exploitation of children and child pornography, terrorism and copyright infringements. In all cases, the emergent governance structure is strongly rooted in the hard legislation (both adopted and proposed). All of the hard law rules, however, for their effective implementation require the participation of the ISPs and their users. As the result, the resulting governance structure bears resemblance to the EU open method of coordination model.13 In the case of hate speech, as explained above, the CoC is complementary to the 2008 Framework Decision and thus the entire governance structure is of hybrid nature,14 emphasizing the peculiar, horizontal to an extent, regulatory Internet setting. The sections below present the CoC as the instrument of new governance complementary to the hard governance elements. As such, it must possess the following characteristics: it must reflect a participatory approach, involve on-going monitoring, evaluation and learning, participation to it should be voluntary, and, finally it must be embedded in the soft law framework.15 2.1.1  Participatory Approach The adoption, implementation, monitoring and related evaluation of the CoC is designed as a fully participatory endeavour. The initiative emerged from the EU Colloquium on Fundamental Rights held in October 2015, whose content was determined through a public consultation that  Ibid.  European Commission. 2017. Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Tackling Illegal Content Online. Towards an enhanced responsibility of online platforms. COM(2017)555, p. 5. 13  The Open Method of Co-ordination (OMC) is the flagship instrument of the EU new governance setting entailing the European Commission creating a multi-stakeholder platform for the creation, the monitoring and the implementation of specific rules (of soft and hard nature) in order to attain the objectives in various policy fields. In particular, it has been used in the area of social and environmental policy. In addition, the EU implementation of the UN Guiding Principles on Business and Human Rights seems to be organised according to the same principles. See Pennings (2011), Besselink et al. (2011) and Augenstein et al. (2017) on the implementation of the UNGPs through the OMC. 14  See the discussion by Mark Dawson on three waves of EU new governance with the final one entailing the co-existence of traditional and new governance instruments: Dawson (2011). For general introduction to new governance theories, see: De Búrca and Scott (2006). 15  De Búrca and Scott (2006). 11 12

172

K. Podstawa

took place in April and May 2015. The topic of the colloquium was “Tolerance and respect: preventing and combating Anti-Semitic and anti-Muslim hatred in Europe”. As its result, the European Commission invited Facebook, Microsoft, Twitter and YouTube (involved already in the anti-terrorist oriented EU Internet Forum), as well as representatives of the civil society,16 to collaborate in the attempt to develop a tool aimed at enhancing the implementation of the 2008 Framework Decision. Indeed, the core of the CoC lies in laying out the ground rules for the enforcement of the 2008 Framework Decision whilst ensuring that freedom of expression is not violated. The 2008 Framework Decision defines freedom of expression in line with the case law of the ECtHR as freedom “not only to ‘information’ or ‘ideas’ that are favourably received or regarded as inoffensive or as a matter of indifference, but also to those that offend, shock or disturb the State or any sector of the population”.17 In the implementation process, each of the actors has an assigned role. The role of Civil Society Organisations (CSOs) is of particular importance “in the field of preventing the rise of hatred online, by developing counter-narratives promoting non-discrimination, tolerance and respect, including through awareness-­ raising activities”. The European Commission was to step up its actions in the field of combatting the rise of the hate speech online (in particular, in the context of the fight against terrorism), as well as the adherence on the Member States’ level to the principles outlined in the CoC, whilst the ISPs are requested to aid the Member States and the European Commission in enforcing the existing tools.18 Of particular importance here is the designation of contact points between the ISPs and the Member States as means of improving the speed and effectiveness of communications. The purpose of such channels of communication is to “enable Member States, and in particular their law enforcement agencies, to further familiarise themselves with the methods to recognise and notify the companies of illegal hate speech online”.19 As mentioned above, such enforcement is dependent on a “valid” notification, which must be sufficiently precise and substantiated. Here again, different actors preform various functions. The ISPs committed20 themselves, first of all, to include the prohibition of incitement to violence and hateful conduct in their internal community rules. These, together with the national laws transposing the 2008 Framework Decision, should be the standards against which notifications are to be evaluated. Both the ­community  See below for the NGOs involved in the process of creation of the CoC, which are also involved in the evaluation of its implementation. It must be noted, however, that European Digital Rights (EDRi) and Access Now withdrew from the discussion considering the CoC as “ill-intended” and downgrading for the laws in place. See European Digital Rights (2016) EDRi and Access Now  Withdraw from EU Commission Discussions available at https://edri.org/ edri-access-now-withdraw-eu-commission-forum-discussions. 17  Handyside v. the United Kingdom (App. No. 5493/72), ECtHR, judgment of 7 December 1976, para. 49. 18  CoC, p. 1. 19  Ibid. p. 2. 20  Ibid. pp. 2–3. 16

Hybrid Governance or… Nothing? The EU Code of Conduct on Combatting Illegal…

173

rules and the “notice and take down” mechanisms are to serve the aim of raising awareness. Furthermore, the ISPs are also to put in place clear and effective (so involving specific internal resources) processes to review notifications in order to block or remove the content of the type. To this end, the staff should be continuously trained and new ways of addressing the matter should be sought. In addition, the notifications must be reviewed within 24 hours and should result in “disabling” the account or removing the content at issue. The notifications concerning content allegedly displaying characteristics of hate speech can arrive through two principal channels. The first of them involves standard users, whereas the second one foresees a role for “trusted reporters”, meaning CSOs who must “help to provide high quality notices”.21 To this end, ISPs together with the European Commission will ensure that the notifying entities possess the necessary skills. Notifications from such entities are more reliable and so the take down mechanism may be even automatic. Information on such “trusted reporters” should be made available on the websites by the ISPs. Finally, reports on the implementation of the CoC should be submitted to the EU High Level Group on combating racism, xenophobia and other forms of intolerance, which was established towards the end of 2016. Within the group, a special sub-­ group was formed, focused on countering combatting illegal hate speech online. The sub-group is composed of the Member States’ national contact points for the purpose of combatting hate speech online and an additional representative from another service (ministry or other relevant authority; in order to ensure their participation, a special budget was allocated to cover their expenses); the representatives of the ISPs; representatives of the CSOs involved with the monitoring exercise and trusted flaggers. Finally, and depending on the agenda the sub-group will host representatives of international organisations such as the Council of Europe or EU agencies such as FRA as well as other stakeholders (equality bodies or national human rights institutions). This completes the overall participatory architecture of the CoC’s creation, implementation and evaluation. In the second step we will analyze the evaluative element in the CoC also inasmuch as it leads to the learning of the governance structure and improvement of its performance. 2.1.2  Monitoring, Evaluation and Learning The CoC foresees that the public review of implementation of the outlined commitments is conducted on a regular basis, including their broader impact.22 Here a new actor comes to the picture: the High Level Group on combating racism, xenophobia and all forms of intolerance23 is to be a body receiving reports on the matter.  Ibid. p. 2.  Ibid. p. 3. 23  European Commission, EU High Level Group on combating racism, xenophobia and other forms  of intolerance, 2008, available at: http://ec.europa.eu/newsroom/just/item-detail. cfm?&item_id=51025. 21 22

174

K. Podstawa

So far, three rounds of evaluation took place,24 showing gradual improvement of the “notice and take-down” mechanism and growing participation of international and local CSOs. According to the January 2018 evaluation, up to 81% of notifications are tackled within the prescribed 24 hours25 (as compared to 59.1% in June 201726 and 40% in December 201627). By 2018, 70% hate speech is removed; however, feedback is only provided to users in 69.1% of cases.28 In general, the evaluation shows gradual improvement of the performance of the ISPs and the documented increase in the number of tackled notifications. Content deemed as hate speech concerned ethnic origin (17.1%), Muslim hatred (16.4%) and xenophobia (16%).29 The process and methodology of evaluation deserve here particular attention. The evaluation is conducted under coordination of the European Commission, however, using the CSOs as chief agents. The exercises are carried out in the specified period of time (for instance, the final round of evaluation took place between 6 November to 15 December 2017). In total, “33 organisations and 2 public bodies (in France and Spain) reported on the outcomes of a total sample of 2,982 notifications from all the Member States except for Luxembourg. An additional 9 cases were reported to other social platforms”.30 Notifications were submitted through the channels for “trusted reporters” or using those available to everybody. In particular, “trusted reporters” would use the commonly accessible channel in order to report for the second time the content, which has not triggered first time the response on the part of the ISPs. In all cases, the notifications concerned only the content, which would be considered as hate speech under the 2008 Framework Decision. Importantly, the evaluation exercise is not to deliver the general statistical overview of the types of hate speech reported, but the effectiveness of the procedures established by the ISPs participating in the exercise. The three evaluation rounds show the gradual improvement of ISPs’ performance and the learning process of the entire community, making sure that the “notice and take-down” mechanism effectively works for everybody. Importantly,

 Jourová, Vera (2016). Code of Conduct on Countering Illegal Hate Speech Online: First Results on Implementation (December 2016) Directorate-General for Justice and Consumers, available at https://ec.europa.eu/information.../2016-50/factsheet-code-conduct-8_40573.pdf; Jourová, Vera (2017). Code of Conduct on Countering Illegal Hate Speech Online: One Year after (June 2017). Directorate-General for Justice and Consumers. Available at https://ec.europa.eu/information_ society/newsroom/image/document/2016-50/factsheet-code-conduct-8_40573.pdf; Jourová, Vera (2018). Code of Conduct on Countering Illegal Hate Speech Online. Results of the 3rd Monitoring Exercise (January 2018). Directorate-General for Justice and Consumers, available at https:// ec.europa.eu/newsroom/just/document.cfm?doc_id=49286. 25  Jourová (2018) cit., p. 1. 26  Jourová (2017) cit., pp. 2–3. 27  Jourová (2016) cit., p. 4. 28  Jourová (2018) cit., pp. 4–5. 29  Ibid., p. 5. 30  Ibid. 24

Hybrid Governance or… Nothing? The EU Code of Conduct on Combatting Illegal…

175

the evaluation is to continue, which is pledged by the European Commission in the summary of results.31 On the basis of the experience so far, the European Commission issued the Recommendation on measures to effectively tackle illegal content online.32 The Recommendation contains indications on the technical requirements as to how the “notice and take-down” mechanism should be structured. In particular, the procedural safeguards towards notice providers should be established. Specifically, the ISPs should not share the identity of the authors of notices to the content providers. The Recommendation foresees a series of information duties. For instance, the notice provider should be informed about the way, in which his notice was tackled. Moreover, the content provider should be informed of the reasons why the hosting provider has removed content. This, however, would not apply if the content concerned is illegal, in order not to interfere with the on-going investigations. The Recommendation foresees the principles of transparency, proactive measures and advocates the establishment of out-of-court settlement mechanisms.33 The Recommendation clearly reflects the problems emerging from the implementation of the CoC, whilst at the same time it anticipates the response to the critiques against the measure. What can be observed in the Recommendation is the gradual knowledge about the issues that can be encountered in the implementation of the “notice and take-down”, mechanisms stemming from evaluation, continuous consultation and critiques from the CSOs and the academic community. These will be addressed in detail in Part 3 of this contribution. 2.1.3  Soft Law and Voluntariness of Participation The final feature of the CoC perceived as a new governance structure is its use of soft law measures and the associated voluntariness of participation. In fact, on the civil society side, CSOs had the freedom to join the original cohort, gain the status of trusted flaggers and watch over the enforcement of principles outlined in the CoC. The initial, December 2016, evaluation exercise involved only 12 organizations, which increased to 33 and 2 national authorities in 2018. It must be noted that in the final monitoring round, aside the notifications to the ISPs, the CSOs submitted 511 cases of hate speech to the relevant public authorities (police, public prosecutor’s bodies and national authorities) of the Member States, thus broadening the scope of the exercise and its impact. The participation on the part of the ISPs is equally voluntary. Under Article 16 of the Directive on Electronic Commerce, the Member States and the European Commission shall encourage the drawing up of codes of conduct at the Union level, by trade, professional and consumer associations or organisations designed to  Ibid.  Commission Recommendation of 1 March 2018 on measures to effectively tackle illegal content online COM(2018)1177 final. 33  Ibid., Chapter II. 31 32

176

K. Podstawa

c­ ontribute to the implementation of its Articles 5 to 15. The CoC is one of those documents, developed in order to facilitate the cooperation between the Member States, the European Commission and the ISPs in the implementation of the Framework Decision. From the ISPs’ point of view, the CoC should, in fact, guide “their own activities as well as [the] sharing [of] best practices with other Internet companies, platforms and social media operators”. It is, therefore, a classical soft law instrument, to which the ISPs platforms operating within the territory of the EU can accede. In fact, in January 2018 Instagram and Google Plus announced joining the original cohort of ISPs abiding by the CoC, namely Facebook, Twitter, Microsoft, and YouTube.

2.2  German Network Enforcement Act It must be emphasized at this stage that the voluntariness of the self-regulatory principles enshrined in the CoC may be short lived. This is due to the gradual attempts undertaken by the Member States of the European Union (and beyond)34 to induce a higher level of collaboration on the part of the ISPs in combatting not only hate speech, but also content which would interfere with democratic processes. Whilst a number of States have attempted to induce ISPs to remove unwanted posts, it is Germany that was a pioneer in introducing binding legislation to this effect. On 1 September 2017, the German Parliament adopted the Act to Improve Enforcement of the Law in Social Networks (“Network Enforcement Act”), which is colloquially known as the “anti-hate speech regulation”.35 Similarly to the CoC, the Network Enforcement Act is a measure complementary to the existing ones. In fact, the unlawful content according to Sect. 1(3) of the Network Enforcement Act is such that is understood under specific sections of the German Penal Code. It is important to name the entire list in order to picture the scope of the application of the law. These are: dissemination of propaganda material of organisations considered unconstitutional, such as Nazi ones (Sect. 86) and using their symbols (Sect. 86a); preparation of a serious violent offence endangering the State (Sect. 89a); incitement to the commission of a serious violent offence endangering the state (Sect. 91a), treasonous forgery (Sect. 100a), public incitement to crime (Sect. 111), breaching public peace with a threat of committing an offence (Sect. 126), creation of a criminal (Sect. 129) and terrorist organisations (Sect. 129a), including those abroad (Sect. 129b); the incitement to hatred (Sect. 130), dissemination of depictions of violence (Sect. 131), rewarding and approving of offences in a public manner (Sect. 140), defamation of religions, religious and ideological associations (Sect. 166), distribution, acquisition and possession of child pornography, in  See the recent Malaysian regulation: 2018 Anti-Fake News Act (No. 803).  Available at (BGBl. I S. 3352). The English version of the text prepared by the Ministry of Justice is available at: www.bmjv.de/SharedDocs/Gesetzgebungsverfahren/Dokumente/NetzDG_engl. pdf?__blob=publicationFile&v=2. 34 35

Hybrid Governance or… Nothing? The EU Code of Conduct on Combatting Illegal…

177

p­ articular distribution through broadcasting, media services and telecommunication (Sect. 184b in connection with Sect. 184d), insult (Sect. 185); defamation (Sect. 186) and intentional defamation (Sect. 187), violation of intimate privacy by taking photographs (Sect. 201a), threatening with the commission of felony (Sect. 201a). Significantly, aside from covering a variety of facets of hate speech, the Act also applies to defamation (and so the protection of ones good reputation which is customarily to be balanced with freedom of expression) as well as child pornography and combatting terrorist organizations. The ISPs (having more than two million users registered in Germany according to Sect. 1(2) of the Network Enforcement Act) are defined as telemedia service providers which, for profit-making purposes, operate internet platforms which are designed to enable users to share any content with other users or to make such content available to the public (social networks). Platforms offering journalistic or editorial content, the responsibility for which lies with the service provider itself, shall not constitute social networks within the meaning of this Act. The same shall apply to platforms which are designed to enable individual communication or the dissemination of specific content.

This means that not all platforms will be bound by these rules. However, for sure the four ISPs participant to the European Commission’s CoC correspond to the requirements of the Network Enforcement Act definition. The obvious question concerns the extent to which obligations stemming from the Network Enforcement Act overlap with the practices developed on the basis of the CoC. Pursuant to the Network Enforcement Act, the ISPs are to set up an effective and transparent “notice and take-down” mechanism. The mechanism should lead to blocking or removal the manifestly unlawful content within the period of 24 h up to 7 days, if the content must be evaluated (Sect. 3). The information on the procedure for specific complaints should be stored up to 10 weeks for the purposes of delivering evidence in possible criminal proceedings (in line with the exigencies of Directive on electronic commerce 2000/31/EC36 and Audiovisual Media Services Directive 2010/13/EU37). Finally, and the Network Enforcement Act foresees two forms of collaboration that are of importance for the implementation of the 2008 Framework Decision. In the first place there is the collaboration between the ISPs and the Member States. Any platform, which receives “more than 100 complaints per calendar year about unlawful content shall be obliged to produce half-yearly German-language reports on the handling of complaints about unlawful content on their platforms, covering the points enumerated in subsection (2), and shall be obliged to publish these reports in the Federal Gazette and on their own website no later than one month after the  Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (“Directive on electronic commerce”), OJ L 178, 17.7.2000, pp. 1–16. 37  Directive 2010/13/EU of the European Parliament and of the Council of 10 March 2010 on the coordination of certain provisions laid down by law, regulation or administrative action in Member States concerning the provision of audiovisual media services (“Audiovisual Media Services Directive”), OJ L 95, 15.4.2010, pp. 1–24. 36

178

K. Podstawa

half-year concerned has ended” (Sect. 2 Network Enforcement Act). The information basically contains the same elements as the reports on the monitoring of the implementation of the CoC: 1. general observations outlining the efforts undertaken by the provider of the social network to eliminate criminally punishable activity on the platform, 2. description of the mechanisms for submitting complaints about unlawful content and the criteria applied in deciding whether to delete or block unlawful content, 3. number of incoming complaints about unlawful content in the reporting period, broken down according to whether the complaints were submitted by complaints bodies or by users, and according to the reason for the complaint, 4. organisation, personnel resources, specialist and linguistic expertise in the units responsible for processing complaints, as well as training and support of the persons responsible for processing complaints, 5. membership of industry associations with an indication as to whether these industry associations have a complaints service, 6. number of complaints for which an external body was consulted in preparation for making the decision, 7. number of complaints in the reporting period that resulted in the deletion or blocking of the content at issue, broken down according to whether the complaints were submitted by complaints bodies or by users, according to the reason for the complaint, according to whether the case fell under section 3 subsection (2) number (3) letter (a), and if so, whether the complaint was forwarded to the user, and whether the matter was referred to a recognised self-regulation institution pursuant to section 3 subsection (2) number (3) letter (b), 8. time between complaints being received by the social network and the unlawful content being deleted or blocked, broken down according to whether the ­complaints were submitted by complaints bodies or by users, according to the reason for the complaint, and into the periods “within 24 hours”/“within 48 hours”/“within a week”/“at some later point”, 9. measures to inform the person who submitted the complaint, and the user for whom the content at issue was saved, about the decision on the complaint. On the other hand, the ISPs are supposed to foster cooperation among each other, in particular, through creating a self-regulation agency, which would oversee the handling of complaints (Sect. 2(5) of the Network Enforcement Law). Such institution, in line with Sect. 2(6), should be sufficiently independent and equipped appropriately to facilitate the reply to the evaluation of the complaint within the 7-day deadline period. The procedure of analysis should be transparent and foreseeable. The institution itself should be sufficiently funded by the affiliated social networks and recognized by the administrative authority named in section 4 (Ministry of Justice). The recognition can be withdrawn or made conditional on the fulfilment of the above-described requirements by the very same administrative authority. One of the conditions to be satisfied by the self-regulating authority is that the complaints are handled within the 7-day period.

Hybrid Governance or… Nothing? The EU Code of Conduct on Combatting Illegal…

179

Clearly, the provisions on cooperation between the ISPs and the Member States, as well as those on the possibility to establish a self-regulation agency, go beyond the scope of regulation envisaged by the CoC.  Yet, the ideas behind remain the same. The “notice and take-down” mechanism sets the similar objective of 24 hours tackling period, whilst the cases requesting further evaluation are permitted the extended period of 7 days. On the other hand, the obligation to establish the contact point on the part of the IPSs seems to be one-sided with the assumption that German enforcement bodies have their agents clearly instructed as to how approaching the ISPs. The system of control is centralized with the Ministry of Justice, which receives the monitoring reports and is responsible for making the ISPs accountable and starting proceedings in court. In this vein, the Network Enforcement Act foresees administrative fines of up to 50 million Euros that can be imposed on the ISPs who consistently disregard the obligations imposed by the Act. Should the requirements of Sect. 3 not be fulfilled, according to sections 4(1)2 and 4(1)3 of the Act, the ISPs can be administratively fined. In case of such administrative offences, penalties of up to 5 million Euros can be imposed, which can be enhanced up to 500 million Euros on the basis of the Act on Regulatory Offences. Finally, at times the administrative authority (the Ministry of Justice) can intervene in order to issue a decision of removal of the content, which relates to the content that has not been appropriately tackled by an ISP. However, in such cases, according to Sect. 4(5), it should first obtain the decision of the unlawfulness of such content issued by the court (the same court will have the jurisdiction on the matter as the one that would rule on the objection to the regulatory fine order). Such application should be submitted to the court together with the grounds provided by the ISPs. The decision of the court should not be contestable and will be binding on the administrative authority. In this way, the Network Enforcement Act adds to the standard “notice and take down” mechanism the aspects of control by the administrative and judicial authorities. Even though both types of controls are highly controversial, they respond to the critique uttered against the CoC, and, in particular, against the special position the ISPs have in the process. The subsequent sections will address these critiques.

3  Internet Service Providers as “Gatekeepers”? The above-described emerging governance structure seems to be solidifying the perception of the ISPs as responsible for (at least) removing or blocking the content deemed illegal. It is claimed that the soft and hard “notice and take-down” mechanism has made the ISPs the “gatekeepers” of platforms.38 As “gatekeepers” they are  The notion of the “gatekeeper” in the context of the activities by the ISPs is an old one and can be traced back to the 1980s. In particular Kraakman (1986) came up with the general gatekeeping theory according to which, for the construct to be effective the gatekeeper will be functioning the 38

180

K. Podstawa

not only liable for what is and what is not happening on the platform, but they are also responsible for shaping the interactions and content appearing there. This corresponds to the understanding of the role of the ISPs as going beyond and ordinary service provision and transforming into (or finally assuming)39 their civic responsibilities. This means that one can observe against the backdrop of the CoC the transformation of the perceived role of the ISPs from agents capable of doing harm, into responsible or even accountable ones.40 As such, they are allegedly capable of censoring the content of illegal platforms, even though they do not possess the necessary authority, know-how to do so. In addition, the users are not protected by the essential procedural safeguards.41 At the same time, however, they may be best technologically equipped to address the very challenges, or, as some argue, may even have a responsibility to create a context of service provision where harm should not happen.42 Such approach goes against the prevailing regulatory method according to which the ISPs are not liable for the content of their platforms, in particular because they do not have an active obligation to seek facts or circumstances indicating illegal activity (in line with Article 15 of the Electronic Commerce Directive).43 However, on the other hand, under Article 14(1) of the Electronic Commerce Directive: where an information society service is provided that consists of the storage of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the information stored at the request of a recipient of the service, on condition that: (a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or (b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information. (…) This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States’ legal systems, of requiring the service provider to terminate or prevent an infringement, nor does it affect the possibility for Member States of establishing procedures governing the removal or disabling of access to information.

This means that the “notice and take-down” mechanism obliges the ISPs to protect their platforms from individually placed illegal content once it obtains the inforcontext in which the serious misconduct cannot be deterred whilst the incentives to introduce private rules are unsatisfactory. On the other hand, the gatekeeper will be willing and able to prevent the misconduct and whom legal rules can oblige to deter misconducts at a cost which is not unreasonable. See for application of this theory: Metoyer-Duran (1993). 39  See among many others: Shapiro (2000), p. 1; Taddeo and Floridi (2011), as well as Taddeo and Floridi (2016) and Cerf (2011). 40  Frosio (2018), pp. 7–12. 41  For instance Leerssen (2015) makes a compelling argument according to which the cutting out by “the middle man” is dangerous due to the lacking remedies available to users. As the result, in his view, private censorship of Internet is becoming a reality. 42  Cerf (2011). 43  Directive on electronic commerce cit.

Hybrid Governance or… Nothing? The EU Code of Conduct on Combatting Illegal…

181

mation that such content found its way to the platform. Yet, for a long time there has been little clarity as to what this type of activity on the one hand, and liability, on the other hand, on the ISPs’ part would entail. In fact, the focus presents their image as potential “wrong-doers”, complicit in illegal activity. In most cases, the issue of the liability of the intermediaries is presented in the context of the tension between the freedom to express individual opinions and public interest or individual rights. However, the responses forged by the European courts seem to be reaching well beyond the measures targeting freedom of expression only. In fact, one may argue that in the past 10 years the courts have started to dialogue, albeit implicitly, on general issues of illegal online content in clarifying, inter alia, the “notice and take-down” (or “notice and delist”) mechanisms. The visible shift is to depart from the literal understanding of liability as provided for the existing legislation and embrace the idea of ISPs as an essential part of the enforcement chain. This shift echoes the policy-makers advocacy for the voluntary measures.44 In fact, already in 2012, the European Commission put on the table the proposal to approach the regulation of the illegal online content in a uniform manner.45 Many commentators commented on the necessary intertwining of regimes and the mutual impact they have on each another. Similarly, the courts’ ideas run parallel. The development has been initiated by the European Court of Human Rights (ECtHR) judgement in Delfi v. Estonia,46 as the result of which the ECtHR ordered the defamatory content to be deleted on the website of Delfi, the major media outlet. The Court examined the case under Article 10 of the European Convention on Human Rights (ECHR), on the right to freedom of expression. The ECtHR found that the Estonian courts interfered with the freedom of expression, however, with difficulty found that such limitation was indeed prescribed by law and thus foreseeable. In fact, it drew these conclusions from general Civil Code provisions and attributed the role of the publisher of comments that were inserted under the articles. As such, it was up to Delfi (and similar ISPs) to conduct the balancing exercise between the freedom of expression and the right to privacy under the ECHR in line with the indications provided for by the Court. By ordering the content to be removed, the ECtHR angered a number of prominent CSOs, which announced that the Court did not understand the principles of the online intermediary liability. In particular, the Court should have not interfered with the understanding of the lack of general obligation to monitor the content expressed in Article 15 of Electronic Commerce Directive.47  Frosio (2018), describes this a shift towards ”private ordering” reflexive of the indecisiveness of the policy makers on the international and more local levels as to whether ISPs are in fact a threat for freedoms or participants of the global structures co-responsible for maintaining those freedoms. See pp. 12 and the following. 45  But the final proposal was tabled only in 2017. The results of original consultations are available at http://ec.europa.eu/internal_market/consultations/2012/.../summary-of-responses_en.pdf. 46  Delfi AS v. Estonia (App. No. 64569/09), ECtHR, Grand Chamber, judgment of 16 June 2015. 47  Directive on electronic commerce, cit. 44

182

K. Podstawa

The subsequent cases of MTE v. Hungary48 and Pihl v. Sweden49 further confirmed the rule according to which the breach of Article 10 of the ECHR does not occur when the content is promptly taken down upon previous examination. However, this should be done after a proper examination of the content and following the balancing out steps originally from Delfi v. Estonia. Importantly, one can infer from MTE v. Hungary that the information of the professional actors do not enjoy the protection to the same degree as the content concerning individuals. In addition, one needs to observe the changed position of the ISPs as essential and complementary to that of the State. The question arises as to whether this means that the State is to use the ISPs as proxies in its enforcement of the rules on combatting illegal content online.50 Against the background of the recent legislative developments this conclusion seems to be too far drawn.

4  Conclusions: Internet Service Providers as ‘Guardians’ In none of the superhero universes are guardians ordinary. Be it in Marvel, Star Wars, or Tolkien’s universe, they possess extraordinary qualities that make them capable of fulfilling the function they are assigned by the greater entity. They are to protect the universe, its members and the community, at whatever cost and with whichever means they have available. Similarly, the ISPs role is to preserve the online communities so that they remain public spaces through the means available to them, yet not without scrutiny. It is undeniable by now that the CoC on countering illegal hate speech online was an experiment that paid off setting an exemplary path to trod for the policy makers. This path has been already taken voluntarily by Germany and its Network Enforcement Act, but will be soon followed by other Member States.51 This made the ISPs aware that, regardless of whether they are asked to do so in a “soft” or “hard” manner, they will be required to partake in the enforcement of the legal rules concerning combating hate speech to start with, but ultimately the entire set of the illegal content online. Similarly, the policy makers (as exemplified by Germany) have become aware through the repetitive monitoring endeavours and the resulting process that half self-regulatory framework must be maintained for the ISPs and that without their support the effective enforcement of the mentioned measures will not be successful. This awareness, combined with the ISPs’ clear willingness to cooperate (as the fruits of such cooperation are in line with their interests),  MTE and Index.hu Zrt v. Hungary (App. No. 22947/13), ECtHR, of 2 February 2016.  Pihl v. Sweden (App. No. 74742/14), ECtHR, decision of 9 March 2017. 50  Kuczerawy (2016). 51  See, for the comment and link to the French draft Clavel (2018) available at https://www.huffingtonpost.fr/2018/03/07/la-proposition-de-loi-contre-les-fake-news-a-fuite-le-juge-aura-48h-pourdereferencer-ou-ordonner-le-blocage-dun-site_a_23379451/; on the Polish proposal, see Szymielewicz (2017). 48 49

Hybrid Governance or… Nothing? The EU Code of Conduct on Combatting Illegal…

183

as well as the imminent need to guard the liberty of the online platforms and of their users, forces a new outlook at the platforms. They should be considered as long term allies, bearing moral responsibility similar to that of state institutions,52 rather than a suspiciously eyed intruder. It seems that in the area of online governance, like in many others, there is no governance without those private actors (compare, for instance the rapid emergence of blockchain technologies).53 Yet, if one assumes that these actors are solely “gatekeepers” we will not leave the paradigm of the centrally organised governance structure, with the interests of top down and bottom up ­structures constantly clashing. Instead, enlisting the ISPs alongside the top down regulatory initiatives and the users of services makes them equally (if not more) responsible for the Internet space and in the long term, possibly accountable. Should this be the case, they can indeed assume the role of guardians in this galaxy of freedom and rights. In this process we will observe them being equipped with new tools and deeper immersion in the traditional governance structures. We will also observe how they affect the traditional legal notions as well as the content of substantive and procedural rights. By all means, this can be considered as a great opportunity and a great threat. Which one of these will prevail, time will only tell.

References Augenstein, Daniel, Mark Dawson, and Pierre Thielborger. 2017. Implementing the UNGPs in the European Union: Towards an Open Method of Coordination for Brussels and Human Rights. EUI Working Papers. LAW 1. Besselink, Leonard, Frans Pennings, and Sacha Prechal. 2011. The Eclipse of the Legality Principle in the European Union. Alphen aan den Rijn: Kluwer Law International BV. Cerf, Vincent. 2011. First, Do No Harm. Philosophy & Technology 24: 463. Dawson, Mark. 2011. Three Waves of New Governance in the European Union. European Law Review 36: 208. De Búrca, Grainne, and Joanne Scott. 2006. Introduction: New Governance, Law and Constitutionalism. In Law and New Governance in the EU and the US, ed. Grainne De Búrca and Joanne Scott. Oxford: Hart. Frosio, Giancarlo F. 2018. Why Keep a Dog and Bark Yourself? From Intermediary Liability to Responsibility. International Journal of Law and Information Technology 26: 1–33. Kraakman, Reiner. 1986. Gate-Keepers: The Anatomy of a Third-Party Enforcement Strategy. Journal of Law, Economics and Organization 2: 53. Kuczerawy, Aleksandra. 2016. The Code of Conduct on Online Hate Speech: An Example of State Interference by Proxy? Leuven: KU Keuven CiTiP. https://www.law.kuleuven.be/citip/blog/ the-code-of-conduct-on-online-hate-speech-an-example-of-state-interference-by-proxy/. Leerssen, Patrick. 2015. Cut Out by the Middle Man. The Free Speech Implications of Social Network Blocking and Banning in the EU. Journal of Intellectual Property, Information Technology & Electronic Communication Law 6: 99.

52 53

 Taddeo and Floridi (2017), Chapter 2, pp. 13–39.  In line with Kraakman’s idea of gatekeepers, Kraakman (1986), p. 2.

184

K. Podstawa

Metoyer-Duran, Cheryl. 1993. Information Gatekeepers. Annual Review Information Science and Technology (ARIST) 28: 111. Mihr, Anja. 2017. Cyber Justice. Human Rights and Good Governance for the Internet. ebook. Springer International Publishing. Pennings, Frans. 2011. The Open Method of Coordination in the Area of Social Policy and the Legality Principle. In The Eclipse of the Legality Principle in the European Union, ed. Leonard F.M.  Besselink, Frans Pennings, and Sacha Prechal. Alphen aan den Rijn: Kluwer Law International BV. Schweppe, Jennifer, Amanda Haynes, and Marc Walters. 2018. Lifecycle of a Hate Crime. ICCL. https://www.iccl.ie/wpcontent/uploads/2018/04/Life-Cycle-of-a-Hate-Crime-ComparativeReport-FINAL.pdf. Shapiro, Andrew. 2000. The Control Revolution: How the Internet is Putting Individuals in Charge and Changing the World We Know. New York: Public Affairs. Szymielewicz, Katarzyna. 2017. Zmiany w UŚUDE: odpowiedź rządu na arbitralne działania pośredników internetowych. Warszawa: Fundacja Panoptykon. https://panoptykon.org/wiadomosc/zmiany-w-usude-odpowiedz-rzadu-na-arbitralne-dzialania-posrednikow-internetowych. Taddeo, Mariarosa, and Luciano Floridi. 2011. The Case of E-Trust. Ethics and Information Technology 13 (1): 1–3. ———. 2016. The Debate on the Moral Responsibilities of Online Service Providers. Science and Engineering Ethics 22: 1575–1603. ———. 2017. The Responsibilities of Online Service Providers. Cham: Springer International Publishing AG.

The Construction of a Normative Framework for Technology-Driven Innovations: A Legal Theory Perspective Francesco De Vanna

Abstract  Technology developments change the way we conceive the normative force of law and legal systems. Traditionally based on written texts, and on their interpretation by a professional class of jurists, normativity seems nowadays to migrate into technological devices, increasing the performative effect of regulation. This shift calls into question the “flexibility” of law as a fundamental performance of the rule of law and of constitutional democracy. These problems can only be addressed by taking into consideration the multifactorial prism of regulation, in a pluralistic dimension that has been highlighted by studies on the architectural dimension of cyberspace and, in particular, on the “code”. In this perspective, asserting that technological devices are sheer “instruments” divested of normative implications is anything but an illusion: their regulative force, in fact, is embedded in their own “design” from the outset. Before envisaging scenarios dominated by ungovernable technology, it is therefore useful to emphasize the “responsibility” of coders and operators. In this way, the question of human responsibility re-emerges as a crucial factor for the elaboration of a normative framework that preserves the conditions of an intersubjective coexistence marked by freedom.

1  S  ome Introductory Considerations Through the Lens of Privacy The dialectic tension underlying the relation between law and the sudden development of technology emphasises the complex “relation between the legal power and the other kinds of power”1 leading jurists to regard technological innovation as a limitation of law to a mere instrumentum scientiae.2  Irti (2007), p. 13 (my own translation).  Rodotà (2012), p. 352. In this regard, Pascuzzi (2016) writes as follows: “The technological standards are defined based this is not a field on the most advanced knowledge in a specific historical 1 2

F. De Vanna (*) University of Modena and Reggio Emilia, Modena, Italy e-mail: [email protected] © Springer Nature Switzerland AG 2019 E. Carpanelli, N. Lazzerini (eds.), Use and Misuse of New Technologies, https://doi.org/10.1007/978-3-030-05648-3_10

185

186

F. De Vanna

Unlike “old” technologies, the new ones—intended as instruments for the control over the world and nature—not only meet the requirements of instrumental rationality: they also penetrate mankind and change it. The exponential growth of information and communication technologies (ICT) affects also the other scientific and human fields—like medicine and biology—and urges the overcoming of the extent and speed “limits”. As a consequence, a contamination has been observed between the various scientific branches—“bio”, “nano”, “neuro”—technologies— and between “human” and “non-human”, which saw the advent of a “hybrid” era.3 In other words, men and new technologies re-construct each other and simultaneously co-define the sense of reality and the genesis of subjectivity.4 In the light of the current technological development, it is difficult to reject the feeling that “the existing legal provisions are inadequate and unable to govern in all its implications the relation between men and these machines - clearly ‘different’ from all the others”5—and, consequently, we should opt “with fewer respect for established traditions, which however tend to become fossils”.6 Law cannot ignore the onset of a new anthropology, and must critically analyse its dynamics, thus preventing its normative implications from being so contingent as to turn men into “the happy slave of machines”.7 On the other hand, the normative consequences of technology have always shaped behavioural patterns,8 define the conditions of use and eliminate the possible alternatives, thus influencing the perception of what is “natural” and inevitable. Consequently, the material area within which the protection of fundamental rights becomes crucial is expanded and requires a deeper understanding and redefinition. This is particularly evident in the protection of privacy. In 1884 the snapshots provided by Eastman Kodak Company to the public enables the unauthorized context in a certain field. The industry experts are able to define the most advanced notions: in this sense, they are referred to as technicians. The law standards in the digital age are determined by technicians (who address other technicians.)”, p. 297 (my own translation). 3  Khanna and Khanna (2012). 4  “[T]echnologies of the self, which permit individuals to effect by their own means or with the help of others a certain number of operations on their own bodies and semis, thoughts, conduct, and way of being, so as to transform themselves in order to attain a certain state of happiness, purity, wisdom, perfection, or immortality”. Foucault (1988), p. 18. 5  Salazar (2014), p. 257. 6  di Robilant (1973), p. 230. 7  Butler (1872). 8  The introduction and the following development of the telephone technology, for example, shows the change in the interpersonal behaviour: soon it was evident that the ‘sociality’ value embodied by the telephone (albeit involuntarily) was in conflict with the ‘privacy’ one. A telephone call, in fact, is an intrusion into the lives of friends, family members and (potential) customers. The protection of the private space of the individuals has been further questioned by the introduction of mobile telephones, through which we can be reached anywhere and at any time. (…) Users have started (…) to call the others without any prior notice, via email or an SMS, which is regarded as an improper behaviour. (…) This change in the habits goes hand in hand with a different priority relationship between the value of sociality and privacy. In this context, privacy is stronger than sociability”. Bisol et al. (2014), p. 247.

The Construction of a Normative Framework for Technology-Driven Innovations:…

187

r­eal-­time diffusion of personal images, leading two American lawyers to write a short essay—The Right to Privacy—to ask for the introduction of this right into the US federal law system.9 Today, privacy is faced with new technological progresses which require its implementation: every day, in fact, men interact with smart devices, from the Internet of Things to the 3.0 web, through digital administration and cloud computing. These systems represent an “infosphere”10 or “smart environment” which extracts a continuous flow of information: data, preferences and ­individual attitudes subjected to contextual profiling processes—‘data-mining’— yielding a statistical projection and, consequently, an anticipation/enforcement of the decisions of the individual in question.11 The subject becomes totally ‘predictable’ and the surrounding environment is able to anticipate his/her requests—which are assessed by means of special algorithms—meeting them even before they are expressed. Mankind has entered an era ruled by ubiquitous computing,12 which will help overcome the desktop paradigm and will culminate with an invasive extrapolation of data thanks to sensors installed in the objects and connected to the web. New risks of vulnerability and discrimination will be observed basically due to the loss of control resulting from classification through socially binding models likely to impair the autonomous decision-making process. These risks arise from a strong “information asymmetry”—a kind of “computational divide”13—between the user and the digital environment, where the former acts without knowing the segmentation methods and mechanisms, as well as of their results, which are out of his/her control. The algorithm defines the risks which each individual is likely to face, by assigning them to a specific group, more or less reliable; it also establishes the probability of committing crimes, the inclination towards the purchase of tangible goods, the (genetic or social) risk of developing diseases, the reliability in case of loans. Thus it marks unaware people with a “stigma”, influencing their existence, and “affecting your reputation without an assessment of risk because it says what kind of person you are and who you are treated as equivalent to”.14 This may lead some users to change their behaviour to avoid the classification suggested or any reputational damage (normalization), with objective impacts on the social construction of the identity of the subject. In this sense, the concept of privacy has acquired a new, more complex dimension, which is conceptually associated with the “control of one’s data”; privacy thus  Warren and Brandeis (1890).  Floridi (2014). 11  Rodotà (2012), p. 335. 12  Weiser (1993). 13  It is no coincidence that the traditional social divisions, represented by the classes, have been replaced by new categorisations based on the ability to use the new information technologies. In 1999 the American writer William Gibson said during a radio program: “The future is already here, it’s not just very evenly distributed”. 14  Balkin (2016), p. 40. 9

10

188

F. De Vanna

shifted from its conventional meaning—“the right to be left alone”15—to the “control of information about oneself”16 up to the “ability to choose which parts in this domain can be accessed by others, and to control the extent, manner and timing of the use of those parts we choose to disclose”.17 Thus a private legal claim gradually takes on a public character, since—to the extent that it promotes the free formation of one’s project—it fosters a model of social regulation which prevents any external interference. Law, albeit slowly, changes and adapts itself, facing the new challenges arising from regulation. In the next paragraphs, with constant reference to concrete technological innovations, both current or incoming, the main challenges to be faced by law will be examined, together with its meaning and its capacity to constrain social behaviours. After a brief analysis of the meaning of the normativity of the law, an attempt will be made to observe how technology influences the legal categories and to what extent it changes their resistance and quality. Meanwhile, a special attention will be paid to the issues of “code” and the theory of regulation “by design”, as suggested by Lawrence Lessig. Eventually, some proposals made by the discipline to safeguard the “constitutional” dimension of the law strictly connected with the freedom of individuals will be reviewed.

2  The Normativity of Law from Writing to Technology 2.1  Law, Written Texts and Interpretation The technological revolution questions one of the strongest interpretations of law, namely its view as a series of provisions strengthened by the threat of a penalty. This assumption relied on the implicit possibility of “knowing” the law, basically through written texts: from this point of view, the printing was a support and, at the same time, a precondition for the development of the modern legal theories. The modern “writing” technique has enabled the mass distribution of legal texts requiring an interpretation, thus promoting the establishment of a professional category—i.e. legal experts—who studied those texts and interpreted them with the purpose of finding a systemic consistency. In this regard, the following observation has been made: Writing enables a new practical situation of communication. For the first time, the discourses can be separated from the specific circumstances in which they were delivered. Therefore, the hypertexts of the author and the reader can be completely different (…) from generation to generation, the distance between the author’s and the reader’s world does not

 Warren and Brandeis (1890), p. 193.  Westin (1967), p. 7. 17  Westin (1982), p. 112. 15 16

The Construction of a Normative Framework for Technology-Driven Innovations:…

189

cease to grow, and the gap as well as the semantic tension are reduced thanks to a constant interpretation.18

The (written) text offsets a gap—between author and the reader—destined to be filled only through a constant interpretation. However, the willingness to eliminate this gap remains inevitably unsatisfied: it is a mere desire that preserves the flexibility (or underdeterminacy) intrinsic in the written law, although the legal science has tried to hide it behind the value of “certainty”.19 The interpretation suggested by the lawyers, therefore, preserves the ductility of law which allows for its actual implementation, regardless of the technological innovations introduced over time and, especially in the modern industrial society. In this way, in spite of a growing and constant regulation concerning any aspect of human activity, the jurists have not given up their main target, i.e. granting order and rationalization, even when it comes to power, in fact: …even though the script is linked to the coercive authority of the modern state, it is also linked to the relative autonomy of law in relation to political power. This is the case because the proliferation of legal texts since the advance of the printing press produced a potential chaos of interpretations, generating a need for systemization and specialization. (…) The fragility of the meaning of written text, faced with the need for legal certainty, thus facilitated the appearance of a monopoly on law for the professional class of lawyers (…), mandated to safeguard the coherence of the legal system (…). The force of (written) law thus depends on the coercive authority of the state in combination with the labors of the lawyers’ guild.20

Within this relation between written text and interpretation there is a fundamental trait of the peculiar form of normativity represented by “law”, which consists of the possibility of binding the political authority to the assessments of the interpreters. Law is a legitimate control instrument, but is also a limitation to power. In this regard, Mireille Hildebrandt introduced the “paradox of Rechsstaat”, because the interpreter and the legislator co-determine the meaning of the juridical statements, thus mitigating the (political) authority and depriving it of the monopoly on the legal regulation.21

 Lévy (1990), pp. 100–101 (my own translation).  Recalling Radbruch  (1950), Agata Amato Mangiameli says that “no weaver knows what law weaves”, Amato Mangiameli (2017). 20  Hildebrandt (2008), p. 175. 21  For an insight into the meaning of Rechsstaat, especially in relation to the Rule of Law, see Krygier (2009) and Palombella (2009). 18 19

190

F. De Vanna

2.2  N  orms Without Interpretation: The Dark Side of Technological Normativity Another important feature of modern law is the distinction between “constitutive rules” and “regulatory rules”.22 This distinction concerns also social theory in general. The first category includes, for example, those rules which establish a social practice. Let us think of chess: its rules not only regulate the game, but also establish it. In fact, it relies on the agreement upon these rules and could not be conceived before them. The second category—the regulatory rules—encompasses, for example, the rules underlying the road traffic: the drivers failing to comply with the speed limits are punished according to the legal system, but it is impossible to prohibit them from “driving a car”.23 This alternative is indirectly reflected in the power of modern technology, since the latter promotes or “imposes” the people’s adhesion to its “code”. Let us consider smart cars, a feasible perspective, able to assess the energy consumed by the driver during the journey and estimate the remaining attention thresholds; as soon as this level drops approaching the (preset) safety threshold, the car can react in two different ways: it may ask the driver to slow down and stop (using a sound alarm) or it can immediately activate an “autopilot” system which prevents the driver from speeding up. The same thing may happen if the car realises that the driver has drunk too much alcohol or has taken drugs. These two cases both imply a techno-regulation, however it is important to stress the qualitative difference between the two possible answers: in one case, in fact, the car will provide a regulatory reaction and the driver is practically prevented from adopting a dangerous driving behaviour (norm-enforcing technology), while, the other case represents a constitutive reaction, since it prevents the same possibility of making hazardous manoeuvres (norm-establishing technology.) Since the “[r]egulation of users’ behaviour is imperative in automated cars”,24 then in this case technology simply defines what is allowed and what is prohibited, by overlapping the being dimension (“ius”) with the having to be one (“factum”). As evidenced by Koops, recalling Brownsword’s assumptions, “[f]or human dignity, it is important not only that right choices are made (to comply with the rules) but also that wrong choices can be made, and that not all ‘bad’ things are simply made impossible, for human life is enriched by suffering”.25

 Rawls (1955) and Searle (1964).  Palombella (1990) says that: “The “regulatory crisis” of the contemporary State is certainly the result of the principle of the omnipotence of law, which has turned into the widespread standardisation of every aspect of social reality. But the fact that the law influences the events through a qualification process leads to at least two alternatives: on the one hand, the principle of juridical qualification becomes the constitutive principle of reality; on the other hand, the intervention of the juridical rule adheres to a pre-existing reality”, p. 367 (my own translation). 24  Leenes and Lucivero (2014), p. 14. 25  Koops (2008), p. 165. Cfr. Brownsword (2005). 22 23

The Construction of a Normative Framework for Technology-Driven Innovations:…

191

The performance power of technology—while dramatically reducing the range of the possible choices—raises some questions about the structural changes in the normativity which, in this form, can compress freedom, thus strongly influencing the people’s behaviour.26 It especially emphasises the responsibility of programmers and developers, the ethical sustainability of their choices and the liability that they assume towards the public whenever they focus on a specific result or functioning model. In other words, jurists and philosophers ask themselves whether and how—through which procedures and criteria—the technological normativity can be accepted or not.27 The relevance of a “public decision” seems to be extended to practical issues and professional sectors which some years ago were still sectorial or at an embryonic step.

2.3  W  hat Is Left of Law? The Rule of Law Put to Test by Technology The quick technological development constantly raises policy issues to which law is often unable to react with the same speed. This “reaction” asymmetry resulted in a situation when many normative—procedural, substantial, ethical or purely ­juridical—issues were primarily addressed by individual subjects—namely programmers and computer scientists, or individual private bodies—deprived of any accountability mechanism or even of any democratic supervision. In case of normenforcing technology, this problem produces adjustable outcomes which can be questioned through a debate originating from a “public sphere” of regulators and regulated. Conversely, the performance results of the technology establishing the norm can be adjusted or changed by law more slowly and with a greater effort.28 Future “always comes too fast” and law cannot keep pace with it. This scenario introduces another series of reflections. Law has traditionally manifested itself as an adaptive and context-sensitive (flexibility) technique. In this  “[L]iberty is constructed by structures that preserve a space for individual choice, however that choice may be constrained”, Lessig (1999a, b), pp.  7–8. As evidenced by Koops, recalling Brownsword’s assumptions “[f]or human dignity, it is important not only that right choices are made (to comply with the rules) but also that wrong choices can be made, and that not all ‘bad’ things are simply made impossible, for human life is enriched by suffering”. Koops (2008), p. 165. 27  “Technology that sets new norms clearly raises questions about the acceptability of the norms, but also if technology is used ‘only’ to enforce existing legal norms, its acceptability can be questioned, since the reduction of ‘ought’ or ‘ought not’ to ‘can’ or ‘cannot’ threatens the flexibility and human interpretation of norms that are fundamental elements of law in practice”. Ibid., pp. 157–158. 28  “Because technology is often irreversible — once it is developed and applied in society, it is hard to fundamentally remove it from society in those applications—the process of developing technology is a key focus when normativity is at stake. After all, it may well be too late when technology simply appears in society to ask whether it is acceptable to use this technology; quite often, the genie may then be out of the bottle never to be put back in”. Ibid., p. 166. 26

192

F. De Vanna

sense, it has granted the limitation of power; in fact, it is no coincidence that the application technique of contemporary constitutional democracies is not a subsumption but rather a balancing, since the latter is able to simultaneously weigh conflicting arguments, establishing a rule at the meeting point of the various reasons involved. The expression “Mild law”29 (“diritto mite”) helps us to understand this concept, far from the rigidity of the ‘dura lex, sed lex’ motto and in line with the pluralism of modern societies. The instruments ensuring this flexibility are the constitutional principles, including above all proportionality and reasonableness.30 Conversely, the technological normativity, programmed through a code, is not affected by the variable concreteness of experience, and features an all-­encompassing and inflexible efficiency.31 The algorithm, for example, always reproduces the same decision, without exceptions, and this invariability seems to express an impersonal and unlimited power. As stressed by Reidenberg: “[f]lexibility is only undesirable when fundamental public interests are at stake and the public interest requires rules that individual participants in the network might not choose themselves”.32 In the example of the drunk driver, it is certainly desirable to force him/her make the only decision able to save his/her life: a technological application implementing this option would be compliant with the norms and social values shared by the majority of people. But, evidently, some circumstances imply more comprehensive values—such as the freedom of speech, the freedom of movement, social equality and the prohibition of discrimination—whose specification is possible only thanks to the mediation of men. In this regard, an anecdote may help understand the issue. Jan Klabbers says that, once, while he was in Holland to visit his mother, he hired a car and got a spot fine speeding in a certain area of the country where he had been only once and over 30 years earlier: So I appealed the fine, suggesting that perhaps the photographs taken by speed cameras had been mixed up. The response was disheartening: I received back a standard form, saying that the camera in the place where I was supposed to have been (but never was) had been properly aligned. This may well be true, of course, but it did not relate to the point I was making – my point was never addressed. In the end, I resigned myself to paying the fine (…), but under objection. Given the structure of the speeding ticket system and the largely automated nature of the process, it would have been rather costly to prove my innocence, but at least I wanted to have it on record that I had not been in the area.33

 Zagrebelsky (1992).  As stated by Zagrebelsky (1992): “The modern English parliament does not rely on a clear shift from the production of law through the activity of the Courts to the “legislative” production. Among the essential criteria of this “extraction” of law from the practical cases, there are “circumstances, conveniency, expediency, probability”—The progresses of law did not actually depend on the increasingly refined deduction from great immutable and rational principles (the scientia iuris), but rather on the induction from empirical experience, enlightened by situations (the iuris prudentia), through “challenge and answer, trial and error”” (pp. 27–28). See also Kluxen (1980), p. 103. 31  Koops (2012). 32  Reidenberg (1998), p. 584. 33  Klabbers (2017), p. 28. 29 30

The Construction of a Normative Framework for Technology-Driven Innovations:…

193

From this point of view, the main problem is the safeguard of the guarantees of a due process, not in jurisdictional sense but rather in the broadest and truest sense of the term, i.e. the possibility of confronting and challenging “on equal footing”34 the actions of power—any kind of power—before a third party able to give an effective and successful remedy. More generally: “Due process entails that a person has access to an effective remedy where she feels that her interests have been harmed”.35 Therefore, it is crucial to combine the deterministic and mechanical dimension of technology with the analysis of the effects exerted by the latter on society, law and politics.

3  T  he Legal Theory of Design: Towards a “Hybrid Normativity” 3.1  The Code in Lessig’s Pluralistic Perspective Lawrence Lessig36 has always focused on the possibility of governing the techno-­ regulation, especially in the cyberspace dimension. While highlighting the qualitative and structural differences between “real” and “virtual” space, he points out the persistent regulatory potential of law by combining it with other constraining elements, thus obtaining a mixture globally able to preserve the fundamental virtues of constitutionalism. The peculiarity of his contribution lies in the reference to the “code” as an architectural dimension of cyberspace as well as to the relating responsibility of the coders, who are liable for most of the Internet structure.37 More specifically, Lessig has highlighted how the behaviour of the affiliated subjects in a certain environment is influenced only partially by law—“the most obvious self-conscious agent of regulation”.38 In addition to this constraint, he emphasis the role of social rules39—for example, those which sanction the drivers exceeding the speed limit on the city roads or near parks and areas attended by families and children—of economy—car manufacturers which determine the price of cars also

 This is the meaning generally attributed to Article 6 of the European Convention on Human Rights associated with the concept of due process, in the sense that the accused must be able to effectively defend himself/herself. 35  Hildebrandt and Koops (2010), p. 438. 36  It is worth mentioning the significant contributions of Mitchell (1995) and De Monchaux and Schuster (1997). 37  A “code policy” is, first of all, a policy concerning the intellectual property and the forms that it can take in the digital era. This leads the code to be regarded as a “common good” (commons), together with the contribution provided by the opening of the code to the re-evaluation of the idea of commons”. Goldoni (2007), p. 23. 38  Lessig (1999b), p. 511. 39  Posner (2000). 34

194

F. De Vanna

based on their speed—and of “design”40 which, in case of physical spaces, corresponds to urban planning and architecture.41 The design of a road—its width, the creation of sidewalks along the roadways or bumps, the presence of roundabouts— affects the drivers’ behaviour,42 and not only the preference formation process, as happens with the first three constraints. According to Lessig, the architecture is “the most pervasive agent”,43 because it directly defines the range of choices that the user can make. Furthermore, the architecture carries out an early regulation, ex ante, while the law—net of its feeble dissuasive function—intervenes only at a later time with ex post penalties. Within the virtual context, design refers to the economic and social organization of the Internet and the cyberspace, especially focusing on the ownership of the code. Let us think of the TCP/IP and http “codes”, in relation to issues concerning the anonymity in the Internet and the spamming, in addition to the copyright protection by means of DRM (Digital Rights Management). From this point of view, design has a norm-enforcing normativity44: the architecture of cyberspace, or its code, regulates behavior in cyberspace. The code, or the software and hardware that make cyberspace the way it is, constitutes a set of constraints on how one can behave. The substance of these constraints varies — cyberspace is not one – place. But what distinguishes the architectural constraints from other constraints is how they are experienced. (…) The conditions, however, are different. In some places, one must enter a password before one gains access; in other places, one can enter whether identified or not. (…) In some places, one can elect to speak a language that only the recipient can understand (through encryption); in other places, encryption is not an option. Code sets these features; they are features selected by code writers; they constrain some behavior (for example, electronic eavesdropping) by making other behavior possible (encryption).45

Law—intended in its traditional sense, i.e. as a series of provisions supported by penalties—is just one of the instruments that “force” men to behave in a certain way. According to Lessig, it influences the other three constraining factors on which it exerts a direct impact, but, at the same time, is affected by them: each of these factors significantly contributes to the regulation of human behaviour, pursuing a bal-

 Lessig (1999a, b). This article was written to reply to Judge Frank Easterbook who, during a lecture held at the University of Chicago, said that a law of cyberspace could not express any general heuristic resource, precisely just like a “law of the horse” or any law specifically focusing on a particular object or space. See Easterbrook (1996), pp. 207 ff. 41  Cfr. Vermaas et al. (2008) and Yeung (2008). 42  According to Langdon Winner, the overpasses in Long Island were low, because they had been intentionally designed as such: thus the buses could not pass under the overpasses, and the lower social classes could not reach the beaches of New York. See Winner (1980). 43  Lessig (1999b), p. 511. 44  It was observed that “architecture should be intended in a broad sense, i.e. as the organization of any kind of space by means of the materials available. Architecture somehow represents the “nature” of a context but, unlike natural data (which can be rarely changed, therefore they are considered stable or unchanging), it can be either fully or partially changed to review the organizational structure of the space in question”. Goldoni (2007), p. 3. 45  Lessig (1999b), pp. 508–509. 40

The Construction of a Normative Framework for Technology-Driven Innovations:…

195

ance (mix) which obviously varies depending on the “space” to be regulated.46 The context is an unavoidable element for the adjustment of the regulation and the impact of its architectural dimension: from this point of view, there is no space, but rather spaces to be regulated. The stringency of each constraint varies according to the structure of the “place” to be regulated, and law can be either suitable and successful or only partially effective and inadequate. However, in this regulatory scenario, there is a significantly new element introduced by the “code”; it embodies the potential and the strength of the new technologies as a technique able to actually influence the people’s behaviour: The novelty of ‘code as law’ is that technology is nowadays being used intentionally as an instrument to influence the way people behave, supplementing law as a regulatory instrument. A key difference between ‘code’ and ‘law’ is that normative technology, both in its norm-enforcing and in its norm-establishing form, influences how people can behave, while law influences how people should behave. This is why the rise of intentionally normative technology, in contrast to traditional technology, raises the democratic and constitutional issues…47

Therefore, the code is the control architecture that allows (or not) the user of the cyberspace to activate or disable certain functions and make a certain decision. However, it can be changed, since the way in which the cyberspace has been designed is not necessarily the way in which it should be. Due to its entirely plastic and artificial character, cyberspace is a space totally moldable and doesn’t have any intrinsic “nature” resisting to man chemical interventions. In this respect it represents a paradigmatic space to light the architectural dimension. The privacy-related issues, for example, consist of the fact that the automatic collection of the data is invisible and, to the extent that it hides necessary information, it precludes an informed choice concerning the navigation experience and the bottom-up control by the users. Political institutions, however, can introduce a top-down change in the code which enables the expression of one’s own preferences with reference to the use of the data. This example shows the importance of changing both the architecture and the law. Nevertheless, the modification of the law may not yield positive results; the economic organization of the code turns out to be decisive for the purpose of its adjustability: paradoxically, a private software can be changed more easily, since it is sufficient to influence the behaviour of the owners of the “source code”: in fact, the license does not allow the user to change the code. Conversely, where the property of the code is open (neither private nor state), the code is provided together with its source and, consequently, it is free and can be changed by users. In this case, the penetration capacity of the legal rule is significantly impaired. In the Nineties, Privacy-Enhancing Technologies (PETs) such as the so-called “cookie crunchers” and, more recently, awareness instruments such as Transparency-­ Enhancing Technologies (TETs) were introduced to inform “users on how their  “The ‘net regulation’ of any particular policy is the sum of the regulatory effects of the four modalities together. A policy trades off among these four regulatory tools. It selects its tool depending upon what works best”. Lessig (1999b), p. 507. 47  Koops (2008), p. 159. 46

196

F. De Vanna

p­ ersonal information is used by the service provider”.48 The ultimate challenge is the tuning of law and code in order for them to support each other and result in a single ethically sustainable regulatory design. In this case, engineering, ethics and law must cooperate and face the regulatory challenge by shaping technology according to specific regulatory expectations. The combination of different scientific perspectives must rely on the use of technology as an instrument of freedom which strengthens the virtue of law.49 In this regard, the reflection according to which “[i]f only because ‘code’ is not equivalent to ‘law’, the ‘rule of law’ cannot simply lay down all the criteria for the ‘rule of code’; it shall need to adapt, if only to a small extent, to the particulars—positive as well as ­negative—of normative technology”50 sounds persuasive. Beyond the cybernetic context, the relation between law and architecture shows its regulatory potential even in non-virtual dimensions and “illuminate the entire law”.51 As already anticipated, the perspective suggested by Lessig is intrinsically pluralistic: according to him, in fact, the regulatory phenomenon is hybrid and includes different regulatory specificities, which cannot be limited to a mere legal dimension.52 The impact of the regulation of the cyberspace will lead to results with a variable effectiveness depending on the optimisation of each constraint in a complex and multifactorial structure: those who want to refer only to one of these constraints are not aware of the concrete dynamics of real space, let alone the virtual one.

3.2  Minimum Taxonomy of Technological Regulations Design theory is applicable to the whole field of artificial intelligence (AI): not only to cyberspace—which seems to reflect its full potential—but also to environments and intelligent products, robotics, and all the devices managed by a code and/or an algorithm.

 Janic et al. (2013), p. 18; in terms of differentials “[w]hile PET’s ‘think’ in terms of shielding personal data, TETs ‘think’ in terms of empowering individuals by making profiling activities visible”. See Hildebrandt and Koops (2010), p. 450. 49  “[R]ules must be embedded in such a way that they share the nuance and flexibility of the natural-language rules that determine the written law. (…) there is a democratic challenge: is valueembedded technology or the articulation of legal norms in digital technologies legitimate?”, Hildebrandt and Koops (2010), p. 452. 50  Koops (2008), p. 172. 51  Lessig (1999a, b), p. 546. 52  Lessig’s assumption falls within paradigm of the downfall of the legal exclusivism (or centralism) because, “although it did not give up the role of the authoritative constituting, it has put it in relation with other factors which, in various ways, affect the conduct of the partners, precisely identifying the binding character in the result of this mechanism”. Laghi (2015), p. 156. 48

The Construction of a Normative Framework for Technology-Driven Innovations:…

197

The scientific assumption behind this theory is that the on-going technological progress, during its development, already absorbs aims, purposes, values that makes its own, thus weakening the distinction between “tool” and “end” which directs most of the ethical and legal reflections on new technologies. The prima facie may seem a neutral tool, actually it has already built itself an “entelechy” and, therefore, legal and ethical analysis must take place already in the design phase, to orient the use, which otherwise would be just an expression of mere contingency forces. As written by Pierre Lévy: …the debate over the oppressive, antisocial, or benefactress and convivial informatics nature is not limited to the circle of the sociologists, philosophers, journalists or trade unionists (pretended specialists of purpose, customs, and relationships between men). It begins among scientists, engineers, same technicians, among the so-called professionals of relations between things, those who should not take care of instruments, tools. The abstract distinction between ends and means does not resist a precise analysis of the social-technical process in which, in fact, the mediations (means, interfaces) interpreted each other for local, contradictory, continually called into cause purposes, so that in this deviation game no means stays long tied to a stable end.53

Moreover, this is confirmed by the fact that the objectivity parameter that should inform the work of scientists is conditioned by their conscience, as well as by their ideological and epistemological prejudices: in other words, technical choices are never only technical choices, which means that they are never54 neutral. This applied also to the invention of writing, printing and, most recently, PC—just to name a few—therefore, the assumption according to which technology is just a pure “instrument” becomes illusory.55 The effects of technological mediation are reflected also in the field of law.56 The basic goal of the design theory is, therefore, to determine the behaviour of the individual by preventing and correcting malfunctions, by identifying them already at the design time and providing effective protections to prevent the downgrading of the laws into “paper dragons”57: …lawyers need to be involved to prevent inadequate reformulation of legal norms into technical architectures. This does not imply that articulating law in novel technological  Lévy (1990), p. 68 (my own translation).  “Technology is neither good nor bad; nor is it neutral”, Kranzberg (1986). 55  “The way a technology is designed, in short it defines and influences the actions of the subject, preventing some, allowing or helping others. In this sense, objects of daily use have a moral content: prescribe, oblige, allow, prohibit and regulate the behavior of users”. See Bisol et al. (2014), p. 246. 56  “[M]oving from one type of infrastructure to the next has major consequences for the manner in which legal authority and normativity can be sustained. For lawyers and legislators it may be too obvious to note that modern law is in fact technologically embodied, namely in the technology of the script and the printing press”, Hildebrandt (2011), p. 237. 57  Ibid., p.  231, thus wrote: “If we want to sustain the rights and freedoms that developed with modern legal systems, legislators need to engage in the design of the novel computational infrastructures, taking care that they at least provide effective legal protection against their own omniscience and their capability to enforce a normativity that goes against the grain of constitutional democracy”. 53 54

198

F. De Vanna

frameworks renders written law redundant. Just as written law has not replaced the role of unwritten law but complemented and changed it, written law as well as unwritten law will continue to play a key role in providing legal protection….58

Regulation through the design is a matrix that includes many models differing from one another according to their objectives and their level of ‘constriction’ impressed by the relating implementing arrangements, i.e. on the basis of the “amount of choice”59 that they offer to the user. In short, four fundamental models are identified. Persuasive technology falls into design forms of messages and aims at changing the behaviour of the user by suggesting the best solution simply describing it as the most rational. From a technical point of view this architecture does not provide any external material interference and maintains the full spectrum of choices; however it “influences” and directs the user’s choice with an achievement that depends on the degree of persuasiveness of the message itself. A practical example of such regulation is the Speed Monitoring Awareness Radar Trailer near “sensitive” areas like playgrounds: in this case, the device indicating the speed limit invites the drivers to reflect and adapt their driving attitude without perceiving a real external constraint. The second regulatory model is represented by the nudging theorized by Richard Thaler and Cass Sunstein60: it challenges the economic theory that regards man as “rational” actors—homo economicus—and embraces the approach of cognitive psychology in which the individuals’ choices considerably affect the cognitive limitations and failures, along with strategic reasons.61 This model belongs to the field of communication design and, again, the spectrum of possible choices remains essentially unchanged but, unlike the previous model, the design establishes a hierarchy among the policy options thus making a subtle “manipulation” of the context where the decision should be made. The nudging, in fact, gives—a gentle “push”— that alters the behaviour of individuals in a predictable way but without excluding any option. Obligations, coercion and prohibitions make way for a general strategy of incentives and benefits which makes the choice identified as optimal by the regulator easier (and more practicable). In other words, normativity gets rid of the heavy burden of rules and dissolves itself into a system of “tips”. In this context, the nudging is a paradigm of soft paternalism, because it assumes that the individuals alone are not able to decide rationally and guide them towards the “best” solution. An example of this model is the anticipatory computing, namely the tendency of new technologies—in particular of social networks and e-commerce platforms—to address and anticipate the future through algorithms suggesting forecast models.62  Hildebrandt (2010), p. 454.  Leenes and Lucivero (2014), p. 209. 60  Cfr. Thaler and Sunstein (2008). 61  Becker (1976). 62  “Computers weren’t initially created to persuade; they were built for handling data – calculating, storing, and retrieving. But as computers have migrated from research labs onto desktops and into everyday life, they have become more persuasive by design. Today computers are taking on a variety of roles as persuaders, including roles of influence that traditionally were filled by teachers, 58 59

The Construction of a Normative Framework for Technology-Driven Innovations:…

199

These predictive systems use the traces left by the users, anticipating their choices and actions. “Affordance” is the term that characterises the third relevant regulatory model and designates the set of “the perceived and actual properties of the thing, primarily those fundamental properties that determine just how the thing could possibly be used”.63 This research was inaugurated by the studies of Donald Norman64 and focuses on the adaptive character of design so that the ‘performances’ always prevail over the aesthetic component of the design. Evidently, it belongs to the field of product design. Still today, for example, hotels use uncomfortable and particularly heavy key chains urging guests to hand over the keys at the reception before leaving the hotel.65 The key chain contains an “action programme” (script) which is inscribed in its form,66 which immediately indicates the “function” and allows for a “pragmatic mediation” leveraging the natural signs provided by the objects. A bad design makes the perception of using an object more complicated or hides its primary use behind the others, either wrong or misleading. The fourth model is the techno- regulation67: it differs from the previous ones because it expects to encode the regulation directly into the technological device. In this sense, the techno-regulation is a “strong” performance-efficient architectural model: it completely eliminates the “mouldabilty” strongly emphasized by Lessig starting from the basis of the artificial character of the code and enables the mechanical application of the regulation. In this case, the model does not give any impulse, push, or the correspondence between form and function: the range of the possible choices is drastically reduced to only one possible option, thus determining the individual behaviour in advance. In other words, the compliance of the behaviour is automated and the need for a specific action arises from the deterministic force of a “law of nature, like the force of gravity”.68 The car able to automatically prevent the pilot from accelerating is the paradigmatic case of this type of regulation: the legal value is embedded within a technical solution. In this case the “social control” is not exercised under the penalty of punishment, but rather by means of a practical solution, a self-applicable “technology”.69 As already observed, the techno-regulation, evoking the possibility of total control, raises important questions in terms of compatibility with the principles of modern constitutionalism. In this sense, the techno-regulation, like rule by law, seems to be a threat to freedom meant as non-domination. Techno-regulation exceeds and coaches, clergy, therapists, doctors, and salespeople, among others. We have entered an era of persuasive technology, of interactive computing systems designed to change people’s attitude and behaviors”. Fogg (2003), p. 1. 63  Norman (1988), p. 9. 64  Norman (2007). 65  Akrich (1992). 66  Latour (1992). 67  Leenes (2011). 68  Rossato (2006). 69  Pagallo (2014), p. 130.

200

F. De Vanna

amplifies the dangers of paternalism to the extent that it results in devious forms of authoritarianism, even if it has often been useful to fight against particular crimes such as terrorism and, specifically, cyber-terrorism. As stated by Kant, nobody can force us to be happy in one’s own way, “in accordance with his beliefs about the welfare of others”70: paternalism, at least in its strongest meaning, is a detrimental form of despotism which extends the instrumental size of the law compared to the assumption according to which it has its own value. From the perspective of techno-regulation, as Roger Brownsword noted, obvious problems emerge from the profiles of transparency and accountability: unlike the rules approved by the legislator, typically through an open ‘deliberation’ procedure, the architectural regulation hides the reasons underlying the draft code71—the ­pedigree72—and the subject is no longer able to perceive what is ‘the right thing’ and why. In other words, it can be said that a completely techno-regulated society is likely to affect the self-control mechanisms and leads to what David Smith has called “de-moralising” effects.73 Moreover, the operating settings of the new technologies are often installed by default and act in an essentially “invisible” way, so that users cannot challenge their accuracy. The design of new technologies is an interesting research path and is potentially able to offer a decisive support to the processes of legal regulation; however, the measures and technical needs inevitably require a social awareness and a legal background that regard the guarantee of the individual’s freedom as a commitment. In other words, we need a new ethics of responsibility, adjusted to the new technological era, which revises some legal categories and inspires new regulatory solutions. A quick look at robotics may provide an insight into some directives on the regulation of artificial intelligence.

4  From Robots’ Liability to Humans’ Responsibility 4.1  The Case of Robots: Do We Have to Forget Asimov? Through the collection and categorization of data the algorithm “introjects” preferences, attitudes, choices and prejudices of real users but, obviously, it does not have its own. As already pointed out in relation to the theory of design, the  Kant (1991), p. 74.  “Regulation affects the behaviour of individuals and (often) restricts their autonomy and freedom to act. This requires justification. This requirement equally applies to restrictions imposed by the state and to those imposed by private entities. The nature of the justification may differ. The legitimation of state intervention is well understood: it has to be legitimate and based on the rule of law. The justification of intervention in freedoms of individuals by private entities is usually based on consent or the protection of rights”, Leenes (2011), p. 149. 72  Lessig (1999a), p. 98. 73  Smith (2000). 70 71

The Construction of a Normative Framework for Technology-Driven Innovations:…

201

“nomopoietic” power of the code cannot hide the “human factor” of the programmer and his/her responsibility. The shape of the technological device may oppose a certain “resistance” to the exploitation, making it improbable but not impossible. The issue of responsibility applied to robotics must be based on a fundamental distinction: autonomy vs. freedom. These categories are often considered the same thing in the legal debate, thus leading to a misunderstanding that prevents us from making distinctions and indispensable clarifications. “Androids” are in many cases “autonomous”, in the sense that they regulate themselves and take basic decisions in an independent way: they are able to prefer an option among many alternatives and have a cognitive dimension that allows them to adapt their behaviour under different circumstances, starting from coded ‘experience’ data (machine-learning).74 Those arguments, however, cannot establish any kind of “freedom” in the robot. Robots do what the user wants to do and follow the “instructions” following inference rules. Their choice relies on instructions and “do not give up what is not chosen, as human beings do”75: the latter, in fact, feel an inevitable regret for the alternatives that they have excluded. The robot programming already includes the option to be preferred, therefore it is not appropriate to refer to good or bad choices: “for these devices we should rather refer to right or wrong, correct or incorrect behaviour”.76 The famous three Asimov’s laws77 have shaped our imaginary: they were formulated as the “technological” version of the values and fundamental principles underlying the relationships between people and human beings, first of all the neminem laedere principle. But this transposition conceals the fact that robots are not moral subjects able to give themselves norms, therefore, they cannot be considered “responsible”.78 The artificial agent emulates the reason as a calculation and emulates the will as feedback through formalization operations. But humanity cannot be limited to its functions and, therefore, “[t]he attempt to compare the human mind to the computer is doomed to fail” because “[h]uman conscience is a property of the whole person and must be considered in the entirety that distinguishes human intelligence”.79

 This type of intelligence is largely used, for example, for self-driving cars as well as for the autopilot system for civil aviation and drones. A famous example is Deep Blue, a robot which defeated the chess champion G. Kasparov in 1997. 75  Fabris (2012), p. 80. 76  Ivi, p. 81. 77  The three laws formulated by Asimov in 1942 in his “Runaround” short story are listed below: 1. A robot may not injure a human being or, through inaction, allow a human being to come to harm; 2. A robot must obey orders given it by human beings except where such orders would conflict with the First Law; 3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law. Cfr. Asimov (1950). 78  From this point of view, the application of a “black box” to smart cars has been suggested so that any failure can be detected; moreover, the users of these cars should enter into an insurance agreement which covers any damage possibly caused by “autonomous” robots. 79  Moro (2015), p. 530 (my own translation). 74

202

F. De Vanna

In other words, Asimov’s laws focus on robots, but today it is more urgent to define the rules for artificial machine developers. Although some authors, such as Ray Kurzweil,80 believe that the quick development of artificial intelligence will soon lead to the production of self-aware robots, this scenario does not seem to be imminent.81 Therefore, robots do not have their own agency. Those who think otherwise fall in what Jack Balkin has called “homunculus fallacy”, according to which there is a “homunculus” in the algorithm that governs artificial intelligence and robots which determines the good or evil nature of the activities carried out.82 In this way, we accept the shift of responsibility from the coder to the code, by redirecting the dysfunctions to mere side effects that man cannot address because they cannot be predicted upon the design stage.83 Therefore, a share of responsibility rests with each operator, in a global mechanism that requires the contribution of everyone, although it is cannot be individually controllable by anyone in particular. Then it becomes necessary to establish a legal background of normative principles and models, in addition to an ethics for operators, a professional ethics for designers and users: in this perspective the expression “techno-ethics” must be understood as “ethics in the age of robots” since “the object of reflection in ethics is new (robotics), but the way to face the issue (deontological method) is ‘classical’”.84

4.2  S  ome Conclusive Thoughts: A Framework for Operators and Authorities The latest-generation devices, including robots, could not work without an underlying algorithm governing their interactions based on coded predictive models. The algorithm, in turn, could not work without processing and reprocessing a permanent flow of information: from this point of view the case of self-driving cars is paradigmatic. Robots, or any other intelligent tool, need an external environment from which they receive stimuli and impulses in the form of ‘data’. Therefore, it is clear  Kurzweil (2005, 2012).  Searle (1980). 82  These cases are referred to as “anthropomorphism” or “zoomorphism”, i.e. the tendency to assign the characteristics of men or animals to inanimate beings: “[h]umans may also project emotions, feelings of pleasure and pain, the capacity to form relationships with others, and the capacity to care for others and be cared by them in turn. The projection of human or animal emotions onto inanimate objects is as old as history itself. People hear the wind howl and the ocean roar; they project agency and loyalty onto their ships and cars. The projection of humanity onto what is not human is the reflection of the self on the outside world”, Balkin (2015), p. 56. 83  “When we criticize algorithms, we are really criticizing the programming, or the data, or their interaction. But equally important, we are also criticizing the use to which they are being put by the humans who programmed the algorithms, collected the data, or employed the algorithms and the data to perform particular tasks”, Balkin (2017), p. 14. 84  Grion (2016). 80 81

The Construction of a Normative Framework for Technology-Driven Innovations:…

203

that the nature of new technologies is basically ‘informational’ and is ultimately based on the “hardware-big-data-algorithm” trio: Because robots are cloud robots, we shouldn’t forget that one of the central issues in robots and AI agents is the handling of data, and in particular, Big Data. Robots are nothing without data, and since many robots will be cloud robots, and many AI systems will be connected to the Internet cloud, they will depend heavily on data analytics.85

Jack Balkin theorized three general rules which constitute a “minimum” normative framework that should inform the institutions (either political or private) and above all the ethics of operators: unlike Asimov’s laws, they are not intended for the robot but rather for the individuals. The first rule states that “the algorithmic operators are information with respect to their clients and end-users”. Recalling the obligations for particular professional categories such as doctors and lawyers, this rule asks the programmers of smart machine to use the information collected by the algorithms as “trust information” as they identify sensitive user data.86 For example, physicians must use “confidential”87 information relating to their patients by complying with duties of diligence and correctness, thus avoiding the occurrence of conflicts or risks that may jeopardize the physical and mental wellbeing of the patients. In other words, they must adapt their behaviour to the principle of good faith. Large IT companies, from this point of view, have similar obligations: Google, for example, collects, analyses and classifies a huge number of data relating to the users, who read (and “accept”) the privacy policy allowing for the “improvement of the browsing experience”. Google asks its customers’ trust and the latter cannot help but trust it: on the other hand, the use of some search engines is difficult and the verification of the data classification solutions and purposes is almost impossible. Therefore, while the users’ lives become virtually transparent, the browsers promote the “logic of secrecy”.88 Putting the duties of data-users on an equal footing with fiduciaries means following a “principle of finality” in the sense that the data,  Balkin (2017), p. 8.  Balkin (2016). 87  “Confidentiality law arose centuries ago to keep certain kinds of shared information private. Multiple areas of the law provide confidentiality protections for preventing the disclosure of information in intermediate states, whether through professional duties of confidentiality, implied or expressed contracts for confidentiality, evidentiary privileges, or statutory rules. We have long had confidentiality rules like the duties lawyers owe to their clients and doctors owe to their patients to incent individuals to feel safe in sharing their confidences to advance important societal values of providing effective legal representation and medical care. We also have statutory rules that explicitly create confidential relationships regarding health, financial, and video records information. We also protect obligations of confidentiality that arise through voluntary promises or confidentiality agreements like preventing employees from revealing business secrets. Confidentiality law reveals how we have long recognized shared information can still be kept private using effective legal tools. Expanding confidentiality law approaches would seem to be one way to help keep shared information private”, Richards and King (2014), pp. 415–416. 88  As written by Frank Pasquale, the large companies of the digital era are “black boxes” whose operation, often subjected to market targets, are not accessible not only to users but also to the analysts. Pasquale (2015). 85 86

204

F. De Vanna

“although available, may only be used in accordance with the reasons that the party has decided to make them public in some way.”89 Profiling mechanisms, as noted above, may present a threat to society as a whole. The second rule formulated by Balkin—“algorithmic operators have duties toward the general public”—emphasises the public consequences of the private use of social media and search engines. It has been appropriately observed that” [t]he technical community, willingly or not, now has become a policy community, and with public policy influence comes responsibility”.90 Jonathan Zittrain has proved that Facebook has the potential to manipulate the data of its users in order to guide their voting intentions, thus affecting the overall outcome of the presidential election.91 This example inevitably stresses the social and public dimension of the digital sphere, which is able to influence crucial aspects of life, including those not profiled or lacking a digital culture. Therefore, the operators have obligations even towards third parties and ‘public’ duties to protect the society in general terms.92 This trend reflects the mechanisms of attribution of legal responsibility developed at the beginning of the twentieth century, when the large manufacturing companies were held liable for the damage caused to third parties by their defective products, regardless of the absence of a direct contract between the producer and final consumer.93 The third rule assumed by Balkin establishes that “[a]lgorithmic operators have a public duty not to engage in algorithmic nuisance”: again, the algorithm has no intentions—neither good nor bad—while the coders should not entrust the algorithm activity to any third party, as companies are legally obliged to minimize the environmental impact of their activities. The use of IT tools produces a continuous data flow elaborated by the algorithms thus generating categorisations: this means that the users’ identity is processed but also influenced and exposed to the risk of

 Rodotà (2012), p. 322.  Reidenberg (1998), p. 583. 91  Zittrain (2014). 92  “[G]overnments should intervene…when private action has public consequences”, writes Lessig (1999a, b), p. 233. Mireille Hildebrandt pointed out and further developed this aspect stating that “genetic tests or technologically enhanced soldiers should be obligated to present their case to the public that is composed of those that will suffer or enjoy the consequences. In other words, the hybrids that are propelled into the collective must survive the scrutiny of the public that constitutes itself around what it considers to be a matter concern”. 93  The current Italian legal system includes a civilistic category which addresses the same need for “protection”: they are agreements with “protective effects” towards any third party leading to the division between the obligation of protection and performance obligation, and the content of the obligation is not only what is written (primary obligation of performance) but also what is right (secondary obligations of protection, either instrumental or accessory). 89 90

The Construction of a Normative Framework for Technology-Driven Innovations:…

205

reputational damages,94 tampering95 and normalisations.96 In this regard, the legal framework that offers the best heuristic resources is the environmental law and the concept of “nuisance”97 Just like pollution, as evidenced by Balkin, the discrimination caused by the algorithm does not have any binary demarcation line between “permission” and “forbidden” as a degree logic, since it relies on the continuous elaboration of the data accumulated incrementally.98 Therefore, programmers should not to pollute the digital environment, i.e. not produce unreasonable “costs” which may result in an increase in the users’ vulnerabilities.

References Akrich, Madeline. 1992. The De-Scription of Technological Objects. In Shaping Technology Building Society: Studies in Sociotechnical Change, ed. Wiebe Bijker and John Law, 205–224. Cambridge: MIT Press. Amato Mangiameli, Agata. 2017. Tecno-regolazione e diritto. Brevi note su limiti e differenze. Diritto dell’informazione e dell’informatica: 147–167. Asimov, Isaac. 1950. Rounaround. In I, Robot. New York: Bantam. Balkin, Jack. 2015. The Path of Robotics Law. California Law Review 6: 45–60. Balkin, M. Jack. 2016. Information Fiduciaries and the First Amendment. U.C Davis Law Review 49: 1183–1234. ———. 2017. 2016 Sidley Austin Distinguished Lecture on Big Data Law and Policy: The Three Laws of Robotics in the Age of Big Data. Ohio State Law Journal 78: 1217. Yale Law School, Public Law Research Paper No. 592. Becker, Gary. 1976. The Economic Approach to Human Behavior. Chicago: University of Chicago Press. Bisol, Benedetta, Antonio Carnevale, and Federica Lucivero. 2014. Diritti umani, valori e nuove tecnologie. Metodo. International Studies in Phenomenology and Philosophy 2: 235–252. Brownsword, Roger. 2005. Code, Control, and Choice: Why East is East and West is West. Legal Studies 1: 1–21. Butler, Samuel. 1872. Erewhon or Over the Range. Londra: Trubner.

 “[T]he algorithm affects your reputation by placing you in a category or class, which is not necessarily an assessment of risk. The algorithm constructs groups in which you are placed and through which you are known and therefore potentially acted upon. Classification can affect your reputation without an assessment of risk because it says what kind of person you are and who you are treated as equivalent to (and, implicitly, better than or worse than according to some metric)”, Balkin (2017), p. 40. 95  “[H]uman beings and organizations can use algorithms to lead you and others like you to make (more or less) predictable choices that benefit the algorithm operator but do not enhance your welfare and may actually reduce your welfare”, Balkin (2017), p. 41. 96  “[T]he algorithm causes you to internalize its classifications and assessments of risk, causing you to alter your behavior in order to avoid surveillance or avoid being categorized as risky”, ibid. 97  Balkin discourages the application of criminal law and anti-discriminatory law: in fact, the use of the “respondeat superior” principle would make no sense, since the algorithm itself does not represent any subjective attribution and, consequently, it is impossible to transfer the responsibility which must be assigned—since the very beginning, to the human being. 98  Ivi, p. 34. 94

206

F. De Vanna

De Monchaux, John, and Mark J.  Schuster. 1997. Five Things to Do. In Preserving the Built Heritage: Tools for Implementation, ed. John De Monchaux and Mark J.  Schuster, 3–12. Waltham: University Press of New England. di Robilant, Enrico. 1973. Il diritto nella società industriale. Rivista internazionale di filosofia del diritto: 225–262. Easterbrook, Frank. 1996. Cyberspace and the Law of the Horse. University of Chicago Legal Forum 113: 207–216. Fabris, Adriano. 2012. Etica delle nuove tecnologie. Brescia: Editrice La Scuola. Floridi, Luciano. 2014. The Fourth Revolution. How the Infosphere is Reshaping Human Reality. Oxford: Oxford University Press. Fogg, J. Brian. 2003. Persuasive Technology. Using Computers to Change What We Think and Do. Amsterdam: Morgan Kaufmann Publishers. Foucault, Michel. 1988. In Technologies of the Self: A Seminar with Michel Foucault, ed. L. Martin, H. Gutman, and P. Hutton, 16–49. Amherst: The University of Massachusetts Press. Goldoni, Marco. 2007. Politiche del codice. Architettura e diritto nella teoria di Lessig. Available online https://archiviomarini.sp.unipi.it/350/1/lessig.pdf Grion, Luca. 2016. Ethics in the Age of Robotics Revolution. Cosmopolis, Rivista di Filosofia e Teoria Politica 2. Hildebrandt, Mireille. 2008. Legal and Technological Normativity: More (and Less) Than Twin Sisters. Techné: Journal of the Society for Philosophy and Technology 3: 169–183; Vrije Universiteit Brussel, From the Selected Works of Mireille Hildebrandt, https://works.bepress. com/mireille_hildebrandt/13/. ———. 2010. The Challenges of Ambient Law. Modern Law Review 73: 428–460. ———. 2011. Legal Protection by Design: Objections and Refutations. Legisprudence 5: 223–248. Hildebrandt, Mireille, and Bert-Jaap Koops. 2010. The Challenges of Ambient Law and Legal Protection in the Profiling Era. Modern Law Review 73: 428–460. Irti, Natalino. 2007. Il diritto nell'età della tecnica. Napoli: Editoriale Scientifica. Janic, Milena, Pieter Wijbenga, and Thijs Veugen. 2013. Transparency Enhancing Tools (TETs): An Overview. Washington, D.C.: IEEE Computer Society. Kant, Immanuel. 1991. On the Common Saying: ‘This May Be True in Theory, but It Does Not Apply in Practice’. In Kant’s Political Writings, ed. Hans Reiss. Trans. H.B. Nisbet. Cambridge: Cambridge University Press. Khanna, Ayesha, and Parag Khanna. 2012. Hybrid Reality. Thriving in the Emerging Human-­ Technology Civilization. Ted Books. Klabbers, Jan. 2017. Doing Justice? Bureaucracy, the Rule of Law and Virtue Ethics. Journal of Legal Philosophy 1: 27–49. Kluxen, Kurt. 1980. Die geistesgeschichtlichen Grundlagen des englischen Parlamentarismus. In Parlamentarismus, ed. Kurt Kluxen, 99–111. Berlin: Athenäum. Koops, Bert-Jaap. 2008. Criteria for Normative Technology. The Acceptability of ‘Code as Law’ in Light of Democratic and Constitutional Values. In Regulating Technologies: Legal Futures, Regulatory Frames and Technological Fixes, ed. Roger Brownsword and Karen Yeung, 157– 174. Oxford: Hart Publishing. ———. 2012. The (In)Flexibility of Techno-Regulation and the Case of Purpose-Binding. Legisprudence 5: 171–194. Kranzberg, Melvin. 1986. Technology and History: ‘Kranzberg’s Laws’. Technology and Culture 27: 544–560. Krygier, Martin. 2009. The Rule of Law: Legality, Teleology, Sociology. In Relocating the Rule of Law, ed. Gianluigi Palombella and Neil Walker, 45–70. Oxford: Hart Publishing. Kurzweil, Ray. 2005. How to Create a Mind: The Secret of Human Thought Revealed. New York: Penguin. ———. 2012. The Singularity is Near: When Humans Transcend Biology. New York: Penguin. Laghi, Pasquale. 2015. Cyberspazio e sussidiarietà. Napoli: Edizioni Scientifiche Italiane.

The Construction of a Normative Framework for Technology-Driven Innovations:…

207

Latour, Bruno. 1992. Where are the Missing Masses. In Shaping Technology Building Society: Studies in Sociotechnical Change, ed. Wiebe Bijker and John Law, 225–258. Cambridge: MIT Press. Leenes, Ronald. 2011. Framing Techno-Regulation: An Exploration of State and Non-state Regulation by Technology. Legisprudence 5: 143–169. Leenes, Ronald, and Federica Lucivero. 2014. Laws on Robots, Laws by Robots, Laws in Robots: Regulating Robot Behaviour by Design. Innovation and Technology 6: 194–222. Lessig, Lawrence. 1999a. Code and Other Laws of Cyberspace. New York: Basic Books. ———. 1999b. The Law of the Horse: What Cyberlaw Might Teach. Harvard Law Review 113: 501–549. Lévy, Pierre. 1990. Le tecnologie dell’intelligenza. Trans. F. Berardi. Milano: Synergon. Mitchell, J.  William. 1995. City of Bits: Space, Place, and the Infobahn. Cambridge: Harvard University Press. Moro, Paolo. 2015. Libertà del robot? Sull’etica delle macchine intelligenti. In Filosofia del diritto e nuove tecnologie. Prospettive di ricerca tra teoria e pratica, ed. Raffaella Brighi and Silvia Zullo, 525–544. Roma: Aracne. Norman, A. Donald. 1988. The Design of Everyday Things. New York: Basic Books. ———. 2007. The Design of Future Things. New York: Basic Books. Pagallo, Ugo. 2014. Il diritto nell’età dell’informazione. Il riposizionamento tecnologico degli ordinamenti giuridici tra complessità sociale, lotta per il potere e tutela dei diritti. Torino: Giappichelli. Palombella, Gianluigi. 1990. L’istituzione del diritto. Una prospettiva di ricerca. Materiali per una storia della cultura giuridica 2: 367–401. ———. 2009. The Rule of Law Beyond the State: Failures, Promises, and Theory. International Journal of Constitutional Law 7: 442–467. Pascuzzi, Giovanni, ed. 2016. Il diritto dell’era digitale. Bologna: il Mulino. Pasquale, Frank. 2015. The Black Box Society: The Secret Algorithms That Control Money and Information. Cambridge: Harvard University Press. Posner, Eric. 2000. Law and Social Norms. Cambridge: Harvard University Press. Radbruch, Gustav. 1950. Introduzione alla scienza giuridica. Torino: Giappichelli. Rawls, John. 1955. Two Concepts of Rules. The Philosophical Review 64: 3–32. Reidenberg, R. Joel. 1998. Lex Informatica: The Formulation of Information Policy Rules Through Technology. Texas Law Review 76: 553–584. Richards, M. Neil, and Jonathan H. King. 2014. Big Data Ethics. Wake Forest Law Review 49: 393–432. Rodotà, Stefano. 2012. Il diritto di avere diritti. Roma-Bari: Laterza. Rossato, Andrea. 2006. Diritto e architettura nello spazio digitale. Il ruolo del software libero. Padova: Cedam. Salazar, Carmela. 2014. Umano troppo umano…o no? Robot, androidi e cyborg nel “mondo del diritto” (prime notazioni). BioLaw Journal 1: 255–276. Searle, R. John. 1964. How to Derive “Ought” from “Is”. The Philosophical Review 73: 43–58. ———. 1980. Minds, Brains, and Programs. Behavioral and Brain Sciences 3: 417–457. Smith, J.  David. 2000. Changing Situations and Changing People. In Ethical and Social Perspectives on Situational Crime Prevention, ed. Andrew von Hirsch, David W. Garland, and Alison Wakefield, 147–173. Oxford: Hart Publishing. Thaler, H. Richard, and Cass Sunstein. 2008. Nudge. Improving Decisions About Health, Wealth and Happiness. New Haven: Yale University Press. Vermaas, E. Pieter, Kroes Peter, Light Andrew, and Steven A. Moore, eds. 2008. Philosophy and Design: From Engineering to Architecture. Dordrecht: Springer. Warren, D. Samuel, and Louis D. Brandeis. 1890. The Right to Privacy. Harvard Law Review 4 (5): 193–220. Weiser, Mark. 1993. Some Computer Science Problems in Ubiquitous Computing. Communications of the ACM 36: 7; reprinted as Ubiquitous Computing, Nikkei Electronics, 199: 137–143.

208

F. De Vanna

Westin, F. Alan. 1967. Privacy and Freedom. New York: Athenum. ———. 1982. Home Information Systems: The Privacy Debate. Datamation 28: 100–113. Winner, Langdon. 1980. Do Artefacts Have Politics. Daedalus 109: 121–136. Yeung, Karen. 2008. Towards an Understanding of Regulation by Design. In Regulating Technologies: Legal Futures, Regulatory Frames and Technological Fixes, ed. Roger Brownsword and Karen Yeung, 79–108. London: Hart Publishing. Zagrebelsky, Gustavo. 1992. Il diritto mite. Torino: Einaudi. Zittrain, Jonathan. 2014. Response, Engineering an Election: Digital Gerrymandering Poses a Threat to Democracy. Harvard Law Review 127: 335–336.

Part III

Addressing Violations Deriving from the Use of New Technologies: Issues of Responsibility and Judicial Protection

Who Is to Blame for Autonomous Weapons Systems’ Misdoings? Daniele Amoroso and Benedetta Giordano

Abstract  This Chapter analyses who (or what legal entity) should be held responsible for behaviours by Autonomous Weapons Systems (AWS) that, were they enacted by a human agent, would qualify as internationally wrongful acts. After illustrating the structural problems which make ascription of responsibility for AWS’ activities particularly difficult, when not impossible, the alternative routes proposed to solve the ensuing responsibility gap will be assessed. The analysis will focus, in the first place, on the international criminal responsibility of the individuals who, in one way or another, are involved in the process of production, deployment and activation of the AWS.  The possibility to hold the deploying State accountable for AWS’ wrongdoings will then be gauged. Subsequently, attention will be paid to the responsibility of the corporations manufacturing and/or programming the AWS. It will be observed that these options may solve some responsibility problems more effectively than critics of AWS are ready to admit. At the same time, it will be shown that, unless a no-fault liability regime is adopted, autonomy in weapons systems is bound to magnify the risk that no one may be held to answer for acts which are objectively in contrast with international legal prescriptions. Also, it will be argued that, given the complementary relationship among the various forms of responsibility under international law, proposals aimed at focusing solely on one of these at the expense of others are incapable of leading to satisfying results.

Paper submitted on 23 February 2018. Although the Authors equally share the responsibility for the entire work, just for evaluation purposes, Sects. 2, 3, 4 and 6 should be attributed to Daniele Amoroso, while the remaining sections should be attributed to Benedetta Giordano. D. Amoroso (*) University of Cagliari, Cagliari, Italy B. Giordano Juvenile Court of Salerno, Salerno, Italy © Springer Nature Switzerland AG 2019 E. Carpanelli, N. Lazzerini (eds.), Use and Misuse of New Technologies, https://doi.org/10.1007/978-3-030-05648-3_11

211

212

D. Amoroso and B. Giordano

1  Introduction In the ever-growing scholarly and diplomatic debate on the ethical and legal implications of Autonomous Weapons Systems (AWS), a prominent place is given to responsibility issues.1 To be discussed, in particular, is who (or what legal entity) would be to blame in case an AWS makes a targeting decision that, were it taken by a human agent, would trigger state responsibility or, in the most serious cases, individual criminal responsibility. Indeed, even supporters of AWS are ready to concede that they will never be able to ensure a 100% degree of compliance with International Humanitarian Law (IHL).2 The Group of Governmental Experts (GGE) on Lethal Autonomous Weapons Systems, which met in 2017 under the auspices of the Convention on Conventional Weapons (CCW),3 showed awareness of this problem. In its first Report, it highlighted that: States must ensure accountability for lethal action by any weapon system used by the State’s forces in armed conflict in accordance with applicable international law, in particular international humanitarian law.4

Notwithstanding the floods of ink devoted to this topic, it is fair to affirm that the entire discussion is polarised around two antagonistic views. On the one end of the spectrum, there are those who scramble to identify the responsibility-bearers for AWS’ misdemeanours, be them one or more designated individual(s) in the decision-­ making chain and/or legal entities (i.e., States or corporations). On the other end, there are the critics of AWS who argue that every attempt to fill the responsibility gap created by AWS is doomed to fail.5 Our inquiry will be therefore developed along these lines. After illustrating the “structural problems” which make ascription of responsibility for AWS’ activities particularly difficult, when not impossible (Sect. 2), the alternative routes proposed to solve the responsibility gap problem will be assessed. The analysis will focus, in the first place, on the international criminal responsibility of the individuals who are somehow involved in the process of production, deployment and activation of the AWS (Sect. 3). The possibility to hold the deploying State accountable for AWS’ wrongdoings will then be gauged (Sect. 4). Subsequently, attention will be paid to the responsibility of the corporations manufacturing and/or programming the AWS  Academic discussion on this topic was kicked off by Sparrow (2007). Since then, this problem has been dealt with in several articles, speeches and reports, of uneven quality indeed, which we will recall—as comprehensively as possible—throughout the analysis. 2  See, e.g., Crootof (2016), pp. 1373–1375; NATO JAPCC (2016), p. 27. 3  The GGE was established after a three-year cycle of informal meetings, with the mandate of exploring possible recommendations on Lethal AWS to be submitted to CCW State parties. See the Final Document of the Fifth Review Conference, 23 December 2016, UN Doc. CCW/CONF.V/10, Decision 1. 4  Report of the 2017 Group of Governmental Experts on Lethal Autonomous Weapons Systems, 20 November 2017, UN Doc. CCW/GGE.1/2017/CRP.1, para. 16(c). 5  Compare, e.g., NATO JAPCC (2016), pp. 28–31, with HRW and IHRC (2015). 1

Who Is to Blame for Autonomous Weapons Systems’ Misdoings?

213

(Sect. 5). It will be observed that these options may solve some responsibility problems more effectively than the critics of AWS are ready to admit. At the same time, it will be shown that, unless a no-fault liability regime is adopted, autonomy in weapons systems is bound to magnify the risk that no one (individual, State, corporation) may be held responsible for an AWS objectively acting in contrast with international legal prescriptions. In Sect. 6, it will be conclusively argued that, given the complementary relationship among the various forms of responsibility under international law, proposals aimed at focusing solely on one of them (i.e., State and/ or corporate responsibility) at the expense of another (notably, individual criminal responsibility) are incapable of leading to satisfying results. Unlike most analyses on AWS, we will not delve into the definitional issue concerning what makes a weapons system “autonomous”. For reasons explained elsewhere by one of the present authors,6 we will adopt the definition—propounded by the US Department of Defense (DoD)7 and the International Committee for the Red Cross (ICRC)8—whereby, to count as autonomous, a weapon system must be able to perform the critical functions of selecting and engaging targets without human intervention.9

2  S  tructural Problems with Responsibility Ascription for AWS’ Misdoings Quite unsurprisingly, the discussion on the responsibility gaps possibly provoked by autonomous machines is not peculiar to military technology. Rather, it builds upon on the wider debate among ethicists on the way Artificial Intelligence (AI) and, more generally, computer technology may affect responsibility ascription for harmful events. This debate has brought two factors with the potential to function as “structural” sources of responsibility gaps into the limelight, namely (i) the inherent unpredictability of autonomous machines and (ii) the “many hands” problem. (i) The inherent unpredictability of autonomous machines. In a farsighted 2004 article, Andreas Matthias pinpointed the inevitability of “responsibility gaps” as a consequence of the development and use of autonomous, learning machines.10 He set out from the observation that machines are nowadays entrusted with i­ ncreasingly  Amoroso and Tamburrini (2017), pp. 3–4.  US Department of Defense, “Autonomy in Weapons Systems” Directive 3000.09 (21 November 2012), p. 2. 8  ICRC (2016), p. 8. 9  Remarkably enough, by adopting a definition of this kind, it is possible to qualify some presently operating weapons systems as autonomous, their limited target baskets notwithstanding, including stationary robotic sentinels, loitering munitions and fire-and-forget systems. For an overview of existing weapons captured by this notion of autonomy, see Amoroso and Tamburrini (2017), pp. 3–4. 10  Matthias (2004). 6 7

214

D. Amoroso and B. Giordano

complex tasks, whose accomplishment is ever more difficult to ensure through traditional programming, whereby all possible situations are coded into long and articulated sequences of behavioural rules based on IF-THEN-ELSE statements. Against this background, optimal performances can be ensured only by endowing machines with some learning capabilities, so that they may develop their own rules to face situations that were not (and could not have been) foreseen during the code production process. In this way, programming shifts from mere “coding” to “creating” software organisms, which no longer behave on the basis of fixed and thus predictable programs, but shape their actions in response to the operational environment.11 Matthias claims that the relationship of control between the machine and the human agent (be it the programmer or the final user) is thus severed, with the consequence that the latter cannot be blamed for the former’s harmful activities. While weapons systems are mentioned by Matthias only cursorily, they constitute a promising field of application of his theory. Remarkably enough, in the very first work devoted to AWS-related responsibility gaps, Rob Sparrow followed quite a similar argumentative path.12 In his view, if an AWS “has sufficient autonomy that it learns from its experience and surroundings then it may make decisions which reflect these as much, or more than, its initial programming”. This inevitably affects the predictability of its choices, which will lie at some point beyond the control of its programmers (or users), so breaking the connection “between the programmers/ designers [as well as the users] and the results of the system, which would ground the attribution of responsibility”.13 The works by Matthias and Sparrow stirred a lively debate, which for obvious reasons cannot be addressed here in full detail.14 Among the criticisms levelled against Matthias’ thesis, that by Deborah Johnson concerns us the most. She contested the deterministic vision propounded by Matthias and Sparrow, whereby technology may only develop in such a way as to rule out, sooner or later, human control and understanding of machines’ activities. In her view, artificial agents do not necessarily have to “be designed so that no human can understand or control what they do”: they can also be conceived of in a fully transparent way or, still, so as to keep human control only “on certain aspects or levels of the machine behaviour”.15 But is that possible for AWS? Supporters of autonomy in weapons systems would answer this question in the affirmative. Some of them, mostly lawyers, simply assume that AWS will behave predictably without much bothering to examine why it would.16 Others take pains to explain how unpredictability can be avoided by design. This is the case of Ronald Arkin, who excludes that future AWS could use

 Ibid., p. 182.  Sparrow (2007). 13  Ibid., p. 70. 14  For an overview, see Johnson (2014), pp. 709–710. 15  Ibid., p. 714. 16  See, e.g., Reitinger (2015–2016), pp. 116–118. 11 12

Who Is to Blame for Autonomous Weapons Systems’ Misdoings?

215

artificial neural networks precisely because that would hinder the transparency and the predictability of the system.17 Contrary to these views, it is our contention that, while design choices (like that propounded by Arkin) may have a role in reducing the overall unpredictability of the AWS’ behaviour, they will never eliminate it completely. As aptly noted by Tamburrini, the predictability of a machine is not only a function of its algorithms: it largely depends on the environment where the machine is meant to act. In this perspective, an effective way to prevent the machine from acting unpredictably is to structure its operational environment so as to keep out all those factors that are likely to put the machine’s perceptual, cognitive and behavioural capabilities under stress, with the first factor among these being the presence of human beings. This is the reason why industrial robots are normally segregated from human workers or their interactions with humans are strictly regimented.18 Yet, this option is generally unavailable when it comes to AWS, which are specifically intended to operate in deeply unstructured warfare scenarios, where “[e]ach fighting side strives to generate unexpected events that defy the opponent’s predictions”.19 If deployed in warfare scenarios, AWS are hence bound to act unpredictably, no matter how well they are designed. (ii) The “many hands” problem. The expression “many hands problem” was coined by Dennis Thompson, who used it in relation to the dilution of the decision-­ making power among many different officials in public administrations. It refers to the difficulty “to identify who is morally responsible for political [harmful] outcomes”,20 caused by the fact that the “salient and immediate causal antecedents” of an event (i.e., who or what materially caused it) “do not converge with its locus of decision-making” (i.e., who, if anyone, actually wanted it to occur).21 Helen Nissenbaum found this problem to be magnified by the increasing reliance of our society on computer technology. And this for a variety of reasons. Firstly, not only are software systems generally developed by complex organisations (software companies), but they are also normally used in articulated institutional settings (corporations, government agencies). Secondly, software programs are often composed of different modules generally developed by different teams of individuals, different producers or even asynchronously and for different purposes. Thirdly, the most sophisticated programs function as “systems of systems”, namely they work in pair with (or on the top of) other software systems, which may well be produced by different developers, with the risk that unforeseen incompatibilities between them may result in harmful events. Finally, in many cases software programs operate in a  Arkin (2009), p. 108.  Tamburrini (2016), pp. 127–128. 19  Ibid., p. 129. The most notable exception in this respect is provided by autonomous anti-materiel defensive systems, like the Israeli Iron Dome, which operates in sufficiently structured areas preset by military officers on the basis of IHL-informed judgments. See Amoroso and Tamburrini (2017), p. 14. 20  Thompson (1980), p. 905. 21  Nissenbaum (1996), p. 29. 17 18

216

D. Amoroso and B. Giordano

“symbiotic relationship” with kinetical machines, which are in turn designed and manufactured by others. Should something go wrong, it could be tough to ascertain whether this is due to the machine, to the computer system or to a faulty interaction between the two.22 The foregoing analysis is relevant to the discussion on AWS in multiple respects. First of all, the deployment of an AWS presupposes an institutional setting that typically entails the involvement of “many hands”, including “the software programmers, those who build or sell hardware, [the procurement officials], military commanders, subordinates who deploy these systems and political leaders”.23 Moreover, given the extraordinarily demanding tasks they will be required to perform, one can easily foresee that AWS will develop as complex “systems of systems”, programmed and manufactured by joint ventures of private and public companies. Finally, AWS are precisely featured by the “symbiotic relationship” between software programme and kinetic machine that might muddy the waters as to where the fault lies in case of malfunctioning. The many hands problem can be dissected into two aspects. On the one hand, there is the issue of discerning, in a tangle of causal antecedents and loci of decision-­ making, who to blame for the accident. This problem has been described as merely “practical”, in that it makes responsibility ascription difficult, but not impossible, to the extent that the acquisition of more pieces of information should help to find an acceptable solution for it. On the other hand, we have what has been called the “normative or moral problem”, which arises every time collective responsibility for a certain outcome cannot be reduced to full-blown individual responsibility.24 The latter aspect has proven to be more troublesome and has compelled ethicists and legal philosophers to find a way to avoid responsibility gaps. Mark Bovens summarised these attempts by referring to three alternatives to individual accountability, namely (i) corporate accountability; (ii) hierarchical accountability; (iii) collective accountability.25 It is interesting to note that each of these models bears correspondence to international legal doctrines or regimes that will be analysed in the following pages. Notably, the “corporate accountability” model, insofar as it places the blame directly on the organisation as a whole, is mirrored by the regimes of state and corporate responsibility; the “hierarchical accountability” model, which predicates that the blame for the misconduct of a group should be assigned to those who are at the top of its chain of command, has a clear match in the doctrine of superior responsibility; finally, the “collective accountability” model, whereby each member of the group is held personally responsible for the conduct of the organisation as a whole, simply because of his/her membership, is echoed—with some qualifications—by the doctrine of the Joint Criminal Enterprise (JCE).

 Ibid., pp. 29–32.  Report of the Special Rapporteur on extrajudicial, summary or arbitrary executions, Christof Heyns, 9 April 2013, UN Doc. A/HRC/23/47, para. 77. 24  Bovens (1998), pp. 46–47. 25  Ibid., pp. 50–52. 22 23

Who Is to Blame for Autonomous Weapons Systems’ Misdoings?

217

3  Individual Criminal Responsibility Most of scholarly analysis coping with the responsibility gap problem is devoted to the problem of individual criminal responsibility. This might be explained with the widespread (but ultimately wrong) perception that autonomy in weapons systems would solely affect the ascription of responsibility to the individual, while leaving untouched other forms of responsibility, with particular regard to that of the deploying State.26 An academic quest has thus been ushered in to find the most convenient individual(s) to blame in case of civilian casualties provoked by AWS. Lists of candidates for responsibility flourished in scholarly works on the subject, in a bizarre “dance” where potential defendants for AWS-related crimes alternate on the court’s dock. In the following pages, their position will be examined. Our analysis, however, will refrain from using a listing method, but will consider two possible forms of responsibility for AWS-related crimes, namely direct responsibility and superior responsibility. This will assist us in discerning the various problems raised by AWS, without incurring repetition.

3.1  Direct Responsibility Human wickedness in warfare has accustomed us to the worst atrocities. Therefore, it is far from implausible that human agents will use an AWS with the knowledge and intention to commit an international crime (dolus directus), or with the virtual certainty that it will act harmfully (dolus indirectus). Should this happen, AWS would be nothing but a tool in the criminal hands of human agents. This makes responsibility ascription relatively unproblematic, since the agents’ mental state clearly meets the mens rea requirement as it is generally understood in international criminal law. Not only are the harmful events caused by the machine fully within the cognitive domain of the agents concerned, they also constitute the object of the latter’s volition.27 Not all cases of “direct” responsibility for AWS-related crimes are so straightforward, though. Autonomy in weapons systems is likely to raise unprecedented problems of responsibility ascription, as well as to shed new light on long-standing issues. Reference is made, in particular, to (i) the individual criminal responsibility of software developers, (ii) the recurrence of the many hands problems, and (iii) the increased role of dolus eventualis.

 See below Sect. 4.  These are the “easy cases” (Crootof 2016, pp. 1376–1377), which are often relied upon by supporters of AWS to argue that no responsibility gap would ensue from their deployment (Schmitt 2013, pp. 33–34). 26 27

218

D. Amoroso and B. Giordano

(i) The participation to the crime by software developers. To the extent that military technology has been evolving to the point where a software is delegated the critical functions of selecting and engaging enemy targets, a brand-new category of candidates for international criminal responsibility enters the floor: software developers.28 To better grasp the role which software developers might play in the commission of international crimes, it could be useful to analyse two different scenarios. 1. Under the first scenario, upon request by the military, a team of software developers program a class of AWS so that they will target civilian objects along with military objectives with a ratio of 1:15. This is intended to sap the enemy troops’ morale. One of these AWS is subsequently employed to this end, resulting in the bombing of a hospital. 2. Under the second scenario, an unscrupulous arms dealer, eager to exacerbate tensions in conflict-torn regions, bribes the software developers of an AWS employed by peacekeeping forces, to program the latter so that it will attack religious buildings of a certain creed. This criminal plan is completely unbeknownst to the final users of the AWS. These two examples provide a glimpse at possible modes of participation to international crimes by software developers. The first scenario introduces the most likely ground for incriminating software developers, namely purposefully “aiding and abetting” the principal perpetrator(s) by providing the means for commission of a crime.29 This is nothing new, indeed. After all, this situation is not much different from that of the German industrialists found to be guilty for supplying to the S.S. the infamous Zyklon B gas, with the knowledge that it would have been used to exterminate the internees in concentration camps.30 The second scenario, instead, presents elements of novelty. It shows that autonomy in weapons systems might determine a radical shift in the locus of control for targeting decisions. The more weapons systems are endowed with the capability to perform the critical tasks of selecting and engaging targets without human intervention, the less military commanders and operators may be held primarily responsible for targeting decisions. Responsibility, indeed, is going to be shared with, or even wholly owned by, software developers, who might well have greater weight than final users on the way AWS take targeting decisions.31 This is precisely what happens in the second scenario, where software developers—along with the instigator/ inducer arms dealer—would bear responsibility for committing the war crime of intentionally directing attacks against buildings dedicated to religion. It is worthy of note that the crime is here committed “through another person”, namely the unaware and innocent operator of the peacekeeping force, “regardless of whether that other  McFarland and McCormack (2014).  See, e.g., Article 25(c) of the Statute of the International Criminal Court (ICC). 30  British Military Court, Trial of Bruno Tesch et  al., 1–8 March 1946, The UN War Crimes Commission “Law reports of trials of war criminals”, Vol. I (1947), p. 93. 31  McFarland and McCormack (2014), p. 370. 28 29

Who Is to Blame for Autonomous Weapons Systems’ Misdoings?

219

person is criminally responsible”.32 As this scenario illustrates, in other words, AWS technology makes it a concrete possibility to reduce members of military forces to puppets in the hands of war geek-criminals. Ascription of responsibility to software developers is not bereft of difficulties. The contextual element of war crimes, as codified by the Elements of Crimes annexed to the ICC Statute, requires that the criminal conduct must take “place in the context of and [be] associated with an […] armed conflict”.33 It has been rightly noted, in this regard, that the development of the software may be finalised well before the beginning of the armed conflict during which the crime is actually perpetrated. Should that happen, prosecution for war crimes could be barred by the impossibility to establish the existence of a contextual connection between the developers’ conduct and the relevant armed conflict.34 Moreover, AWS are going to be developed by “many teams of developers in many organizations working on a multitude of subsystems with complex interdependencies”,35 so making it arduous to trace responsibility back to individual developers. This leads us again to the “many hands” problem, which we will now focus on. (ii) The “many hands” problem and Joint Criminal Enterprise. As observed above, the emergence of AWS technology may entail the proliferation of “many hands” scenarios, where the high number of people involved in the causal chain makes it difficult, if not impossible, to discern who is/are responsible for AWS-­ related harmful events. This is especially likely to occur during the development phase, when various teams of individuals collectively work on the software that will shape an AWS’ targeting decisions. Let us assume, for instance, that the team of software developers involved in the programming of a war crimes-prone AWS is composed of a large number of individuals (say 60); that most of them do not code criminal instructions, but only those parts of the software that make the AWS operational; and that all team members knew that the AWS is intended for criminal uses, although at varying levels of awareness. Who will be held responsible for the crimes eventually perpetrated through the AWS? On what count? In fact, international criminal law is well acquainted with these kinds of problems. International crimes stand out precisely in that they “connote organized, collective wrongdoing” whose implementation may require complex apparatuses.36 It is no surprise, therefore, that attempts have already been made in international practice to adequately grasp the responsibility of the individuals who, within those apparatuses, somehow contributed to the commission of criminal acts. In this respect, reference should be made—first and foremost—to the doctrine of the Joint Criminal

 Article 25(a) of the ICC Statute.  ICC (2011), pp. 13–43. 34  McFarland and McCormack (2014), pp. 376–378. 35  Ibid., p. 384. 36  van Sliedregt (2012), p. 1174. 32 33

220

D. Amoroso and B. Giordano

Enterprise developed by the International Criminal Tribunal for the former Yugoslavia (ICTY).37 Broadly speaking, the JCE doctrine postulates that when one or more acts are perpetrated by a plurality of individuals in the furtherance of a criminal common plan, all of them should be treated as principal perpetrators, regardless of whether they were physically involved in the commission of the crime(s) and of whether their participation took place through a criminal or a legally neutral act. In its broadest variant (so-called “extended form” or JCE III), the doctrine applies when “one of the perpetrators commits an act which, while outside the common design, was nevertheless a natural and foreseeable consequence of the effecting of that common purpose”.38 Unlike the other forms of JCE, therefore, the mental element required is dolus eventualis: participants are deemed responsible also for crimes that they did not intend to perpetrate, nor were part of the original plan, solely on the grounds that they foresaw and accepted the possibility that those crimes would have been committed. The JCE doctrine would present unique advantages for prosecutors in AWS-­ related criminal cases. On the one hand, once the existence of a common plan is established, the JCE would allow incriminating as principal perpetrators all the software developers who knowingly contributed to the plan, regardless of the (apparently) innocuous character of the part of the software they were tasked to code (e.g., the one concerning AWS’ movements on a rugged terrain). On the other hand, as we will see below, the mental state of those involved in the criminal use of AWS is more likely to be qualified as dolus eventualis, rather than as dolus directus or indirectus. So far, so good. Except that the JCE doctrine, especially in its extended form, happens to be particularly controversial, since it brings imputation of criminal responsibility very close to a criterion of “guilt by association”, in blatant contrast with the principle of culpability.39 In this respect, it is significant that the drafters of the ICC Statute chose to follow a different approach. The main deviations from the JCE model are two. On the one hand, not all participants to the common plan are treated as principal perpetrators, only those who dominate the causal chain of events culminating in the realisation of the common criminal plan and could therefore be qualified as (direct or indirect) co-perpetrators (Article 25(3)(a)). Lower level participants—who may include, to bring the focus back to our subject, most software developers involved in the criminal programming of an AWS—will not be punished as principal perpetrators, but on  ICTY, Prosecutor v. Tadić, IT-94-1, Appeals Judgment, 15 July 1999, paras. 185–229. The JCE doctrine has been subsequently endorsed by the International Criminal Tribunal for Rwanda (see below footnote 43), the Special Court for Sierra Leone (Prosecutor v. Kondewa, No. SCSL-0312-PT, Decision and Order on Defence Preliminary Motion for Defects in the Form of the Indictment, 27 November 2003, para. 9) and the East Timorese Special Panel for Serious Crimes (Prosecutor v. Perreira, No. 34/2003, Judgment, 27 April 2005, pp. 19–20). 38  International Criminal Tribunal for Rwanda, Prosecutor v. Ntakirutimana et  al., ICTR-96-17, Appeals Judgment, 13 December 2004, para. 465. 39  See, e.g., Badar (2006), who wittingly dubbed the doctrine as “Just Convict Everyone”. 37

Who Is to Blame for Autonomous Weapons Systems’ Misdoings?

221

the basis of an “accessorial” common purpose liability (Article 25(3)(d)). On the other hand, the ICC Statute does not envisage dolus eventualis as a culpable state of mind.40 This aspect, which has important backlashes on AWS-related responsibility issues, will now be addressed. (iii) Limited predictability of AWS and the role of dolus eventualis. Until now, we have assumed that the human agent wilfully and knowingly caused a harmful event through the AWS, or was at least virtually certain that such an event would have occurred. As AWS will be endowed with broader and broader operational discretion, this is going to be the exception rather than the rule. In most cases the human agent will not be able to foresee with certainty what the machine is going to do, with inevitable repercussions on his/her mental state in relation to the harmful event. Consider the case where an AWS operator does not intend to move an attack against civilians, nor he/she knows that this will naturally flow from the course of action undertaken; but merely accepts that something wrong could happen (dolus eventualis). This, more tenuous, volitional relationship between action and event does not have a clear status under international criminal law, especially with regard to targeting decisions. On the one side, the ICTY proved ready to accept dolus eventualis as a culpable state of mind in relation to the war crime of intentionally directing an attack against the civilian population,41 basing itself on the ICRC’s reading of the notion of “wilfully […] making the civilian population or individual civilians the object of attack” under Article 85 of the First Additional Protocol to the Geneva Conventions (API).42 On the other side, the drafters of the ICC Statute did not include dolus eventualis in the general description of the mental element of the crime under Article 30. Such a fragmented legal framework led Paola Gaeta to suggest, with specific regard to AWS’ misdoings, that war crimes committed with dolus eventualis, while falling outside the jurisdiction of the ICC, could be tried before national courts, which remain obliged to punish the “grave breaches” of the Protocol by Article 85 of API.43 The problem with this view is that it takes for granted the extensive interpretation of Article 85 provided by the ICTY and the ICRC. In fact, this reading is far from solidly grounded in international practice and raises hardly surmountable logical problems.44 To say the least, if the mere acceptance of the risk of civilian casualties equated to an intentional attack against the civilian population, collateral damage should always be deemed unlawful, regardless of whether it is “excessive” under the

 Article 30 of the ICC Statute.  Prosecutor v. Galić, IT-98-29-T, Trial Judgment, 5 December 2003, paras. 57–58. The Trial Chamber uses, quite interchangeably, the civil law notion of dolus eventualis and the common law one of “recklessness”, although only the former can be properly characterized as a form of intent. 42  ICRC (1987), p. 994. 43  Gaeta (2016), p. 45. 44  Ohlin (2013). 40 41

222

D. Amoroso and B. Giordano

principle of proportionality.45 Perhaps, that would be a step forward in the protection of civilians. But this is simply not how things stand in IHL. The foregoing flags a warning sign concerning individual responsibility for AWS-related crimes. Autonomy in weapons systems will increase the incidence of cases where the human agent can at best formulate probability assessments as to what the weapon will actually do in the theatre of war. This is likely to create serious hurdles for responsibility ascription, given that both international criminal law and international humanitarian law fail to recognise mere risk acceptance, or dolus eventualis, as a culpable state of mind in relation to direct responsibility for targeting decisions. Awareness of this problem led many authors to look at the doctrine of superior responsibility, and in particular at the lower mens rea required thereby, as an alternative route to establish individual responsibility. The viability of this alternative will be examined in the next sub-paragraph.

3.2  Superior Responsibility In the literature dealing with the responsibility problems posed by AWS, a fair amount of attention has been paid to the possibility of applying the doctrine of command responsibility to the officer who ordered their deployment on the battlefield.46 According to the authoritative definition provided by the ICRC, the doctrine of superior responsibility dictates that: [c]ommanders and other superiors are criminally responsible for war crimes committed by their subordinates if they knew, or had reason to know, that the subordinates were about to commit or were committing such crimes and did not take all necessary and reasonable measures in their power to prevent their commission, or if such crimes had been committed, to punish the persons responsible.47

Reliance on this doctrine signals a shift in the way AWS are conceptualised. AWS are no longer considered as tools in the hands of human agents, being instead treated as soldiers, whose misdemeanours may trigger their superiors’ responsibility. Sci-fi fascinations aside, what makes the doctrine of command responsibility a good candidate for filling the AWS-related accountability gap is its lower mens rea requirement. As the formula “knew, or had reason to know” makes clear, indeed, the responsibility of the commander is triggered also in cases of conscious disregard of the risk that a crime is going to be perpetrated—a mental state that is even lower than dolus eventualis, namely recklessness. This doctrine, therefore, would render it possible to incriminate the commander who deployed an AWS in circumstances

 Ibid., p. 113.  See, e.g., Reitinger (2015–2016), pp. 110–115; Schmitt (2013), p. 33; Margulies (2017). 47  ICRC (2005), p. 558. 45 46

Who Is to Blame for Autonomous Weapons Systems’ Misdoings?

223

where it may behave harmfully, even if there is no virtual certainty that it will happen. In fact, the application of the doctrine of command responsibility in relation to AWS is hindered by a number of problems. On a formal level, it should not be overlooked that the doctrine, at least as it currently stands, refers to human-to-human relationships. This means that its application to AWS is possible solely at the cost of an interpretation by analogy, which is generally prohibited under international criminal law.48 A related, and similarly formal problem is the fact that the commander’s responsibility arises only if a veritable crime is perpetrated or attempted by her/his subordinates. Yet, unless one considers the weapon itself to have committed a crime (which sounds simply nonsensical to us), it is well possible that the only culpable conduct is that of the commander who recklessly deployed the AWS eventually resulting in civilian casualties.49 Admittedly, these formal problems could be adequately tackled by updating the doctrine of command responsibility, by way of a reform of the ICC Statute or an ad hoc international treaty, or by modifying State practice (in particular, army manuals, military penal codes) in order to adapt the customary content of the doctrine to the specificities of AWS technology. Even assuming that an international consensus would rapidly grow to this effect, however, a number of substantive problems would still be in place. It should be recalled, in this respect, that the responsibility of the commander does not amount to a form of strict responsibility, but envisages an element of “personal dereliction”,50 which is grounded (i) on the knowledge or, at the very least, the foreseeability of the subordinates’ unlawful behaviour; (ii) on the breach of the duty to prevent and/or to punish such criminal conducts; (iii) on the commander’s attitude to have an impact on his/her subordinates’ behaviour by exercising an effective control over their activities.51 In fact, these tenets are seriously challenged by autonomy in weapons systems. On the one hand, as discussed above, AWS—especially if employed in unstructured environments—are likely to take unforeseeable, harmful courses of action. This would rule out the commander’s fault, thus denying a proper legal basis for incriminating him/her for AWS’ misdoings. One could object, in this respect, that human soldiers are “autonomous” as well, and can act in no less unpredictable ways than AWS, e.g. by disobeying orders.52 Yet, this would totally overlook that, in case of misconduct by human soldiers, the commander may (and indeed must) exercise her or his punitive power over them—an option that is clearly precluded when the “wrongdoer” is an AWS to which “punishment” is a meaningless concept.  Chengeta (2016), p. 31; Geiss and Lahmann (2017), p. 393.  HRW and IHRC (2015), pp. 21–22. 50  US Military Court, Trial of Wilhelm von Leeb et  al. (The German High Command Trial), 30 December 1947–28 October 1948, The UN War Crimes Commission “Law reports of trials of war criminals”, Vol. XII, p. 76. 51  See, generally, Ambos (2013), pp. 197–228. 52  Corn (2016), p. 221. 48 49

224

D. Amoroso and B. Giordano

On the other hand, the requirement of “effective control” is very unlikely to be satisfied in the case of AWS: after all, no longer having to constantly exert human “effective control” is exactly what AWS are all about, and in the great majority of cases their faster-than-human reaction times would make a commander’s intervention impossible.

4  State Responsibility A survey of the scholarly works on AWS shows that the issue of State responsibility has received scant attention, on the grounds that it would be far less problematic than individual criminal responsibility.53 The argument is put forth, in particular, that State responsibility would be simpler to establish because no mental element is required.54 As a consequence, once it is ascertained that an AWS has been deployed by a State organ (or by someone acting on the State’s behalf), State responsibility would automatically ensue for the harm it may cause. Nor, it is added, an unexpected malfunction could be invoked as a force majeure precluding wrongfulness: under the law of State responsibility, force majeure cannot excuse a breach of a peremptory norm of international law, a category that certainly includes fundamental norms of international humanitarian law such as the principles of distinction and proportionality.55 Such an unconditional optimism is utterly unsubstantiated. Specifically, the assumption whereby State responsibility for IHL violations would not require the ascertainment of a mental element is inaccurate. While it is true that “fault” is not viewed as a constitutive element of State responsibility under general international law, it is also quite uncontroversial that the relevance of a culpable mental element may be envisaged by the primary norm whose alleged violation is at stake.56 This is precisely the case of IHL rules. The prohibition to direct an attack against the civilian population, for instance, arguably presupposes an element of intentionality. An attack that, because of an unexpected technical problem, causes unwanted civilian losses does not qualify in itself as a breach of the principle of distinction, because it cannot be said to have been directed against civilians. Therefore, every time the establishment of individual criminal responsibility is hindered by AWS’ unpredictability, State responsibility will be no less problematic.57 State responsibility, in other terms, does not offer a legal panacea to resolve the accountability issues raised by autonomy in weapons systems. Significantly enough, the authors who look more optimist in this respect seemingly conceive the law of

 See, e.g., HRW and IHRC (2015), p. 13.  Gaeta (2016), p. 45. 55  Melzer (2013), p. 40. 56  Conforti (2018), pp. 410–413. 57  For a similar conclusion, see Geiss and Lahmann (2017), pp. 386–387. 53 54

Who Is to Blame for Autonomous Weapons Systems’ Misdoings?

225

State responsibility for internationally wrongful acts as a no-fault liability regime.58 This is wrong de lege lata, as States may escape responsibility if they successfully invoke force majeure to exclude that they acted with fault.59 Yet, the introduction of a strict liability regime for civilian damages—along the lines, for instance, of the 1972 Convention on the International Liability for Damage Caused by Space Objects—undoubtedly constitutes a promising option in a de lege ferenda perspective.60 But what about the law of State responsibility as it currently stands? It would be a mistake to believe that it is of no avail in the quest to close the AWS-related accountability gap. Indeed, while fault is a constitutive element of IHL violations, there is an IHL norm which sets the bar for the mental element at a particularly low level, namely the principle of precaution in attacks, whereby [e]ach party to the conflict must take all feasible precautions in the choice of means and methods of warfare with a view to avoiding, and in any event to minimizing, incidental loss of civilian life, injury to civilians and damage to civilian objects.61

The formula “all feasible precautions” arguably entails a due diligence standard, which may be violated by a negligent62 (or at least reckless)63 conduct. Unlike the doctrine of command responsibility, the principle of precaution does not presuppose the commission of war crimes by human subordinates, but solely refers to “the choice of means and methods of warfare”. This entails that, via the principle of precaution, the negligent (or reckless) deployment of an AWS resulting in civilian losses might trigger State responsibility, even when it is not possible to establish individual criminal responsibility.

5  Corporate Responsibility It has been sometimes suggested that the corporations involved in AWS’ programming and manufacturing could be held liable for their misdoings.64 Such a proposal has been seldom explored in particular depth, though. A more granular analysis is therefore required in order to better grasp the promises and pitfalls of corporate responsibility for AWS’ misdoings. To start with, it is necessary to distinguish three forms of corporate responsibility, namely tort liability for international crimes, product liability and strict liability.

 Hammond (2015) and Crootof (2016).  Conforti (2018), pp. 412–413. 60  In this sense, see Geiss and Lahmann (2017), pp. 390–391. 61  ICRC (2005), p. 56. 62  Ronen (2009), pp. 185–186. 63  Ohlin (2013), pp. 115–116. 64  See, e.g., ICRC (2014), pp. 8, 23 and 47. 58 59

226

D. Amoroso and B. Giordano

5.1  Tort Liability for International Crimes The possibility to hold corporations responsible for international crimes has been at the centre of a broad and well-known academic and jurisprudential debate, which is far from settled and certainly cannot be reproduced here.65 For the sake of the present discussion, therefore, we will assume that corporations can be regarded as recipients of the norms prohibiting international crimes. Given the lack of international forums having jurisdiction over corporate crimes,66 however, we must limit ourselves to gauge this question from the vantage point of national courts, where the issue is likely to be addressed through the lens of tort liability. Reliance on corporate tort liability in cases concerning international crimes committed through AWS would help to reduce the responsibility gap stemming from the “many hands” problem. As we have seen, if the perpetration of an international crime ensues from the joint action of a large number of individuals, e.g. a team of software programmers, it could prove highly challenging to ascertain individual (criminal) responsibility for it, having particular regard to the fault element. If responsibility is traced to the corporation as a whole, instead, these evidentiary and conceptual hurdles could be overcome, by resorting to the “collective knowledge” doctrine that “merely requires that the members of the company had knowledge in the aggregate”.67 In fact, although corporate entities do not have their own conscience, their involvement in the commission of atrocious crimes is often symptomatic “of a systemic issue that proliferates throughout the corporate culture of the organization”.68 Although this is an undoubted advantage, even this path to accountability is strewn with obstacles. To say the least, corporate tort liability for international crimes has been clearly asserted—and not without contestations—only by US courts, on the basis of a very peculiar piece of legislation, the 1789 Alien Tort Statute, and it is far from sure that it will ever develop in other legal systems.69 Furthermore, if the action for damages touches upon the legality (or even the appropriateness) of the military choices by the forum State, the risk is high that the court will decline jurisdiction on the basis of jurisprudential doctrines aimed at insulating issues of defence and foreign affairs from judicial scrutiny (political question, non-­ justiciability, atto politico, acte de gouvernement doctrines). Finally, and more importantly, corporate tort liability for international crimes (and the related “collective knowledge” doctrine), while providing a viable solution to the many hands problem, does not take away from the fact that a criminal mens rea, in the form of  For an overview, see Kaeb (2016).  See, above all, Article 21 of the ICC Statute, which rules out the Court’s jurisdiction over “legal persons”, including corporations. It has been carefully demonstrated (Clapham 2000), however, that this limitation was due to reasons other than the their (alleged) lack of legal personality under international criminal law. 67  See, also for further references, Kaeb (2016), p. 396. 68  Ibid., p. 385. 69  Stephens (2002). 65 66

Who Is to Blame for Autonomous Weapons Systems’ Misdoings?

227

dolus directus or indirectus, should be established. Accordingly, problems stemming from AWS’ inherent unpredictability are left unresolved.

5.2  Product Liability It has been observed that “[p]roduct liability laws are largely untested in robotics”.70 AWS make no exception, indeed, although some have alluded to product liability as a feasible alternative to individual and State responsibility.71 Since the matter is generally governed by domestic law (with the notable exception of European Directive 85/374/EEC),72 a comprehensive exposition of the problem is not practicable here. We will hence limit ourselves to some observations of general character. Despite the undoubted (and sometimes profound) differences in the various legal systems of the world, product liability regimes generally share a plaintiff-friendly nature, in that they set the fault element threshold to a standard of negligence and, in certain hypotheses, shift the burden of proof from the damaged party to the defendant company, which will have to demonstrate the applicability of one of the excuses provided by the law.73 If we consider the above-discussed difficulties concerning the proof of the fault element in AWS-related accidents, it would appear clearly that this feature of product liability regimes is likely to provide a major advantage to the damaged party. This is not the end of the story, though. Even in this case, legal and conceptual hurdles stand in the way of redress for victims. First and foremost, although  the evidentiary regime might be more favourable to the plaintiffs, product liability remains associated with a negligent behaviour by the defendant corporation. However low, this standard requires that the malfunction complained of is at least foreseeable by the manufacturer, the designer or the programmer.74 As repeatedly underlined, however, this is exactly what autonomy in weapons systems is bound to rule out in most cases of harmful events. And in fact some authors came to question the very possibility to characterise robots, including but not limited to AWS, as “products” in a legal sense and, accordingly, to treat their harmful decisions as “defects”. For, to the extent that a robot is endowed with learning capabilities and  Lin (2012), p. 8.  Krishnan (2009), pp. 103–104; NATO JAPCC (2016), pp. 29–30. 72  Quite remarkably, the 1977 European Convention on Products Liability in regard to Personal Injury and Death was signed by only 4 States and ratified by none. 73  See, for instance, American Law Institute 1998, Restatement of the Law, Third, Torts: Products Liability, para. 3 (“Circumstantial Evidence Supporting Inference of Product Defect”). 74  See, e.g., ibid., para. 2(b) (“[A product] is defective in design when the foreseeable risks of harm posed by the product could have been reduced or avoided by the adoption of a reasonable alternative design”); Directive 85/374/EEC, Article 7 (“The producer shall not be liable […] if he proves: […] e) that the state of scientific and technical knowledge at the time when he put the product into circulation was not such as to enable the existence of the defect to be discovered”). 70 71

228

D. Amoroso and B. Giordano

autonomous decision-making power, “it is hardly plausible that [it] was defect; it did what it was supposed to do: It reacted to new inputs and adapted its behaviour – thus the machine is not defective as such.”75 Besides, it is worth recalling that, before the courts of the country that is likely to be the largest producer and user of AWS, i.e. the United States, product liability lawsuits would be inexorably barred due to the so-called “government contractor” defence. Under this doctrine, issued by the US Supreme Court in the Boyle case,76 military contractors are deemed immune from product liability whenever the product at stake (including a weapons system) has been manufactured according to specifications provided or approved by a federal or state government agency—quite a likely occurrence in the case of AWS, due to the delicate and complex activities they are meant to carry out. The scope of this defence, moreover, has been subsequently expanded by federal courts so as to make it applicable in virtually every case concerning AWS’ misdoings. Reference is made to the approach followed by the Court of Appeals for the Ninth Circuit in Koohi v. United States et al., which—remarkably enough—concerned a forerunner of modern AWS, the Aegis air defence system. On that occasion, the Court held this doctrine to shield contractors from claims for damages “arising out of the combatant activities of the military or naval forces […] during time of war”77—basically what AWS are expected to do in the near and mid-future.

5.3  No-Fault Liability The problems emerged above could arguably be fixed by enacting a no-fault liability regime. As is known, the introduction of a regime of this kind might be appropriate when an inquiry as to the fault element is particularly complex.78 Moreover, both at the national and international level there is a tendency to establish regimes of this kind in relation to the performance of activities that may prove particularly dangerous because of their very nature or because of the means normally used to carry them out. No-fault liability is often resorted to, for example, in the field of environmental law.79 One could recall, in this respect, the International Convention on Civil Liability for Oil Pollution Damage (CLC), whose Article III states that: The owner of a ship at the time of an incident […] shall be liable for any pollution damage caused by oil which has escaped or been discharged from the ship as a result of the incident.

 Beck (2015), p. 475.  487 U.S. 500 (1988). 77  976 F.2d 1328 (1992), 1337. 78  See, also for further references, HRW and IHRC (2015), p. 35; Crootof (2016), p. 1395. 79  Kiss and Shelton (2007). 75 76

Who Is to Blame for Autonomous Weapons Systems’ Misdoings?

229

The rationale behind this kind of rule lies in the need to relieve the community from the cost burden of environmental damage, by transferring it to the person or entity taking advantage from the activity that caused it.80 The adoption of such a liability regime would be certainly advisable in relation to the damages caused by AWS.  After all, their use in armed conflicts could be properly characterised as “ultra-hazardous”, as “it involves a risk of serious harm that cannot be eliminated, even if utmost care is exercised”.81 In a de lege ferenda perspective, therefore, one could think of a treaty establishing, along the lines of the CLC, that corporations involved in the development and production of AWS are strictly obliged to compensate the damages caused by them.

6  Concluding Remarks In Furundžija, the ICTY’s Trial Chamber concluded a thorough review of the international legal regime outlawing torture by asserting that “[n]o legal loopholes have been left”.82 Should it have reviewed the legal consequences of AWS’ deployment, it would have surely passed a less enthusiastic judgement. As we attempted to demonstrate, autonomy in weapons systems is likely to magnify the proliferation of legal loopholes, making it difficult—when not impossible—to identify a responsible person or entity in case of harmful events. On the one hand, indeed, the enforcement of individual criminal responsibility would be precluded in a fair number of hypotheses, partly because of technical-legal problems concerning the formulation of international criminal norms (e.g., that on command responsibility), partly because of difficulties inherently related to machines’ autonomous decision-making. On the other hand, individual responsibility gaps cannot be properly filled by State and corporate responsibility, unless a regime of no-fault liability is enacted. In this latter respect, it should be underscored that the adoption of an international regime of no-fault liability for harmful events caused by AWS would fail to provide a wholly satisfactory response to the responsibility problems highlighted above. Those pointing at State and corporate (strict) liability as a potential substitute for individual criminal responsibility seem to consider all these forms of responsibility to be ultimately fungible and replaceable with each other. This assumption, however, completely overlooks the “complementarity” among responsibility regimes, which is rooted in the distinction between the “predominantly reparational aspect of state responsibility and the punitive character of criminal law proceedings against individuals”83 (corporate responsibility is arguably half-way between the two, but a civil liability regime would have a pre-eminently reparational nature).  Ibid., p. 1148.  Crootof (2016), p. 1395. 82  Prosecutor v. Furundžija, IT-95-17/1-T, Trial Judgment, 10 December 1998, para. 146. 83  Bianchi (2009), p. 24. See also Chengeta (2016), pp. 49–50. 80 81

230

D. Amoroso and B. Giordano

Even in case of adoption of an international regime of no-fault liability, therefore, the deployment of AWS would remain problematic insofar as it carries the risk of relegating to a marginal role a “cornerstone” of contemporary international community, viz. the principle of individual criminal responsibility. The foregoing substantiates the case, made by a number of NGOs, scholars and States, for a ban on Autonomous Weapons Systems.84 Admittedly, a comprehensive ban on AWS is made a formidable challenge by the fierce opposition of technologically advanced military powers (first and foremost, the United States and the Russian Federation).85 Far more promising appears the proposal, launched in 2013 by the NGO “Article 36”, to introduce a requirement of meaningful human control (MHC) over all weapons systems.86 Indeed, the notion of MHC is commonly viewed as a viable starting point for regulating autonomous weapons.87 Yet, its precise content is still shrouded in controversy, giving rise to many conflicting interpretations as to what a veritable “meaningful” human control should amount to. The analysis carried out in this Chapter could provide a plausible way forward to solve this challenging problem. To be “meaningful”, indeed, human control over weapons systems should as a minimum ensure that, in case of harmful events, a responsible person is clearly identified. This working hypothesis, which for quite obvious reasons cannot be substantiated here, could certainly represent a solid starting point for research on such a controversial issue and will be necessarily addressed in a different scholarly contribution.88

References Ambos, Kai. 2013. Treatise on International Criminal Law. Volume I: Foundations and General Part. Oxford: Oxford University Press. Amoroso, Daniele, and Guglielmo Tamburrini. 2017. The Ethical and Legal Case Against Autonomy in Weapons Systems. Global Jurist (on-line): 1–20. Arkin, Ronald. 2009. Governing Lethal Behavior in Autonomous Robots. Boca Raton: CRC Press. Badar, Mohamed. 2006. “Just Convict Everyone!” – Joint Perpetration: From Tadić to Stakić and Back Again. International Criminal Law Review 6: 293–302. Beck, Susanne. 2015. The Problem of Ascribing Legal Responsibility in the Case of Robotics. AI & Society 31: 473–481.  See, for references, Amoroso and Tamburrini (2017), pp. 1–2.  On a more optimistic note, it is worth adding that Germany has recently joined the list of countries that will not use AWS. see “German military has no plans to acquire robot weapons”, Reuters (15 February 2018). 86  Article 36, “Killer Robots: UK Government Policy on Fully Autonomous Weapons” (April 2013). 87  United Nations Institute for Disarmament Research, The Weaponization of Increasingly Autonomous Technologies: Considering how Meaningful Human Control Might Move the Discussion Forward, UNIDIR Resources No. 2, 2014. 88  For a first (and admittedly embryonic) attempt to define the MHC requirement on a principled ethical and legal basis, see Amoroso and Tamburrini (2017), pp. 13–14. 84 85

Who Is to Blame for Autonomous Weapons Systems’ Misdoings?

231

Bianchi, Andrea. 2009. State Responsibility and Criminal Liability of Individuals. In The Oxford Companion to International Criminal Justice, ed. Antonio Cassese, 16–24. Oxford: Oxford University Press. Bovens, Mark. 1998. The Quest for Responsibility. Accountability and Citizenship in Complex Organisations. Cambridge: Cambridge University Press. Chengeta, Thompson. 2016. Accountability Gap: Autonomous Weapon Systems and Modes of Responsibility in International Law. Denver Journal of International Law and Policy 45: 1–50. Clapham, Andrew. 2000. The Question of Jurisdiction Under International Criminal Law Over Legal Persons: Lessons from the Rome Conference on the International Criminal Court. In Liability of Multinational Corporations Under International Law, ed. Menno Y.  Kamminga and Saman Zia-Zarifi, 139–195. The Hague: Kluwer Law International. Conforti, Benedetto. 2018. In Diritto internazionale, ed. Massimo Iovane. Napoli: Editoriale Scientifica. Corn, Geoffrey S. 2016. Autonomous Weapons Systems: Managing the Inevitability of “Taking the Man Out of the Loop”. In Autonomous Weapons Systems: Law, Ethics, Policy, ed. Nehal Bhuta et al., 209–242. Cambridge: Cambridge University Press. Crootof, Rebecca. 2016. War Torts: Accountability for Autonomous Weapons. University of Pennsylvania Law Review 164: 1347–1402. Gaeta, Paola. 2016. Autonomous Weapon Systems and the Alleged Responsibility Gap. Speaker’s Summary. In Expert Meeting, Autonomous Weapon Systems Implications of Increasing Autonomy in the Critical Functions of Weapons (Versoix, Switzerland, 15–16 March 2016), ed. ICRC, 44–45. Geneva: ICRC. Geiss, Robin, and Henning Lahmann. 2017. Autonomous Weapons Systems: A Paradigm Shift for the Law of Armed Conflict? In Research Handbook on Remote Warfare, ed. Jens D. Ohlin, 371–404. Cheltenham: Edward Elgar Press. Hammond, Daniel M. 2015. Autonomous Weapons and the Problem of State Accountability. Chicago Journal of International Law 15: 652–687. Human Rights Watch (HRW) and Harvard’s International Human Rights Clinic (IHRC). 2015. Mind the Gap. The Lack of Accountability for Killer Robots. ICC. 2011. Elements of Crimes. ICRC. 1987. In Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949, ed. Yves Sandoz, Christophe Swinarski, and Bruno Zimmermann. Geneva: Martinus Nijhoff. ———. 2005. In Customary International Humanitarian Law, ed. Jean-Marie Henckaerts and Louise Doswald-Beck. Cambridge: Cambridge University Press. ———, ed. 2014. Expert Meeting. Autonomous Weapon Systems. Technical, Military, Legal and Humanitarian Aspects (Geneva, Switzerland, 26 to 28 March 2014). Geneva: ICRC. ———. 2016. Summary Report. In Expert Meeting, Autonomous Weapon Systems Implications of Increasing Autonomy in the Critical Functions of Weapons (Versoix, Switzerland, 15–16 March 2016), ed. ICRC, 7-22. Geneva: ICRC. Johnson, Deborah G. 2014. Technology with No Human Responsibility? Journal of Business Ethics 127: 707–715. Kaeb, Caroline. 2016. The Shifting Sands of Corporate Liability Under International Criminal Law. The George Washington International Law Review 49: 351–403. Kiss, Alex, and Dinah L.  Shelton. 2007. Strict Liability in International Environmental Law. In Law of the Sea, Environmental Law and Settlement of Disputes: Liber Amicorum Judge Thomas A. Mensah, ed. Tafsir Malick Ndiaye and Wolfrum Rüdiger. The Hague: Brill. Krishnan, Armin. 2009. Killer Robots: Legality and Ethicality of Autonomous Weapons. Farnham: Ashgate. Lin, Patrick. 2012. Introduction to Robot Ethics. In Robot Ethics. The Ethical and Social Implications of Robotics, ed. Patrick Lin, Keith Abney, and George A. Bekey, 3–16. Cambridge, MA: MIT Press.

232

D. Amoroso and B. Giordano

Margulies, Peter. 2017. Making Autonomous Weapons Accountable: Command Responsibility for Computer-Guided Lethal Force in Armed Conflicts. In Research Handbook on Remote Warfare, ed. Jens D. Ohlin, 405–442. Cheltenham: Edward Elgar Press. Matthias, Andreas. 2004. The Responsibility Gap: Ascribing Responsibility for the Actions of Learning Automata. Ethics and Information Technology 6: 175–183. McFarland, Tim, and Tim McCormack. 2014. Mind the Gap: Can Developers of Autonomous Weapons Systems Be Liable for War Crimes? International Law Studies 90: 361–385. Melzer, Nils. 2013. Human Rights Implications of the Usage of Drones and Unmanned Robots in Warfare. Bruxelles: EU Directorate-General for External Policies. NATO Joint Air Power Competence Centre (JAPCC). 2016. Future Unmanned System Technologies. Legal and Ethical Implications of Increasing Automation. Kalkar (Germany): JAPCC. Nissenbaum, Helen. 1996. Accountability in a Computerized Society. Science and Engineering Ethics 2: 25–42. Ohlin, Jens D. 2013. Targeting and the Concept of Intent. Michigan Journal of International Law 35: 79–130. Reitinger, Nathan. 2015–2016. Algorithmic Choice and Superior Responsibility: Closing the Gap Between Liability and Lethal Autonomy by Defining the Line Between Actors and Tools. Gonzaga Law Review 51: 79–119. Ronen, Yaël. 2009. Avoid or Compensate? Liability for Incidental Injury to Civilians Inflicted During Armed Conflict. Vanderbilt Journal of Transnational Law 42: 181–225. Schmitt, Michael N. 2013. Autonomous Weapon Systems and International Humanitarian Law: A Reply to the Critics. Harvard National Security Journal Features 1: 1–37. Sparrow, Robert. 2007. Killer Robots. Journal of Applied Philosophy 24: 62–77. Stephens, Beth. 2002. Translating Filártiga: A Comparative and International Law Analysis of Domestic Remedies for International Human Rights Violations. Yale Journal of International Law 27: 1–57. Tamburrini, Guglielmo. 2016. On Banning Autonomous Weapon Systems: From Deontological to Wide Consequentialist Reasons. In Autonomous Weapons Systems: Law, Ethics, Policy, ed. Nehal Bhuta et al., 122–142. Cambridge: Cambridge University Press. Thompson, Dennis F. 1980. Moral Responsibility of Public Officials: The Problem of Many Hands. The American Political Science Review 74: 95–106. van Sliedregt, Elies. 2012. The Curious Case of International Criminal Liability. Journal of International Criminal Justice 10: 1171–1188.

Attribution to State of Cyber Operations Conducted by Non-State Actors François Delerue

Abstract  State-sponsored cyber operations constitute a real challenge for the law of State responsibility. One of the main issues is the impossibility in most cases, at least to date, to identify clearly the perpetrators of cyber operations, either individuals or State agents, and to determine whether their conducts are attributable to States or other subjects of international law. Most cyber operations generally alleged to be state-sponsored have not been clearly attributed to a State yet. International law cannot bring a solution to the technical problem of attribution. However, attribution cannot be limited to its technical aspects. Generally, attribution of cyber conducts has three different dimensions: firstly, the attribution to the machine from which the cyber operation was launched or had transited; secondly, the attribution to the person who conducted the cyber operations; and thirdly, the attribution to an aggregate entity, notably a State. The present Chapter focuses on attribution from an international law perspective, that is to say attribution of a conduct to a State or another subject of international law. More specifically, it focuses on the specific question of attribution of cyber operations conducted by non-state actors under the instructions, direction or control of the State.

1  Introduction Attribution refers to the process of attributing an act or conduct to its perpetrator. In other words, it aims at answering the question “who did it?”. The attribution, also referred to as the imputation, is the legal operation aiming at determining that an act or omission is to be characterized as an act of the State under international law. The State is an abstract entity. Thus, it can only act by the medium of one or more persons, which are considered for the purpose of the attribution to a State as the means

F. Delerue (*) Institut de recherche stratégique de l’École militaire (IRSEM), Paris, France e-mail: [email protected] © Springer Nature Switzerland AG 2019 E. Carpanelli, N. Lazzerini (eds.), Use and Misuse of New Technologies, https://doi.org/10.1007/978-3-030-05648-3_12

233

234

F. Delerue

by which the State acts. State-sponsored cyber operations, generally coined as cyber warfare, constitute a real challenge for international security and international law. One of the main issues is the extreme difficulty and sometimes impossibility, at least to date, of identifying clearly the perpetrators of cyber operations, either private individuals or State agents, and of determining whether their conduct is attributable to States or other subjects of international law. The present Chapter focuses on the attribution process from an international law perspective, and thus aims at answering the question: how to attribute a cyber operation to an alleged sponsoring State? This question is essential as most responses to cyber operations cannot be deployed without attribution. For instance, defensive measures and countermeasures cannot be taken nor can the responsibility of the perpetrating State be invoked without attribution. The identified perpetrator—a machine, a person or a State—will determine the possible technical or legal responses. The process of attribution is at the same time legal, factual and technical.1 There are several dimensions of attribution when it comes to cyber operations that are generally grouped into three categories: firstly, the attribution to the machines from which the cyber operation was prepared, launched or transited; secondly, the attribution to the person who conducted the cyber operations; and thirdly, the attribution to an aggregate entity, usually a State.2 It is, however, important to note that each of these three dimensions is distinct and independent, and it is sometimes possible to identify the responsible State even without any knowledge of the perpetrating machine or individuals involved. Furthermore, before considering the process of attribution, it is necessary to clearly identify the cyber operation, its nature and consequences.3 This procedure is, of course, not limited to cyber operations but rather applies to all investigations. The International Court of Justice (ICJ) highlighted this point in the Nicaragua case, holding that: One of the Court’s chief difficulties in the present case has been the determination of the facts relevant to the dispute. […] Sometimes there is no question, in the sense that it does not appear to be disputed, that an act was done, but there are conflicting reports, or a lack of evidence, as to who did it. The problem is then not the legal process of imputing the act to a particular State for the purpose of establishing responsibility, but the prior process of tracing material proof of the identity of the perpetrator. The occurrence of the act itself may, however, have been shrouded in secrecy. In the latter case, the Court has had to endeavour first to establish what actually happened, before entering on the next stage of considering whether the act (if proven) was imputable to the State to which it has been attributed.4

 Tsagourias (2012), p. 233; Tait (2016).  Landau and Clark (2010), p. 37; Clark et al. (2014), p. 58; Roscini (2015a), p. 240; republished with minor changes in: Roscini (2015b). 3  Brenner (2007), pp. 380 and 405. 4  ICJ, Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), Merits, 27 June 1986, ICJ Reports 1986, pp. 38–39, para. 57. 1 2

Attribution to State of Cyber Operations Conducted by Non-State Actors

235

The problem of conduct “shrouded in secrecy” is even more relevant in the case of cyber operations. The victim State has first to establish that it is the victim of a cyber operation, and to determine what is actually happening. In the case of Stuxnet, for instance, the premature wear of the centrifuges of the Natanz nuclear facility may have been first attributed to a malfunction or to a defect of the centrifuges rather than to a malware. Identifying the cyber operation and its effect is a preliminary step in the attribution process. The question of the imputation of cyber operations to a State cannot be studied without dealing with questions of the imputation of cyber conduct to computers or individual perpetrators. The attribution to a machine or a person is mainly based on technical and forensics methods, while the attribution to a State is mainly based on international law and factual evidence. It is clear that international law cannot resolve the technical problem of attribution. The attribution of a cyber operation to a State depends on the available factual evidence, and thus it may depend on the identification of the machine or individual responsible. Private individuals, acting alone or in groups, are increasingly involved in State activities. The fact that the acts are conducted from the territory of a State5 or conducted by citizens of a State is not a sufficient reason to attribute these acts to the State.6 In certain circumstances, however, the conduct of individuals is attributable to the State, notably if they act under the instructions, direction or control of the State, if they use public power in the absence or default of the State, and finally if the State endorses a posteriori their conduct. The present Chapter focuses on the specific question of attribution of cyber operations conducted by non-state actors under the instructions, direction or control of the State. The attribution of conduct perpetrated under the instructions, direction or control of a State leads to various interpretations and debates that need to be analysed (Sect. 3) prior to identifying how it would apply in the cyber context (Sect. 4). Before that, it is necessary to distinguish the process of attribution of cyber operations conducted by a de facto organ of a State and the one applying to cyber operations conducted by non-state actors acting under the instructions, direction or control of a State (Sect. 2).

 ICJ, Corfu Channel (United Kingdom of Great Britain and Northern Ireland v. Albania), Judgment on the Merits, 9 April 1949, ICJ Reports 1949, p. 18; De Frouville (2010), p. 261. 6  De Frouville (2010), pp. 261–264.; see also Klabbers (2013), p. 128; ILC (2001), p. 47, commentary to Article 8, para. 1. For instance, in the Tehran Hostage case, the Court did not use the fact that the group of militant students, who occupied the US embassy in Tehran and US consulates in Shiraz and Tabriz, were Iranian citizens in order to attribute their conduct to Iran: ICJ, United States Diplomatic and Consular Staff in Tehran (United States of America v. Iran), Judgment, 24  May 1980, ICJ Reports  1980, pp.  30–31, paras. 58–60. The Court, however, noted that this “does not mean that Iran is, in consequence, free of any responsibility in regard to those attacks” (ibid., para. 61). 5

236

F. Delerue

2  Distinction Between De facto Organ of the State and Acts Perpetrated Under the Instructions, Direction or Control of the State The situation of acts conducted under the instructions, direction or control of the State is also sometimes labelled as acts of de facto organ of the State,7 but must be distinguished from the situation of de facto organs. The use of the label de facto organs to refer to two different situations is confusing. In the case of a de facto organ of the State, understood as a State organ not qualified as such under municipal law, all the conduct of this de facto organ can be attributed to the State, even if they amount to ultra vires acts. In the present situation, the individuals are not qualified as State organs, and thus not all their acts are attributable to the State; a case-by-case analysis is necessary to determine which acts were actually conducted under the instructions, direction or control of the State and thus attributable to this State. The reasoning of the ICJ in the Bosnian genocide case might be the best illustration of the distinction between these various tests and notions.8 The ICJ followed a three-step reasoning process for the question of the attribution of the Srebrenica Genocide to the Former Republic of Yugoslavia (FRY). Firstly, the Court analysed whether the attribution could be made on the basis of conduct by a de jure state organ of FRY, and came to a negative conclusion.9 Consequently, the Court analysed whether the entities involved in the acts could be considered de facto organs of the FRY, using the “complete dependence” test, and also here concluded negatively.10 It was then clear that the Srebrenica genocide had not been perpetrated by any State organ, either de jure or de facto, of the FRY. Finally, the Court analysed whether these entities had acted under instructions, direction or control of the FRY.11 It is this last question—the attribution of acts of entities acting under the instructions, direction or control—which is dealt with in the present Chapter.

 See for instance: De Frouville (2010), pp. 265–271; Palchetti (2010) and Cassese (2007).  ICJ, Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro), Judgment, 26 February 2007, ICJ Reports 2007, p. 207, para. 397. 9  Ibid., paras. 385–389. 10  Ibid., paras. 390–395. 11  Ibid., paras. 396–412. 7 8

Attribution to State of Cyber Operations Conducted by Non-State Actors

237

3  D  iversity of Approaches on the Attribution of Acts Conducted Under the Instructions, Direction or Control of the State The ICJ, the International Criminal Tribunal for the Former Yugoslavia (ICTY) and the International Law Commission (ILC) have followed different approaches on the attribution of conduct of non-state actors acting under the direction, instructions or control of a State, which are analysed in the present section.

3.1  The ICJ’s Nicaragua Case and the “Effective Control” Test In the Nicaragua case, the ICJ applied two different tests to assess the degree of control of a State over a non-state actor: the “strict control” test and the “effective control” test. The first determines whether the non-state actor is a de facto organ of the State. The second, the “effective control” test, is a subsidiary test when the agency relationship of the first test cannot be proven.12 The “effective control” test is generally considered to be a stricter approach for the purpose of the attribution of acts conducted by non-state actors under the instructions, direction or control of the State. These two tests have, however, two different objectives: the first one aims to qualify a person or a group as a de facto organ and attribute all their acts to the State; the second one aims not to determine an agency relationship but only to attribute some acts on a casuistic basis when these specific acts are conducted under sufficient control from the State.13 The present subsection summarizes the Nicaragua case and describes how the Court developed the effective control test, which has been confirmed by the ICJ in its subsequent jurisprudence.14 The Nicaragua case before the ICJ arose from the activities of the Contras, a movement of guerrilla insurgency initiated in 1981 against the Sandinista government of Nicaragua. The Contras were funded and assisted, covertly and overtly, by the United States. The Court found, inter alia, that the United States violated their obligations under customary international law to not intervene in the affairs of another State, to not use force against another State, and to not violate the sovereignty of another State. In this case, the Court had to deal with the attribution question to determine whether the acts of the non-state actors supported by the United States were attributable to this State. It distinguished two situations arising from the facts of the case:  Milanovic (2006), pp. 577, 583; Talmon (2009), p. 502.  See, however, the contrary view expressed in Cassese (2007), p. 650. 14  The Court followed the same reasoning in two steps, first the “strict control test” and second the “effective control test” in both Armed Activities (Judgment) cit.; and Bosnian genocide (Judgment) cit. 12 13

238

F. Delerue

firstly, persons supported, financed and armed by a State organ and acting under its control; secondly, persons armed and financed by a State but retaining a certain degree of independence in the conduct of their operations, as in the case of the Contras.15 The ICJ had to first deal with a series of events not conducted by the Contras, but which Nicaragua alleged to be the direct action of either US military personnel or UCLAs.16 These events, such as the mining of Nicaraguan ports or waters, involved, so Nicaragua claimed, the responsibility of the United States “in a more direct manner”.17 The Court focusing on some incidents established that: Although it is not proved that any United States military personnel took a direct part in the operations, agents of the United States participated in the planning, direction, support and execution of the operations.18

Consequently, it appears that the participation of the agents of a State in the “planning, direction, support and execution” of acts is enough to hold this State responsible for these acts. Secondly, the Court had to determine whether all the conducts of the Contras were attributable to the United States. The Court started by analyzing whether the US was responsible for all acts of the Contras. The ICJ answered negatively, as it found that the Contras were not an organ of the United States.19 The Court based its reasoning on the ‘complete dependence’ test, also called the ‘strict control’ test. As the Contras were not an organ of the United States, the ICJ further enquired whether some of their acts were, nonetheless, attributable to the US. Indeed, the acts of non-state actors might be attributed to a State if they are conducted under a sufficient degree of control by this State. For this purpose, the Court then used the subsidiary ‘effective control’ test, used by the ICJ when the requirements of the strict control test are not fulfilled.20 This test does not seek to qualify a person or a group as the organ of a State, but rather to determine if a single act has been conducted under the effective control of a State and is thus attributable to this State. For the effective control test, a general degree of control or dependence of the group is insufficient; it is necessary to prove the effective control over each specific act concerned.21 In the case under discussion, the Court had to determine whether the United States had effective control of the military or paramilitary operations of the Contras involving violations of human rights and humanitarian law. If so, then this would  Cassese (2007), pp. 642–655.  “UCLA” stands for “Unilaterally Controlled Latino Assets” and refers to “persons of the nationality of unidentified Latin American countries, paid by, and acting on the direct instructions of, United States military or intelligence personnel”. This acronym borrowed from the CIA’s vocabulary was used by the ICJ in the Nicaragua case, Nicaragua (Merits) cit., para. 75. 17  Ibid. 18  Ibid., para 86. 19  Ibid., paras. 109–110, 115. 20  Milanovic (2006), p. 577; Talmon (2009), p. 502. 21  Talmon (2009), p. 502; Álvarez Ortega (2015), p. 11. 15 16

Attribution to State of Cyber Operations Conducted by Non-State Actors

239

give rise to legal responsibility on the part of the United States.22 The ICJ answered negatively, ruling that these violations of human rights and humanitarian law were the acts of the Contras that were not imputable to the United States.23 To be imputable to the United States, this State should have “directed or enforced the perpetration of the acts contrary to human rights and humanitarian law alleged by the applicant State”24 which was not the case in this instance. Antonio Cassese commented on these two criteria of direction as follows: It seems clear from these words that by ‘effective control’ the Court intended either (1) the issuance of directions to the contras by the US concerning specific operations (indiscriminate killing of civilians, etc.), that is to say, the ordering of those operations by the US, or (2) the enforcement by the US of each specific operation of the contras, namely forcefully making the rebels carry out those specific operations.25

In relation to the acts of the Contras, the ICJ had to deal with the attribution question a third and last time. Nicaragua claimed that the United States had violated the prohibition of the use of force by being engaged in the “recruiting, training, arming, equipping, financing, supplying and otherwise encouraging, supporting, aiding, and directing military and paramilitary actions in and against Nicaragua”.26 In order to answer this claim, the Court had to determine whether the “recruiting, training, arming, equipping, financing, supplying and otherwise encouraging, supporting, aiding and directing” were sufficient conditions to render the acts attributable to the United States. The ICJ was ultimately asked to analyse whether the acts constituted a use or threat of force. The Court had to first determine whether the acts were attributable to a State, and then analyse if they constituted a violation of the prohibition of the use of force by this State. The ICJ distinguished two forms of support and ruled that the arming and training of a guerrilla group engaged in hostilities against another State could be defined as a threat or use of force, whereas the mere supplying of funds to this group could not: In the view of the Court, while the arming and training of the contras can certainly be said to involve the threat or use of force against Nicaragua, this is not necessarily so in respect of all the assistance given by the United States Government. In particular, the Court considers that the mere supply of funds to the contras, while undoubtedly an act of intervention in the internal affairs of Nicaragua, as will be explained below, does not in itself amount to a use of force.27

 Nicaragua (Merits) cit., para. 115.  Ibid., para. 116. The Court found, however, the United States responsible for their own conduct in relation to the Contras, constituting violations of the principle of non-intervention and of the sovereignty of Nicaragua. Ibid., pp. 146–147, holdings paras. 3 and 5. 24  Nicaragua (Merits) cit., paras. 109–110, 115. 25  Cassese (2007), p. 653. 26  ICJ, Application of the Republic of Nicaragua, Application instituting proceedings, case concerning military and paramilitary activities in and against Nicaragua (Nicaragua v. United States of America) (filed in the registry of the International Court of Justice on 9 April 1984), p. 16, para. 26. 27  Nicaragua (Merits) cit., para. 228. 22 23

240

F. Delerue

The Court found that the US was responsible for their “arming and training” and, thus, their actions constituted an unlawful use of force by this State. To conclude on the Nicaragua case, the “effective control” test developed by the Court is generally considered as a strict standard.28 The reasoning developed along two tracks—firstly analyzing the “strict control” test and secondly applying the subsidiary “effective control” test—and it has been reused by the ICJ in its subsequent cases dealing with attribution of non-state actors’ acts to a State.29 The approach developed in the Nicaragua case was also the basis of the ICTY’s reasoning in the Tadić case,30 which will be developed in the following paragraphs.

3.2  The ICTY’s Tadić Case and the “Overall Control” Test In the Tadić case, the Appeals Chamber of the ICTY adopted another approach called the “overall control” test.31 This approach is generally considered to be looser and more flexible than the “effective control” test developed by the ICJ in the Nicaragua case.32 The ICTY had to determine whether the conduct of a non-state actor was attributable to a State. The question was, however, not to determine the responsibility of a State for its conduct, but to identify the applicable law by determining whether an armed conflict was of an international or a non-international character.33 This  Klabbers (2013), p. 129.  Armed Activities (Judgment) cit.; Bosnian genocide (Judgment) cit. 30  ICTY, Trial Chamber, Prosecutor v Dusko Tadić (Trial Judgement), Judgment of 7 May 1997, IT-94-1-T; ICTY, Appeals Chamber, Prosecutor vs Dusko Tadić (Judgment), Judgment of 15 July 1999, IT-94-1-A. 31  ICTY, Tadić (Appeals Chamber), cit.; for the purpose of this Section we focus on the Appeal Chamber decision, the question of attribution has also been dealt with in the first instance of the case: ICTY, Tadić (Trial Judgement) cit. 32  ICTY, Appeals Chamber, Prosecutor v. Zlatko Aleksovski, IT-95-14/1-A, Judgment of 24 March 2000 57, para. 145; ICTY, Appeals Chamber, Prosecutor v. Zenjnil Delalić Zdravko Musić also known as ‘PAVO’ and Hazim Delić Esad Landzo also known as ‘ZENGA’ (Čelebići Camp) (Appeal Judgement), Judgment of 20 February 2001, Case No. IT-96-21-A 8, para. 20; ICTY, Trial Chamber, The Prosecutor v Dario Kordić & Mario Čerkez (Judgment), IT-95-14/2-T, Judgment of 26 February 2001, 32, para. 112. See also Shaw (2014), p. 575; Klabbers (2013), p. 129. 33  ICTY, Tadić (Appeals Chamber) cit., pp. 43–42, para. 104; (“What is at issue is not the distinction between the two classes of responsibility. What is at issue is a preliminary question: that of the conditions on which under international law an individual may be held to act as a de facto organ of a State. Logically these conditions must be the same both in the case: (i) where the court’s task is to ascertain whether an act performed by an individual may be attributed to a State, thereby generating the international responsibility of that State; and (ii) where the court must instead determine whether individuals are acting as de facto State officials, thereby rendering the conflict international and thus setting the necessary precondition for the ‘grave breaches’ regime to apply. In both cases, what is at issue is not the distinction between State responsibility and individual criminal responsibility. Rather, the question is that of establishing the criteria for the legal imputability to a State of acts performed by individuals not having the status of State officials. In the one case 28 29

Attribution to State of Cyber Operations Conducted by Non-State Actors

241

d­ ivergence of objectives is one of the main bases for criticism of the approach adopted by the Appeals Chamber of the ICTY in the Tadić case.34 In this case, the ICTY tried Duško Tadić, a Bosnian Serb, for numerous offences committed during 1992 at the Omarska, Keraterm, and Trnopolje camps, and other locations in the Prijedor municipality in Bosnia-Herzegovina. After the takeover of Prijedor and the attack launched against the town of Kozarac in 1992, non-Serb civilians were detained in these camps, where they were mistreated, sexually assaulted, tortured, and killed. The Second Trial Chamber, and then the Appeals Chamber, had to determine whether the acts of Duško Tadić were in violation of Article 2 of the ICTY Statute.35 This Article concerns “Grave breaches of the Geneva Conventions of 1949”, and thus conducts during an armed conflict of an international character.36 An international armed conflict existed between Bosnia-Herzegovina and the FRY until 19 May 1992, when the Yugoslav People’s Army withdrew from the former’s territory.37 The Chamber thus had to determine whether after this date—that is when the examined conducts took place—the armed conflict was still of an international character or had taken on a non-international character. The Chamber famously ruled that “an armed conflict is international if it takes place between two or more States”,38 and thus it had to determine whether the Bosnian Serb forces were de facto organs of FRY.39 The Appeals Chamber decided to rely on the rule of State responsibility to examine the “notion of control by a State over individuals” acting as de facto organs, as

these acts, if they prove to be attributable to a State, will give rise to the international responsibility of that State; in the other case, they will ensure that the armed conflict must be classified as international”). 34  It was for instance the case in the analysis made by the ICJ: Bosnian genocide (Judgment) cit., para. 405. 35  Statute of the International Tribunal for the Prosecution of Persons Responsible for Serious Violations of International Humanitarian Law Committed in the Territory of the Former Yugoslavia since 1991 (adopted by UNSC Res 827 (1993) of 25 May 1993 amended by UNSC Res 1166 (1998) of 13 May 1998, Res 1329 (2000) of 30 November 2000, Res 1411 (2002) of 17 May 2002 and Res 1431 (2002) of 14 August 2002), Article 2 “Grave breaches of the Geneva Conventions of 1949”: “The International Tribunal shall have the power to prosecute persons committing or ordering to be committed grave breaches of the Geneva Conventions of 12 August 1949, namely the following acts against persons or property protected under the provisions of the relevant Geneva Convention: (a) wilful killing; (b) torture or inhuman treatment, including biological experiments; (c) wilfully causing great suffering or serious injury to body or health; (d) extensive destruction and appropriation of property, not justified by military necessity and carried out unlawfully and wantonly; (e) compelling a prisoner of war or a civilian to serve in the forces of a hostile power; (f) wilfully depriving a prisoner of war or a civilian of the rights of fair and regular trial; (g) unlawful deportation or transfer or unlawful confinement of a civilian; (h) taking civilians as hostages”. 36  ICTY, Tadić (Appeals Chamber) cit., para 80(i). 37  Ibid., para. 86. 38  Ibid., para. 84. 39  Ibid., para. 87.

242

F. Delerue

IHL does not deal with this question.40 The Chamber conducted an extensive and critical analysis of the approach adopted by the ICJ in the Nicaragua case.41 The Chamber noted, however, that it does not hold the Nicaragua test to be “persuasive”,42 because it considers it to be, on the one hand, “unconvincing” on the grounds of “the very logic of the entire system of international law on State responsibility”,43 and, on the other hand, “at variance with international judicial and State practice”.44 It seems, however, that the Appeals Chamber based its analysis on a wrong interpretation of the effective control test of the Nicaragua case.45 The ICTY refers notably to various cases to support this assertion: the Stepens case before the Mexico-United States General Claims Commission,46 the Yeager case of the Iran-United States Claims Tribunal,47 the Loizidou v. Turkey case before the European Court of Human Rights,48 and finally the Jorgić case before the Oberlandesgericht of Düsseldorf.49 Some authors have, however, challenged the Chamber’s reading of these cases, and do not support its approach.50 Ultimately, the Chamber decided to adopt its own approach, diverging from that of the ICJ.51 The Chamber examined the rationale of attribution to a State of the acts of private individuals and noted that “States are not allowed, on the one hand, to act de facto through individuals and on the other to disassociate themselves from such conduct when these individuals breach international law”.52 In the determination of the necessary degree of control for attribution, the Chamber ruled that it may vary according to the factual circumstances and the nature of the relationship. The

 Ibid., para. 98.  Ibid., para 99 ff.; see also Cassese (2007), pp. 653–655; Milanovic (2006), pp. 579–580. 42  ICTY, Tadić (Appeals Chamber) cit., para 115. 43  Ibid., para 116. 44  Ibid., para 124. 45  ICTY, Trial Chamber, Prosecutor v Dusko Tadić (Trial Judgement), Judgment of 7 May 1997, IT-94-1-T ‘Separate and Dissenting Opinion of Judge Mcdonald Regarding the Applicability of Article 2 of the Statute’, p.  288; De Hoogh (2002), p.  290; Milanovic (2006), p.  581; Talmon (2009), p. 507. 46  Mexico-United States General Claims Commission, Charles S. Stephens and Bowman Stephens (U.S.A.) v. United Mexican States, Judgment of 15 July 1927, RIAA 4, pp. 266–267; cited in ICTY, Tadić (Appeals Chamber) cit., p. 51, para 125. 47  Iran-US CTR, Yeager v. The Islamic Republic of Iran, Judgment of 2 November 1987, Iran-US CTR p. 17, p. 92; cited in: ICTY, Tadić (Appeals Chamber) cit., pp. 52–53, paras. 126–127. 48  Loizidou v. Turkey (Application No. 15318/89), ECtHR[GC], Judgment of 18 December 1996, cited in: ICTY, Tadić (Appeals Chamber) cit., p. 54, para. 128. 49  ICTY, Tadić (Appeals Chamber) cit., p. 54, para. 129. 50  Milanovic (2006), pp.  585–587. Antonio Cassese, who acted as a judge in the Tadić case, answered the critics of Marko Milanović in an article: Cassese (2007), p. 658, footnote 17. Antonio Cassese also argued that the approach developed in the Tadić case has been adopted in subsequent international cases and practice: ibid., pp. 659–661, especially footnotes 18–19. 51  See generally the analysis in Mahiou (2009), pp. 433–435. 52  ICTY, Tadić (Appeals Chamber) cit., para 117. 40 41

Attribution to State of Cyber Operations Conducted by Non-State Actors

243

Chamber thus distinguished between two degrees of control: “private individuals” and “organized and hierarchically structured groups”.53 In the case of private individuals, to attribute an act to a State it is necessary to prove that this State gave specific instructions for the performance of this very act.54 The “specific instruction” test applies to both individuals and unorganized military groups.55 As observed by Antonio Cassese, “this was clearly the ‘effective control’ test set out by the ICJ in Nicaragua”.56 Conversely, in the case of organized and hierarchically structured groups, the Chamber adopted the “overall control” test, which differs from the Nicaragua case “effective control” test. Once it has been established that a State has overall control of an organized group, there is no need to analyse each specific act to render them attributable to the State.57 The effective control test is fulfilled if the State has equipped, financed, trained or provided operational support to the group; the overall control test integrates looser forms of control such as coordinating and helping in general in the planning of military or paramilitary activity.58 There are two parts in the test developed by the ICTY: on the one hand, “[t]he provision of financial and training assistance, military equipment and operational support”; and on the other hand, “[p]articipation in the organisation, coordination or planning of military operations”. This has been confirmed in subsequent jurisprudence of the ICTY.59 The ICTY confirmed, nevertheless, that the mere provision of assistance, be this military, economic or any other form, is not sufficient.60 The Appeals Chamber found that the conduct of the armed forces of the Republika Srpska was attributable to the FRY, and thus that the conflict was of an international character.61 This finding reverses that of the Trial Chamber, which applied the “effective control” test enunciated in the Nicaragua case by the ICJ and found that it was not a de facto organ and thus that the conflict was not of an international character.62 It appears that there has been a misunderstanding between the ICTY and the ICJ. The ICJ in the Nicaragua case developed two tests: the “strict control” test for  Ibid., para. 117; for a comprehensive analysis see Cassese (2007), pp. 655–663.  ICTY, Tadić (Appeals Chamber) cit., paras. 118–119. 55  Ibid., para. 141. 56  Cassese (2007), p. 657. 57  ICTY, Tadić (Appeals Chamber) cit., para. 120. 58  Ibid., paras. 131 and 137. See generally Cassese (2007), p. 657; Talmon (2009), pp. 506–507. 59  ICTY, Kordić & Čerkez (Trial Judgment) cit., para 115; ICTY, Trial Chamber, Prosecutor V. Mladen Naletilić, aka “Tuta” and Vinko Martinović, aka “Štela”, IT-98-34-T, Judgment of 31 March 2003, para. 198; ICTY, Appeals Chamber, The Prosecutor v Dario Kordić & Mario Čerkez, IT-95-14/2-A, Judgment of 17 December 2004, para. 361. 60  ICTY, Tadić (Appeals Chamber) cit., paras. 131 and 137; ICTY, Čelebići (Appeal Judgement) cit., para 15. See also Talmon (2009), p. 506. 61  ICTY, Tadić (Appeals Chamber) cit., para. 162. 62  ICTY, Tadić (Trial Judgement) cit., para. 607. 53 54

244

F. Delerue

the determination of agency relationship (as in Article 4 of the Articles on State Responsibility), and the ‘effective control’ test for the attribution of some acts when the agency relationship was not proven (as in Article 8). Thus, the second test, the effective control test, is not aimed at qualifying a de facto organ of a State.63 The ICTY focused on the question of agency relationship and thus misinterpreted the “effective control” test and used it in the wrong context.64 The “overall control” test developed by the ICTY focuses, indeed, on the same situation as the “strict control” test developed in the Nicaragua case, the determination of agency relationship, and not on situation where this test has already been answered negatively as for the effective control test of the ICJ. This confusion has, however, misled both the ICJ and the ILC, which refers to the “overall control” test in the context of Article 8 of the Articles on State Responsibility (attribution when the agency relationship was not proven),65 and not in the context of Article 4 (agency relationship test) as it should be.66 This confusion and its consequences necessitate an analysis of the “overall control” test in the context of both the determination of an agency relationship and the attribution of some acts when the agency relationship was not proven.67

3.3  The ILC Articles on Responsibility of States The ILC Articles on State Responsibility also deal with the attribution of acts to a State for the purpose of State responsibility. Article 8, “Conduct directed or controlled by a State”, reads: The conduct of a person or group of persons shall be considered an act of a State under international law if the person or group of persons is in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct.68

The three alternative criteria of “instructions”, “direction”, and “control” of the ILC differ from the Nicaragua and Tadić tests. The ILC’s approach seems less

 Bosnian genocide (Judgment) cit., para. 397.  ICTY, Trial Chamber, Prosecutor v Dusko Tadić (Trial Judgement), Judgment of 7 May 1997, IT-94-1-T ‘Separate and Dissenting Opinion of Judge Mcdonald Regarding the Applicability of Article 2 of the Statute’, p.  288; see also De Hoogh (2002), p.  290; Milanovic (2006), p.  581; Griebel and Plücken (2008), pp. 612–613; Talmon (2009), p. 507. 65  Bosnian genocide (Judgment) cit., para. 406; ILC (2001), p. 48, commentary to Article 8, para. 5. 66  Kreß (2001), p. 131; Talmon (2009), pp. 506–507. 67  The literature on cyber operations and international law has also mislead by this confusion: Schmitt (2013), p. 32, commentary to Rule 6, para. 10; Woltag (2014), pp. 89–91. 68   Articles on Responsibility of States for Internationally Wrongful Acts (adopted by the International Law Commission at its 53rd session in 2001, annexed to General Assembly resolution 56/83 of 12 December 2001, and corrected by document A/56/49(Vol I)/Corr4), Article 8. 63 64

Attribution to State of Cyber Operations Conducted by Non-State Actors

245

restrictive than the approach followed by the ICJ,69 and has been considered as “a good compromise, in the sense that it is sufficiently vague to allow different interpretations”.70 It appears, however, that the ILC favoured the “effective control” test of the ICJ over the “overall control” test of the ICTY.71 It must be noted that the ILC did not follow the distinction between, on the one hand, single individuals and unorganized groups, and on the other hand, organized groups, developed by the ICTY.  Its approach applies, without distinction, to any individuals or groups.72 The ILC adopted the three disjunctive and alternative criteria of “instructions”, “direction” and “control”.73 These criteria can actually be aligned in two categories, as noted in the Commentary to the Articles on State Responsibility: “[t]he first involves private persons acting on the instructions of the State in carrying out the wrongful conduct. The second deals with a more general situation where private individuals act under the State’s direction or control”.74 The instruction criterion is clearly the “effective control” and “specific instruction” tests developed by the ICJ and the ICTY. The direction and control criteria go beyond the ICJ’s approach but are not as broad as the ICTY’s overall control test. The degree of direction and control required depend on the facts of the complained conduct, and therefore need to be determined on a casuistic basis.

3.4  The Armed Activities and Bosnian Genocide Cases: Restating the “Effective Control” Test After the Tadić case of the ICTY and the adoption of the 2001 ILC Articles on State Responsibility, the ICJ examined this question on two more occasions: firstly, in 2005 in the Armed Activities case and; secondly, in 2007 in the Bosnian Genocide case.75 In both cases, the ICJ based its reasoning on the Articles on State Responsibility, and reused the “effective control” test previously developed by the ICJ in the Nicaragua case.

 Francioni (2011), p. 103; Milanovic (2009), pp. 309–310.  De Frouville (2010), p. 271; see however Cassese (2007), pp. 663–665. 71  Milanovic (2006), p. 583. 72  ILC (2001), p. 49, commentary to Article 8, para. 9. 73  Ibid., p. 48, commentary to Article 8, para. 7. 74  Ibid., p. 47, commentary to Article 8, para. 1. 75  Armed Activities (Judgment) cit.; Bosnian genocide (Judgment) cit. 69 70

246

F. Delerue

3.4.1  The Armed Activities Case In the Armed Activities case, the ICJ had to determine whether the conduct of the Congo Liberation Movement (MLC) was attributable to Uganda. In this case, only one paragraph deals with the question of attribution and the Court did not elaborate to any great extent on this question.76 The Court followed the same reasoning as in the Nicaragua case, analysing successively the two main aspects of attribution. Firstly, it analysed whether the MLC could be considered an organ of Uganda or an entity exercising elements of governmental authority on its behalf, on the basis of Articles 4 and 5 of the Articles on State Responsibility. The first aspect being negative, it then looked at whether the conduct of the MLC was on the instructions of, or under the direction or control of Uganda, on the basis of Article 8 of the Articles on State Responsibility. The Court answered negatively to both questions and concluded that the conduct of the MLC could not be attributed to Uganda.77 In the context of the present study, the interest of this case is limited, as the Court did not develop to a large extent the question of attribution. It is, however, important to note that it analysed the attribution question without using or referring to the approach adopted in the Tadić case. The Court solely referred to its previous jurisprudence, namely the Nicaragua case. 3.4.2  The Bosnian Genocide Case More recently, in the Bosnian Genocide case, the ICJ again reaffirmed the approach it adopted in the Nicaragua case. In this case, conversely to the Armed Activities case, the Court analysed the approach adopted by the ICTY in the Tadić case. It, however, discarded the overall control test and referred back to the effective control, previously used by the ICJ.78 In this case, the Court had to determine whether the massacres perpetrated at Srebrenica were attributable to Serbia and Montenegro.79 The Court determined that only the massacres committed by the Army of the Republika Srpska (VRS) at Srebrenica constituted acts of genocide in violation of the Genocide Convention.80 It had then to determine if these acts of the VRS were attributable to Serbia and Montenegro, the respondent in the case, and thus if this State was responsible for them. The Court noted on the attribution question that: This question has in fact two aspects, which the Court must consider separately. First, it should be ascertained whether the acts committed at Srebrenica were perpetrated by organs  Armed Activities (Judgment) cit., para. 160.  Ibid., para. 161. 78  Bosnian genocide (Judgment) cit., paras. 406–407; Abass (2007), p. 890; Griebel and Plücken (2008), pp. 606–611. 79  On the question of attribution in the Bosnian Genocide case, see generally: Griebel and Plücken (2008) and Milanovic (2009). 80  Bosnian genocide (Judgment) cit., paras. 297 and 376. 76 77

Attribution to State of Cyber Operations Conducted by Non-State Actors

247

of the Respondent, i.e., by persons or entities whose conduct is necessarily attributable to it, because they are in fact the instruments of its action. Next, if the preceding question is answered in the negative, it should be ascertained whether the acts in question were committed by persons who, while not organs of the Respondent, did nevertheless act on the instructions of, or under the direction or control of, the Respondent.81

The Court analysed first whether the VRS was a de jure organ of Serbia and Montenegro, and answered negatively.82 As pointed out above, it also considered whether it constituted a de facto organ of this State applying the “complete dependence” test developed in the Nicaragua case,83 and again answered negatively.84 As the VRS was neither a de jure nor a de facto organ of Serbia and Montenegro, the Court analysed whether the VRS was acting on the instructions of, or under the direction or control of, this State.85 The Court based its analysis on Article 8 of the Articles on State Responsibility,86 which enshrines the applicable norm of customary international law. The Court analysed the “overall control” test developed in the Tadić case, and found that the: logic does not require the same test to be adopted in resolving the two issues, which are very different in nature: the degree and nature of a State’s involvement in an armed conflict on another State’s territory which is required for the conflict to be characterized as international, can very well, and without logical inconsistency, differ from the degree and nature of involvement required to give rise to that State’s responsibility for a specific act committed in the course of the conflict.87

Moreover, the Court criticized the approach followed by the ICTY by saying that: It must next be noted that the “overall control” test has the major drawback of broadening the scope of State responsibility well beyond the fundamental principle governing the law of international responsibility: a State is responsible only for its own conduct, that is to say the conduct of persons acting, on whatever basis, on its behalf.88

Consequently, the ICJ did not follow the “overall control” test, but decided to return to the approach it developed in the Nicaragua case: the “effective control” test. In this respect, the Court noted that “it is on the basis of its settled jurisprudence that the Court will determine whether the Respondent has incurred responsibility

 Ibid., para. 384.  Ibid., paras. 385–389. 83  Nicaragua (Merits) cit., paras. 109–110. 84  Bosnian genocide (Judgment) cit., paras. 390–395. 85  Ibid., para. 397; the analysis of the question of attribution on the basis of direction or control is dealt with at paras. 396–412. 86  Ibid., para. 397; see the critical analysis of the reasoning of the Court on Article 8 of the Articles on State Responsibility in: Griebel and Plücken (2008). Marco Milanović criticized the interpretation made by these authors in Milanovic (2009). 87  Bosnian genocide (Judgment) cit., para. 405. 88  Ibid., para. 406. 81 82

248

F. Delerue

under the rule of customary international law set out in Article 8 of the Articles on State Responsibility”.89 It concludes that there is not a sufficient factual basis to establish that the acts were conducted under the direction or control of the FRY.90

3.5  Analysing and Navigating the Various Approaches The previous sections have described the various approaches adopted by the ICJ, the ICTY, and the ILC. These different approaches can be summarized as follows: any act conducted by any single individual, unorganized group or organized group under the specific instructions of a State for the perpetration of this very act, is attributable to this State; the ICJ, the ICTY and the ILC agreed on this point. This is the “effective control” test adopted by the ICJ and the “specific instructions” test adopted by the ICTY. Conversely, the situation is more complicated when it comes to acts conducted without the specific instructions of a State. The three juridical institutions adopted divergent approaches. For the ICJ, the lack of effective control prevents the attribution of the conduct to a State, whether perpetrated by single individuals, unorganized groups or organized groups. In such circumstances, the ICTY determines whether the acts are conducted by organized armed groups, or, instead, by single individuals or unorganized groups. In the first scenario, an overall control over the organized group perpetrating the conduct is sufficient to attribute it to the State according to the ICTY; this is the overall control test developed in the Tadić case. Conversely, in the second scenario, an act perpetrated by single individuals or unorganized groups cannot be attributed to the State without its specific instruction; this complies with the ICJ approach. The ILC seems to lean towards the second approach by using the alternative criteria of direction and control.91 It does not distinguish between conduct that is perpetrated by a single individual, an unorganized group or an organized group. Having a certain degree of control or direction over the perpetrator in relation to the conduct would be enough to attribute the conduct to the State.

 Ibid., para. 407.  Ibid., para. 412. 91  ILC (2001), pp. 47–49, commentary to Article 8. 89 90

Attribution to State of Cyber Operations Conducted by Non-State Actors

249

4  Applying the Various Approaches to Cyber Operations State-sponsored cyber operations are often conducted by non-state actors. This situation triggers the question of attribution, and in particular how to attribute their conduct to the State. First of all, it is undisputed that the rules on State responsibility governing attribution apply to cyber conduct.92 Cyber operations, and more generally the ubiquitous character of the Internet, appear to be particularly challenging for the existing rules governing the law of State responsibility, and in particular attribution. I assert that, in some cases, the degree of control required by the ICJ might amount to a too high threshold to be applicable and relevant to the use of new technology.93 We should also be wary, nevertheless, of lowering the threshold too significantly. Reflection is thus needed in order to define the most appropriate threshold to cater for attribution in cases of cyber operations. The following paragraphs discuss the two principal reasons for this approach; the first concerns the use of the Internet in general, not solely concerned with cyber operations, and the second centres on cyber operations. Firstly, the Internet offers the easiest way to coordinate activity with a lesser degree of organization. The cyber operations conducted in 1998 by various actors in support of the Zapatista Army of National Liberation (ZANL) clearly illustrate this point. The Electronic Disturbance Theater (EDT), a group of cyber activists established in 1997 in the United States, and the Anonymous Digital Coalition (ADC), a group of political activists from Italy, conducted cyber operations against the US and Mexican governments in support of the ZANL. They did not only conducted these operations but they also designed them, made an online tool (FloodNet) available to conduct them, and called on any interested individuals to participate in their online actions. These actions were well coordinated with a low degree of organization. In a similar manner, the actions of Anonymous show how an unorganized group is able to conduct widespread coordinated cyber operations; the same can be said of the Russian Business Network.94 These examples do not directly concern the question of whether the acts of non-­ state actors are attributable to a State. However, a State could just as easily coordinate cyber operations, and involve non-state actors in these actions, without necessarily having a very high degree of control over them. The State might then have a sufficient degree of control to achieve its goals without the risk of being held legally responsible for these acts, given the very high threshold that is required for attribution. Secondly, cyber operations offer an easy means to act and to incentivize others to act. For instance, standard “arming and training” means the physical delivery of weapons and the sending of agents to train the individuals on how to use these  Shackelford (2009), p.  27; Schmitt (2013), pp.  29–34, commentary to Rule 6, paras. 1–14; Woltag (2014), pp. 87–94; Roscini (2010), p. 100. 93  Shackelford (2009), p. 203; Woltag (2014), p. 91. 94  Roscini (2010), pp. 100–101; Woltag (2014), pp. 90–93. 92

250

F. Delerue

weapons. In cyberspace, the same objective can be achieved much more easily. Would posting online of a ready-to-use malware, or software, for the conduct of cyber operations, such as FloodNet, amount to “arming” the final users? This crude comparison between real arming and training and cyber arming and training might seem far-fetched, but the end result could easily be the same. Similarly, “training” might be carried out through online instructions. This example illustrates how analogous situations in the real world and in cyberspace might end up having divergent legal qualifications and effects. Finally, the lack of cooperation between States is an important challenge for the question of attribution involving any kind of cyber operation, and a fortiori when it involves alleged state-sponsored ones. In most cases, the necessary information and evidence required to identify the computers and human involved, as well as any sponsoring State, might be located in a foreign country. The identification and attribution processes depend on the good will and cooperation of the foreign State. In the case of Estonia, for instance, the country made unsuccessful requests seeking Russia’s legal cooperation to assist with the identification of the perpetrators of the 2007 cyber attacks.95 Unsurprisingly, no Russian perpetrators were thus identified, and the only perpetrator identified was an Estonian, Dmitri Galuškevitš, who acted from Estonia’s territory. Estonian authorities were able to gather evidence that led to his identification and conviction.96 The lack of cooperation constitutes an important challenge for the attribution of cyber operations. To give a concrete illustration of the application of attribution in the realm of cyberspace where a State directs or controls individuals, we will now consider its application in the context of the 2007 cyber operations against Estonia.

4.1  2007 Estonia DDoS Attacks The Estonian government accused Russia of being behind the 2007 cyber operations, but admitted that they had no actual evidence to prove Russia’s involvement.97 However, members of a Russian movement acknowledged their involvement: Russia has consistently denied any involvement. Yesterday, however, Konstantin Goloskokov, a ‘commissar’ in the youth group [Nashi], which works for the Kremlin, told the Financial Times that he and some associates had launched the attack, which appears to be the first time anyone has claimed responsibility.98

 Tikk and Kaska (2010).  Harju County Court (Estonia), Dmitri Galuškevitš, No. 1-07-15185, Judgment of 13 December 2007; Lindau (2012) and Ottis (2008). 97  RIA Novosti (2007). 98  Clover (2009). 95 96

Attribution to State of Cyber Operations Conducted by Non-State Actors

251

Moreover, Sergei Markov, a member of the Russian Parliament, confirmed that his assistant had carried out cyber operations against Estonia.99 Dmitri Galuškevitš, a 20-year-old Estonian from the Russian minority, has been the only perpetrator identified and convicted for the cyber operations that blocked the website of the Estonian Reform Party.100 The following paragraphs will not discuss the question of the veracity of this claim, or the legal characterization of these cyber operations. The analysis will solely focus on establishing the necessary conditions to attribute these cyber operations by non-state actors to Russia. I will first briefly restate the facts. The cyber operations against Estonia can be divided into two phases: the first phase was predominantly “emotionally motivated” and took place from 27 to 29 April 2007; the second phase was more coordinated and sophisticated and lasted from 30 April to 18 May 2007.101 The first phase consisted mainly of Denial of Service (DoS) attacks against governmental and media websites, coordinated through various online forums and chats. The second phase consisted in more coordinated and sophisticated cyber operations that had more harmful consequences. In the DoS attacks that were replaced by sophisticated DDoS attacks using large-scale and sophisticated botnets, the perpetrators rendered the question of attribution more difficult by using proxy servers in various countries and spoofing their IP addresses. In addition to DoS and DDoS attacks, cyber operations also took the form of defacement, targeting websites and comments, and email spamming. The following deductive reasoning is based on the limited facts and information made publicly available and does not thus constitute a comprehensive or final analysis of the case. It seems clear that most of these cyber operations were carried out by non-state actors, supporting the Russian minority living in Estonia. A natural question to ask is: what degree of control would Russia have had to exercise over these cyber operations in order to be held responsible? The cyber operations seem to have been coordinated through various online chats and forums. Consequently, the non-state perpetrators appear to be disorganized, and therefore do not constitute a single organized group. Instead, the perpetrators seem to be overwhelmingly single individuals or unorganized groups that decided to conduct cyber operations in support of a cause, which led them to collect information on the targets and develop means to conduct the online cyber operations. If this were the case, it would be difficult to say that any one individual had effective control over all the cyber operations, and thus a fortiori to claim a State was exercising such control. This is a general conclusion given the nature and the variety of actors involved in these cyber operations. It does not preclude the consideration that some of those involved might have actually acted on the specific instructions from Russia.  Radio Free Europe/Radio Liberty (2009).  BBC (2008). 101  Tikk et al. (2010). 99

100

252

F. Delerue

Consequently, it appears that the ICJ would clearly find that these cyber operations were not attributable to Russia because the effective control test would fail to be satisfied. The State obviously exercised a lesser degree of control than in the case where the State arms and trains, or even funds, the group. The ICTY would adopt the same approach concerning single individuals and unorganized groups. The first alternative criterion of “instruction”, formulated by the ILC, would clearly not be satisfied. Two possible grounds for attribution remain unresolved: the attribution to organized groups on the basis of the “overall control” test of the ICTY, and the criteria of direction and control set down by the ILC. Concerning the overall control test, it encompasses a wider degree of control over the group without requiring specific instructions for each individual act; it could, for instance, refer to no more than funding. As noted already, we cannot axiomatically maintain that these perpetrators constitute an organized group; however, some of them might have belonged to organized groups. It seems that even in such a scenario, the degree of control is still too trivial. Indeed, even if Russia was actually behind some of the forums or chats inciting people to perpetrate these cyber operations, which it must be pointed out has not been established to date, and subsequently gave instructions on how to carry these acts, this form of control or direction appears to be clearly below the threshold of the “overall control” test and the ILC criteria. As mentioned already, this analysis does not provide a comprehensive or final answer to the question of attribution concerning the cyber operations that were perpetrated against Estonia. It demonstrates, however, that even if more information and evidence were available, the attribution to Russia would be extremely difficult to establish under international law. The degree of control necessary to encourage non-state actors to conduct cyber operations can, as has already pointed out, be particularly low. If States increasingly rely on cyber operations and ultimately a case is brought before an international court or tribunal, it seems plausible that the judges would ask the question whether a lower threshold should be necessary, or at least conceivable, in such scenarios. However, it is important to not lose sight of the risk of lowering the threshold too low, which would open the floodgates to excessively loose criteria for attribution that would result in misinterpretation and mistaken attribution.

4.2  Private Cybersecurity Companies The conduct of private cybersecurity companies can be attributed to a State on various grounds, notably if they are de facto organs of a State or permitted to exercise governmental authority. In such cases, all their acts are attributed to the State even if they are ultra vires. Most private cybersecurity companies may, however, fall outside these categories and thus their acts would not be automatically attributable to the State. When they are not de facto organs, some of their acts would be

Attribution to State of Cyber Operations Conducted by Non-State Actors

253

attributable if they are exercised under a certain degree of control of the State, as described above. The question of private cybersecurity companies can be studied in conjunction with the broader notion of Private Military and Security Companies (PMSCs). PMSCs are increasingly employed by States to conduct functions previously exercised by armed forces, raising many legal questions.102 On the attribution of PMSCs’ conduct to a State, the “effective control” test of the ICJ seems too restrictive. The “overall control” test of the ICTY seems conversely more appropriate. These problems have been raised by Francesco Francioni, who highlighted these two tests in the context of State’s recourse to PMSCs: Under the Nicaragua test, a PMSC would engage the home state liability for a violation of human rights only if it was proved that, in conducting the specific activity which infringed a human right, the company or its employees were acting under the effective control of the home state. Under the Tadić test – also known as the Cassese test – it is sufficient that the home state maintains a general or ‘overall’ control of a political-military nature over the private military contractors, without being necessary that it has directed the specific commission of the wrongful act by the private actor.103

When recruiting private actors to conduct cyber operations, States may only give instructions about the result while leaving it to the discretion of the private actors to decide on what type of cyber operation to execute. For instance, if a State asks the private actors to conduct cyber operations in order to disrupt and cause physical damage to a nuclear plant in another State, this situation may, according to the “effective control” test, be difficult to attribute to the State, whereas it would be attributable according to the “overall control” test. The alternative criteria of instructions, direction or control, as defined by the ILC, would make such conduct attributable to the hiring State.

5  Conclusive Remarks Cyber operations conducted under the instructions, direction or control of a State may constitute one of the main categories, if not the main category, of State-­ sponsored cyber operations. As exposed in the present Chapter, the current international legal framework is applicable to the cyber realm; however, it is facing two important challenges. Firstly, the diversity of approaches on the attribution of acts conducted under the instructions, direction or control of the State, which may render the attribution process uncertain. Secondly, and most importantly, using overly strict criteria might make the attribution process particularly difficult in practice.

 See generally Lehnardt (2007), Tonkin (2011), Francioni and Ronzitti (2011), Bakker and Sossai (2012) and Tougas (2012). 103  Francioni (2011), p. 102. 102

254

F. Delerue

Acknowledgments  I am grateful to the organisers and participants of the workshop “New Technologies as Shields and Swords: Legal Challenges for International, European, and Domestic Law” organised at the University of Parma on 19-20 June 2017 for the discussion and insightful comments. The views expressed are mine in my personal capacity. All errors and omissions remain of course mine.

References Abass, Ademola. 2007. Proving State Responsibility for Genocide: The ICJ in Bosnia v. Serbia and the International Commission of Inquiry for Darfur. Fordham International Law Journal 31: 871–910. Álvarez Ortega, Elena-Laura. 2015. The Attribution of International Responsibility to a State for Conduct of Private Individuals Within the Territory of Another State. InDret, 1–40 Bakker, Christine, and Mirko Sossai, eds. 2012. Multilevel Regulation of Military and Security Contractors: The Interplay Between International, European and Domestic Norms. Oxford: Hart. BBC. 2008. Estonia Fines Man for “Cyber War”. http://news.bbc.co.uk/2/hi/technology/7208511. stm. Brenner, Susan W. 2007. “At Light Speed”: Attribution and Response to Cybercrime/Terrorism/ Warfare. The Journal of Criminal Law and Criminology 97: 379–475. Cassese, Antonio. 2007. The Nicaragua and Tadić Tests Revisited in Light of the ICJ Judgment on Genocide in Bosnia. European Journal of International Law 18: 649–668. Clark, David, Thomas Berson, and Herbert S. Lin, eds. 2014. At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues. Washington, DC: National Academies Press. Clover, Charles. 2009. Kremlin-Backed Group Behind Estonia Cyber Blitz. Financial Times. http://www.ft.com/cms/s/0/57536d5a-0ddc-11de-8ea3-0000779fd2ac.html#axzz2TBcey8a5. De Frouville, Olivier. 2010. Attribution of Conduct to the State: Private Individuals. In The Law of International Responsibility, ed. Alain Pellet et al., 257–280. Oxford: Oxford University Press. De Hoogh, André. 2002. Articles 4 and 8 of the 2001 ILC Articles on State Responsibility, the Tadić Case and Attribution of Acts of Bosnian Serb Authorities to the Federal Republic of Yugoslavia. British Yearbook of International Law 72: 255–292. Francioni, Francesco. 2011. The Role of the Home State in Ensuring Compliance with Human Rights by Private Military Contractors. In War by Contract: Human Rights, Humanitarian Law, and Private Contractors, ed. Francesco Francioni and Natalino Ronzitti, 93–110. Oxford: Oxford University Press. Francioni, Francesco, and Natalino Ronzitti, eds. 2011. War by Contract: Human Rights, Humanitarian Law, and Private Contractors. Oxford: Oxford University Press. Griebel, Jörn, and Milan Plücken. 2008. New Developments Regarding the Rules of Attribution? The International Court of Justice’s Decision in Bosnia v. Serbia. Leiden Journal of International Law 21: 601–622. International Law Commission (ILC). 2001. Commentary to the Articles on State Responsibility. ILC Yearbook (Part II) 2: 31–143. Klabbers, Jan. 2013. International Law. Cambridge: Cambridge University Press. Kreß, Claus. 2001. L’organe de facto en droit international public: Réflexions sur l’imputation à l’etat de l’acte d’un particulier à la lumière du développements récents. Revue Générale de Droit International Public 105: 93–144. Landau, Susan, and David D. Clark. 2010. Untangling Attribution. In Proceedings of a Workshop on Deterring Cyber Attacks: Informing Strategies and Developing Options for U.S.  Policy, 25–40. Washington, DC: National Academies Press; Committee on Deterring Cyberattacks: Informing Strategies and Developing Options.

Attribution to State of Cyber Operations Conducted by Non-State Actors

255

Lehnardt, Chia. 2007. Private Military Companies and State Responsibility. In From Mercenaries to Market: The Rise and Regulation of Private Military Companies, ed. Simon Chesterman and Chia Lehnardt, 129–157. Oxford: Oxford University Press. Lindau, Katri. 2012. Cyber Security in Estonia: Lessons from the Year 2007 Cyberattack. Tallinn University. Mahiou, Ahmed. 2009. Le droit international ou la dialectique de la rigueur et de la flexibilité: cours général de droit international. Le Recueil des Cours de l'Académie de Droit International de La Haye 337: 9–516. Milanovic, Marko. 2006. State Responsibility for Genocide. European Journal of International Law 17: 553–604. ———. 2009. State Responsibility for Acts of Non-State Actors: A Comment on Griebel and Plücken. Leiden Journal of International Law 22: 307–324. Ottis, Rain. 2008. Analysis of the 2007 Cyber Attacks Against Estonia from the Information Warfare Perspective. In Proceedings of the 7th European Conference on Information Warfare and Security, Plymouth, 163–168. Palchetti, Paolo. 2010. De Facto Organs of a State. Max Planck Encyclopedia of Public International Law. http://opil.ouplaw.com/home/EPIL. Radio Free Europe/Radio Liberty. 2009. Behind The Estonia Cyberattacks. http://www.rferl.org/ content/Behind_The_Estonia_Cyberattacks/1505613.html. RIA Novosti. 2007. Estonia Has No Evidence of Kremlin Involvement in Cyber Attacks. http:// en.ria.ru/world/20070906/76959190.html. Roscini, Marco. 2010. World Wide Warfare  - Jus ad bellum and the Use of Cyber Force. Max Planck Yearbook of United Nations Law 14: 85–130. ———. 2015a. Evidentiary Issues in International Disputes Related to State Responsibility for Cyber Operations. Texas International Law Journal 50: 233–273. ———. 2015b. Evidentiary Issues in International Disputes Related to State Responsibility for Cyber Operations. In Cyber War: Law and Ethics for Virtual Conflicts, ed. Claire Finkelstein, Jens David Ohlin, and Kevin Govern, 215–248. Oxford: Oxford University Press. Schmitt, Michael N., ed. 2013. The Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge: Cambridge University Press. Shackelford, Scott. 2009. From Nuclear War to Net War: Analogizing Cyber Attacks in International Law. British Journal of International Law 27: 192–251. Shaw, Malcolm N. 2014. International Law. 7th ed. Cambridge: Cambridge University Press. Tait, Matt. 2016. On the Need for Official Attribution of Russia’s DNC Hack. Lawfare. www. lawfareblog.com/need-official-attribution-russias-dnc-hack. Talmon, Stefan. 2009. The Responsibility of Outside Powers for Acts of Secessionist Entities. International & Comparative Law Quarterly 58: 493–517. Tikk, Eneken, and Kadri Kaska. 2010. Legal Cooperation to Investigate Cyber Incidents: Estonian Case Study and Lessons. In 9th European Conference on Information Warfare and Security, Thessaloniki, Greece, 288–294. Tikk, Eneken, Kadri Kaska, and Liis Vihul. 2010. International Cyber Incidents: Legal Considerations. NATO Cooperative Cyber Defence Centre of Excellence. http://www.ccdcoe. org/publications/books/legalconsiderations.pdf. Tonkin, Hannah. 2011. State Control Over Private Military and Security Companies in Armed Conflict. Cambridge: Cambridge University Press. Tougas, Marie-Louise. 2012. Droit international, sociétés militaires privées et conflit armé: Entre incertitudes et responsabilités. Bruxelles: Bruylant. Tsagourias, Nicholas. 2012. Cyber Attacks, Self-defence and the Problem of Attribution. Journal of Conflict and Security Law 17: 229–244. Woltag, Johann-Christof. 2014. Cyber Warfare: Military Cross-Border Computer Network Operations Under International Law. Cambridge: Intersentia.

The Use of Unarmed Drones in UN Peacekeeping Operations: Issues of Attribution Martina Buscemi

Abstract  The use of drones is typically associated with targeting strikes. Hence, it comes as no surprise that the debate on the opportunity for the United Nations to make use of this technology is still dominated by concerns on the “killer drones”. This Chapter emphasizes, instead, the magnitude and the crucial importance of the use of unarmed drones by the United Nations in missions conducted under their aegis. In peacekeeping operations in particular, unarmed drones are essential for fulfilling the UN mandate, as they can perform several non-lethal functions (i.e. monitoring, information gathering, surveillance and reconnaissance). However, drones—although unarmed and employed for peaceful purposes—pose a number of legal issues, particularly from the perspective of the protection of human rights and the liability of their operators. An often overlooked question relates to the (mis)use of drones by private actors who have been contracted by the United Nations to remotely operate the vehicles from ground stations and to collect, store and analyse the data thus captured. This issue will be tackled from the perspective of the Draft Articles on the Responsibility of International Organizations with the aim to assess whether private actors operating the drones can be considered as “agents” of the United Nations, thereby directly imputing their potential wrongdoings to the Organization for whom they have been contracted.

1  Introduction and Scope of the Chapter It cannot be denied that the advancement of technology has reshaped the reality of military conflicts by making the “human face” less visible. Today, a cornerstone of the tech-military assets is the Unmanned Aerial Vehicle (UAV)—also known as Remotely Piloted Aircraft (RPA), or more commonly “drone”—which is equipped with sensors and cameras, or even armed with missiles and other weapons. Flown remotely by pilots on ground stations through satellite relays, or autonomously, M. Buscemi (*) University of Florence, Florence, Italy e-mail: [email protected]; [email protected] © Springer Nature Switzerland AG 2019 E. Carpanelli, N. Lazzerini (eds.), Use and Misuse of New Technologies, https://doi.org/10.1007/978-3-030-05648-3_13

257

258

M. Buscemi

UAVs can be used in military operations to perform a wide spectrum of functions: from intelligence and surveillance, to reconnaissance and to striking. The use of UAVs has already engendered several legal—as well as moral—questions, with the scholarship mainly focusing on the controversial practice of targeting killings by armed drones in the so-called “war on terror”.1 As weapon platforms, UAVs have also raised many concerns in the public opinion which perceives the remoteness and distance control under which these instruments operate as factors leading to potential civilian casualties (often labelled as “collateral damage”). On the contrary, little attention has been paid to the deployment of unarmed UAVs (hereinafter UUAVs) by States and International Organizations within the ambit of both military and humanitarian operations. The recent, and increasingly, deployment of UUAVs in United Nations missions breaks new—and underestimated—grounds.2 This Chapter aims to shed some light on (some of) the numerous legal issues surrounding the use of this technology, without discussing the contribution and the strategic value given by drones to peace, security or other UN missions’ objectives. To this end, the Chapter will firstly evaluate the current magnitude of the UN experience with UAVs (Sect. 2)—taking into account their use in both humanitarian actions (Sect. 2.1) and peacekeeping operations (Sect. 2.2)—and it will then look at the UN leading mission in Congo, where some accidents involving drones have recently been reported (Sect. 3). Against this factual background, the Chapter will identify the main legal issues that are posed by the use of drones in this context, focusing on the potential detrimental impact that they could have on human rights (Sect. 4). In this regard, a core question—one that is rarely addressed in legal scholarship—concerns the attribution of wrongdoings to the United Nations in cases when drones are supplied and (mis)used by private contractors (Sect. 5). Lastly, the Chapter will conclude with some final remarks (Sect. 6).

 The debate surrounding the use of “killer drones” in Afghanistan, Yemen, Pakistan and the Sahel is widely covered in the legal literature (see, ex multis, Heyns et  al. 2016, pp.  791–827). The European Parliament, for its part, recently fleshed out its position on the matter in the study “Towards an EU common position on the use of armed drones” conducted by the Directorategeneral for external policies and published in July 2017 (available at www.europarl.europa.eu/ RegData/etudes/STUD/2017/578032/EXPO_STU(2017)578032_EN.pdf). As for the legal hurdles underpinning the claims for reparation of damages caused by drones, see the recent publication of the European Center for Constitutional and Human Rights, “Litigating Drone Strikes. Challenging the Global Network of Remote Killing” (2017). 2  See Sect. 2 below. 1

The Use of Unarmed Drones in UN Peacekeeping Operations: Issues of Attribution

259

2  T  he United Nations and the Use of Drones: From “Drones for Good” to “Drones for Peace” Despite the lack of coverage, the UN’s experience with drones began over a decade ago, although their use has remained confined—for the time being—to the utilization of unarmed drones. In the last decade, UUAVs were deployed in several missions that were conducted under the auspices of the UN’s mandate. Coming with varying size, range and capabilities, the drones that are employed by the Organization are considered to be a crucial asset that is capable of improving UN missions’ capacity to assess needs and to fulfil their mandate—not to mention that the high-­ tech equipment can reduce the Organization’s carbon footprint. The UUAVs’ system is being used primarily in two different actions conducted under the UN flag, each of which will be briefly examined; the employment of armed remote-control aircraft by its Member States in UN authorized missions will be left aside in this discussion.3

2.1  The Use of UUAVs in Humanitarian Actions Today, drone technology is widely considered to be the “game-changer” in humanitarian missions that are conducted by both public and private operators, as it is capable of fostering the humanitarian assistance and the material aid that are provided thereby.4 The establishment of the “Humanitarian UAV Network” clearly exemplifies this trend.5  This latter scenario raises a different question, that is to say whether and to what extent the UN Security Council can lawfully delegate Member States to use force without assuring that the said States make use of weapons that are in accordance with international law standards. This issue— which clearly exceeds the scope of the present study—is addressed from a much broader perspective by Lozanorios (2014), pp. 109–151. 4  UUAVs can perform a large set of arduous civilian tasks, including the following: to reach remote rural areas with inexistent or difficult networks; to capture imageries after natural disasters, thus collecting real-time information which can prompt timely action and prevent other risks; to monitor danger scenarios both at night and during the day, by reporting rapid damage assessments with a view to better organizing emergency responses; to transport and deliver relief items and primary goods, such as foods, water and medical supplies, in a more timely fashion; to bring connectivity to areas with no cell or Wi-Fi signals, by extending Wi-Fi connectivity from the sky to the ground; and many others. 5  With over 3000 members in more than 120 States, the Humanitarian UAV Network is committed “to promote the safe, coordinated and effective use of UAVs for data collection and cargo delivery in a wide range of humanitarian and development settings” (for the background of this initiative see www.uaviators.org/). Interestingly enough, the Network—wherein the UN Office for the Coordination of the Humanitarian Affairs sits as member of the Advisory Board—elaborated a first Code of Conduct for the use of UAVs in humanitarian settings, containing guidelines on data protection and privacy. A presentation on the topic “Humanitarians in the Sky: Using UAVs for Disaster Response” was delivered by the Network in the “Remotely Piloted Aircraft Systems 3

260

M. Buscemi

On their side, the UN humanitarian agencies and programmes are exploring ways to scale-up the use of UAVs and high-tech equipment in aid missions. A recent study undertaken by the United Nations Office for the Coordination of Humanitarian Affairs (OCHA) on “Unmanned Aerial Vehicles in Humanitarian Response” listed a number of potential humanitarian uses for this technology, which included data collection and observation, search and rescue, mapping, logistics and package-­ delivery.6 The UN Children’s Fund (UNICEF) conducted research on the possible use of UUAVs7 and it ultimately decided to deploy them to support the Malawian Government in their response to a recent flood, thus moving away from speculation and towards reality. More recently in 2017, UNICEF launched the First Drone Corridor for UUAVs, in order to test their potential humanitarian and development uses, focusing particularly on their capability to deliver vaccines.8 The UN’s experience with “drones for good” has also involved the International Atomic Energy Agency, which used UAVs to map radiation at Japan’s Fukushima Daiichi nuclear plant that was damaged as a result of the 2011 tsunami.9 The International Organization of Migration, for its part, in the aftermath of several disasters that took place in Haiti (an earthquake, a cholera epidemic and a devastating hurricane), deployed drones in a mapping operation so as to support relief activities and to prevent and reduce disaster risks.10 The same affected Haitian communities were also monitored by drones by the United Nations Institute for Training and Research.11 Moreover, the United Nations Development Program used drones in Mali in order to enable real-time monitoring “to support the activities of humanitarian and development actors in the field”.12

Conference” that was held in Brussels in 2014 (the study can be accessed at the webpage www. irevolutions.org/2014/06/25/humanitarians-in-the-sky/). 6  OCHA Policy Paper, June 2014. 7  Recently, the UNICEF together with the Office of the UN High Commissioner for Refugees (UNHCR) chaired the UN Innovation Network, to share experiences and advance discussions on innovation across UN agencies (www.refugeesmigrants.un.org/ feature-does-drone-technology-hold-promise-un). 8  The corridor launched by the UNICEF together with the Government of Malawi has been “designed to provide a controlled platform for the private sector, universities and other partners to explore how UAVs can be used to help deliver services that will benefit communities” (UNICEF, Stories of Innovation, www.unicefstories.org/2017/06/29/africas-first-humanitarian-drone-testingcorridor-launched-in-malawi-by-government-and-unicef/, 29 June 2017). 9  Information related to public contracts for the supply of UUAVs that have been awarded by the International Atomic Energy Agency can be accessed at www.ungm.org/Public/ContractAward. 10  OCHA Policy Paper cit., p. 7. 11  www.unitar.org/unosat-carries-out-first-uav-mission-iom-haiti. 12  UNDP Innovation Facility-Innovation for the Sustainable Development Goals Build Peaceful Society, Prevent Violent Conflict, 2016, Year in Review, p. 37 (www.undp.org/content/dam/undp/ library/innovation/IF%202015%20Report%20For%20Web%20final(1).pdf).

The Use of Unarmed Drones in UN Peacekeeping Operations: Issues of Attribution

261

2.2  The Use of UUAVs in Peacekeeping Operations The deployment of UUAVs perfectly aligns with the purpose and the ambitions of the United Nations to establish “smart” peacekeeping operations which benefit from innovative and technological assets. In the conflict settings and complex environments where these missions typically take place, UUAVs can perform crucial logistic and support functions (i.e. information-gathering, intelligence services and reconnaissance) so as to deliver, more successfully, the missions’ mandate by enhancing situation awareness. Notably, UUAVs can be used to improve timely decision-making and to develop peace strategies that can be adopted at ground level: for instance, by monitoring armed groups, UUAVs can activate an early warning system, thus preventing conflicts and ensuring the security of both civilians and UN personnel from hostile attacks.13 Moreover, UUAVs, as a “watching” presence, may function as a commanding deterrent for crimes that are committed in such volatile environments. Like “bird eyes” in the sky, UUAVs have already flown over and monitored various troublesome situations. Surveillance drones for protection purposes were used as far back as 2006 within the context of the UN peacekeeping mission in the Democratic Republic of Congo14—although, at that time, the flying cameras were introduced by the Belgian troops as part of the European Force (EUFOR) in support of the UN mission. In 2007, UUAVs were reported to have flown over Haitian airspace in order to drop leaflets informing the population that the United Nations Stabilization Mission in Haiti (MINUSTAH) “did not seek to harm innocent civilians and that UN operations were solely aimed at defeating the gangs”.15 However, it was only in 2013 that the UN Security Council, by adopting resolution 2098 (2013), officially permitted the use of contract UAVs in peacekeeping operations, most notably for the mission established in Congo.16 As has been remarked by  Recently, the Under-Secretary General for Peacekeeping Operations, in a press interview with the Africa Section of the United Nations Department of Public Information, affirmed that “UAVs do a better job in protecting civilians because they provide real-time pictures of situations as they develop on the ground” (www.un.org/africarenewal/web-features/ unmanned-aerial-vehicles-are-effective-protecting-civilians%E2%80%94herv%C3%A9-ladsous). 14  The study “Performance Peacekeeping. The Final Report of the Expert Panel on Technology and Innovation UN Peacekeeping” notes that “[i]n 2006, the European Union Force (EUFOR) flew Belgian B-Hunter UAVs during the tense election period in the DRC. UN personnel were invited to view UAV imagery on large screens in EUFOR headquarters near Kinshasa, but the UN did not have its own data feed” (www.peacekeeping.un.org/sites/default/files/performance-peacekeeping_ expert-panel-on-technology-and-innovation_report_2015.pdf, 22 December 2014, p.  134). Likewise, it was reported that in 2008 a Contributing State brought surveillance drones while participating in the transition process between the EUFOR and UN mission in the Central African Republic (MINURCAT), to protect refugees and IDPs (see in this regard Karlsrud and Rosén 2013, p. 2). 15  The episode is reported in Dorn (2009), p. 816. 16  See Sect. 3 below. 13

262

M. Buscemi

s­ everal authors, this decision marked a significant turning-point in the UN’s peacekeeping policy, since UUAVs—for the first time—were required as a UN mission asset and were not deployed by a Contributing Member State as part of its own equipment.17 One year later, the UN Procurement Division published another expression of interest for the use and provision of UUAVs in support of the peacekeeping operation in Mali.18 In 2015, a group of experts, tasked by the UN UnderSecretary General for Peacekeeping Operations to enquire into the use of innovative technology in UN missions, highly recommended the deployment of this technology.19 The experts concluded that: UN police should make greater use of vehicle and personnel mounted cameras interlinked with shot spotting technology and should be able to easily access and task UAS [unmanned aircraft system] platform such as that deployed in MONUSCO. Mini-or tactical UAVs will measurably aid in regular policing work.20

Interestingly, unarmed drones in the context of UN peacekeeping assets have been used to attain “collateral” achievements in the Host State’s mission. It was reported, for instance, that UUAVs with a UN flag system was successfully used in 2014 for saving lives from a sinking boat in Lake Kivu (Congo)21 and, in 2015, they were used to keep a (flying) eye over on the city of Bangui in the Central African Republic during the Pope’s official visit to the country.22

 Dorn and Webb (2017), p. 413.  Surveillance drones were later engaged in 2016  in the United Nations Multidimensional Integrated Stabilization Mission in Mali (MINUSMA), whose peculiar and innovative mandate has been recently outlined in Pineschi (2018), pp.  5–57. The UN Procurement Division issued a Request for Expression of Interest (EOI) “for the provision of Unmanned Aerial System (UAS) with multiple Unmanned Aerial Vehicles (UAVs) in support of peace-keeping operations in Mali” (www.innercitypress.com/icpeoi9777mali.pdf). A three-year contract was awarded to Thales UK Ltd, a British company, for 61,000,000 dollars (www.un.org/Depts/ptd/contract-awards/hq-Contracts/pdc024515). Moreover, Mali’s UNDP office uses drones and satellite imagery “to enable real-time monitoring to support the activities of humanitarian and development actors in the field, particularly those working on community development for emergency services” (see UNDP Innovation Facility, Innovation for the Sustainable Development Goals, www.undp.org/content/ dam/undp/library/innovation/Version%2024%20web%20friendly%20-%20August%202%20 -%20%20Annual%20Report%202016%20V17.pdf, p. 37). 19  See Performance Peacekeeping. The Final Report of the Expert Panel on Technology and Innovation UN Peacekeeping cit. 20  Ibid., p. 79. 21  The full story is available at www.un.org/apps/news/story.asp?NewsID=47727#.U6CtbPl_tqU. 22  See www.dailymail.co.uk/wires/afp/article-3312855/UN-sends-peacekeepers-drones-C-Africa. html. 17 18

The Use of Unarmed Drones in UN Peacekeeping Operations: Issues of Attribution

263

3  The MONUSCO Experience with UUAVs The United Nations undoubtedly gained its most significant experience with “drones for peace” in the Democratic Republic of the Congo (DRC).23 The UN Mission— established as an observation mission in 1999 and later fostered—was renamed the “UN Organization Stabilization Mission in the Democratic Republic of the Congo” (known by its French acronym as MONUSCO) in 2010, with a more robust mandate “relating, among other things, to the protection of civilians, humanitarian personnel and human rights defenders under imminent threat of physical violence and to support the Government of the DRC in its stabilization and peace consolidation efforts”.24 The operation also supported the “disarmament, demobilization and reintegration” (DDR strategy), with its mandate stepping more in the direction of peace enforcement against local armed groups. In 2012, the Secretary-General, in a letter addressed to the President of the UN Security Council, recalled the need for additional and advanced information collation, analysis and dissemination, through “external imagery/electronic equipment and associated analysis capabilities, notably surveillance capability such as that provided by unmanned aerial systems”.25 The President of the Security Council replied to this point by affirming that the use of UUAVs was “in line with the Secretariat’s intention to use assets to enhance situation awareness […] without prejudice to the ongoing consideration by relevant United Nations bodies of legal, financial and technical implications of the use of unmanned aerial systems”.26 As anticipated, UNSC resolution 2098 (2013), which granted the offensive battalion (“Force Intervention Brigade”) with the mandate of neutralizing armed groups, marked the first official integration of UUAVs in a UN peacekeeping operation.27 Paragraph 12 of the resolution authorized the Force to take all necessary measures to “monitor the implementation of the arms embargo […] and in particular observe and report on flows of military personnel, arms or related materiel across the eastern border of the DRC, including by using surveillance capabilities provided by unmanned aerial system”.28

 According to some authors “[t]here is no doubt that the ‘MONUSCO drones’ represent a defining moment in the history of UN peacekeeping and aerial surveillance” (Karlsrud and Rosén 2013, p. 2). 24  For the background of the UN mission in Congo, see www.monusco.unmissions.org/en/ background. 25  Letter dated 27 December 2012 from the Secretary-General addressed to the President of the Security Council, UN Doc. S/2013/43. 26  Latter dated 22 January 2013 from the President of the Security Council addressed to the Secretary-General, UN Doc. S/2013/44. 27  On the “offensive” feature of the UN peacekeeping in Congo and its consequences as a precedent for future UN missions see Kearney (2016), pp. 100–141. The initial legal issues related to the mission in Congo were addressed by Simmonds (1968). 28  UN Doc. S/RES/2098 (2013), para. 12. 23

264

M. Buscemi

All in all, the UUAVs presence in Congo served as a powerful deterrent force for rebel armed groups,29 thus enhancing the security of both the local civilian population and the UN personnel.30 In this regard, the Organization itself expressed its satisfaction in relation to this experience on several occasions. Firstly, the UN Secretary General remarked the fundamental drones’ function of gathering information on the movement of illegal armed groups and on the identification of ­cross-­border smuggling routes31 was successfully shared with the Armed Forces of DRC.32 Secondly, the Expert Panel on Technology and Innovation in UN Peacekeeping that was appointed by the Under-Secretaries-General affirmed that the deployment of UUAVs in Congo “ha[s] proved immensely useful in expanding the mission’s situational awareness. In short, this was a pioneering and successful step forward in making use of a powerful emerging technology”,33 recommending the use of UAV systems “such as that deployed in MONUSCO”,34 and concluding that “unmanned aerial systems constitute an indispensable source of information and should not only remain part of the peacekeeper’s toolkit, but their use should also be immediately expanded”.35 Thirdly, the majority of UN Member States were generally positive regarding the experience with drones in Congo during a debate that was raised in 2015 by the Special Committee on Peacekeeping Operations on the use of UUAVs to protect peacekeepers—although some delegates expressed concerns over the scaling up of this technology in other peacekeeping contexts.36 Moreover, drones in

 See Andrews (2017), p. 5.  In this latter regard, the New York Times recalled an episode whereby UN personnel were under attack by rebel groups and the use of drones proved to be crucial in preventing it from occurring (see Unarmed Drones in Aid U.N. Peacekeeping Mission in Africa, New York Times, 2 July 2014, the full story can be accessed at www.nytimes.com/2014/07/03/world/africa/unarmed-drones-aidun-peacekeepers-in-africa.html). 31  “Since their operationalization, the unmanned aerial systems have provided MONUSCO with a responsive, controlled and timely source of information, particularly in terms of supplementing the Force’s intelligence, surveillance and reconnaissance efforts against the illegal activities of armed groups” (UN Doc. S/2014/157, para. 43). 32  UN Doc. S/2015/486, 26 June 2015, para. 18. 33  Performance Peacekeeping. The Final Report of the Expert Panel on Technology and Innovation UN Peacekeeping cit., p. 134. 34  Ibid., p. 79. 35  Ibid., p.  54. The Report affirms that “such operational-level assets, such as the system in MONUSCO, provide powerful surveillance and visualizations capabilities in addition to functioning, under the right circumstances, as a commanding deterrent”, thus concluding that “the MONUSCO experience could be replicated in many other missions with requirements for mediumaltitude long-endurance UAVs”. 36  Notably, the delegate from the Russian Federation welcomed the experimental deployment of UAVs in Congo, but noticed that a deeper analysis of the legal, operational and financial consequences was needed (UN Doc. GA/PK/221, 18 February 2015, p.  3, available at www.un.org/ press/en/2015/gapk221.doc.htm). For further considerations on the use of UAVs in peacekeeping operations expressed by UN Member States, see Sect. 4 below, especially footnote 49. 29 30

The Use of Unarmed Drones in UN Peacekeeping Operations: Issues of Attribution

265

Congo have been viewed favourably, thanks to the said positive “collateral” emergency performances, other than their original one.37 However, the MONUSCO experience with drones has been associated not only with successful achievements but also with some minor accidents that have taken place. For instance, in 2006, two Belgian drones, operating in Congo within the framework of the EUFOR and under a UN mandate, went sideways: one was shot down and the other crashed, killing one person and injuring two persons in Kinshasa.38 Recently, a Foreign Policy reporter covered an interesting story concerning a UN drone which took off in a rainstorm and crashed in October 2014 in Nyiragongo, a rural area north of Goma, the capital of Congo’s eastern North Kivu province. The accident resulted in no human casualties. However, due to the burning of the wrecked drone, a field cropped by and an old widow was seriously damaged.39 According to the media, the UN failed to remove the debris from the field for over eight months and eventually they compensated the victim by offering a lump-­ sum of 500 dollars.40 What strikes the attention of the MONUSCO experience is that the drones were not supplied by a State’s contributing troops, but, instead, they were contracted out to specialized private companies.41 Precisely, it was Leonardo S.p.A. (the former Selex Es S.p.A.), part of Finmeccanica, the Italian giant aerospace enterprise, that in December 2013 supplied five aircrafts (named “Falco”),42 with a ground control

 Drones were used for the foregoing rescue of a boat in the Lake Kivu and in assisting an NGO to monitor humanitarian projects (full story is reported at www.monusco.unmissions.org/ node/100043465). See above footnote 21. For an overview of the main goals achieved by UUAVs see Dorn and Webb (2017), p. 414; Morrell Andrews (2017), pp. 4–5. 38  The case was reported by Karlsrud and Rosén (2013), who cited a media source of Washington Post dated October 2006 (www.washingtonpost.com/wp-dyn/content/article/2006/10/03/ AR2006100300778.html) and by Sari and Wessel (2012), p. 23, footnote 126. 39  The full story can be read at www.foreignpolicy.com/2015/09/10/how-a-u-n-drone-crashedin-congo-and-was-promptly-forgotten/. 40  From an exchange of e-mails with the reporter, it emerged that the sum arrived only when an intermediary (a male neighbor from the local community where the victim resided) went to the UN headquarters to fill out a demand for compensation at the UN claims department in Goma. 41  Normally, military air assets are acquired by the United Nations through letter of assists signed with troop-contributing States, whereby assets and services are provided for reimbursement (in this regard see Novosseloff 2017, p. 7, footnote 21). A template of a Letter of Assist signed by the UN and Member States is available at www.cc.unlb.org/COE%20Documents/Letters%20of%20 Assist%20(LOA)/Sample%20LOAs/Sample%20Short-Term%20Air%20Transport%20LOA%20 (As%20at%205%20Mar10).pdf. 42  From the information available on the website of Procurement Division of the United Nations, it can be inferred that Vendor Selex ES S.p.A. (now Leonardo S.p.A.) was awarded the contract to provide unmanned aerial systems from November 2013 to November 2016, for the payment of 50,000 dollars (www.un.org/Depts/ptd/contract-awards/hq-Contracts/pdc010313). This news was also covered by several media outlets, such as the Italian IlSole24Ore (www.ilsole24ore.com/art/ notizie/2013-12-07/i-droni-italiani-falco-azione-congo-172937.shtml?uuid=ABVGmci) and by the New York Times (www.nytimes.com/2014/07/03/world/africa/unarmed-drones-aid-un-peacekeepers-in-africa.html). 37

266

M. Buscemi

station based in Goma43 (which was subsequently relocated to Beni),44 obtaining full operational capability in April 2014.45 Leonardo S.p.A. was also contracted to provide the crew and personnel to fly and manoeuvre the drones, to operate their camera and to analyse the data collected as a result.46 In a nutshell, the private company supplied the Organization not only with goods (the drones), but also with crucial services (manoeuvring and data analysis).

4  L  egal Challenges Posed by the (Mis)Use of UUAVs in UN Peacekeeping Operations Given this factual background, it now appears necessary to address some of the legal challenges surrounding the use of drones within the context of UN peacekeeping operations. From a general standpoint, UUAVs—as is the case with every innovative technology tool—are a double-edged sword from the perspective of the protection of human rights. One dark side of the use of UUAVs relates to the collection, storage and management of the big aerial data that is captured (videos, pictures, etc.). Many concerns have been expressed—and rightly so—over the amount of information that is obtained, since their (mis)use might pose serious challenges to individual human rights, in particular the right to privacy.47 Moreover, the amount of data captured by unarmed drones might also pose a threat to the security of the Host States.48 Unsurprisingly, some UN Member States delegates have expressed concerns that drones’ activity might constitute “meddling” in internal State affairs.49 From this  UN Doc. S/2013/757, 17 December 2013.  UN Doc. S/2014/956, 30 December 2014. 45  UN Doc. S/2014/450, 30 June 2014, para. 75. 46  Leonardo S.p.A. offers its clients a full package of utilities, which includes not only the provision of the goods, but also several associated services (see www.leonardocompany.com/-/ falco-evo-service-monusco). 47  This issue was addressed by Morrell Andrews (2017), p. 7 and by De Pascali (2014), p. 29. The latter author made reference to the UN Policy on Monitoring and Surveillance Technology in Field Missions which, building on the presumption that “[m]onitoring and Surveillance Technology comprises system such as Remotely Piloted Vehicles (RPV)”, states that “[p]rocessed information will be shared within the UN only, including UN HQ. The Head of Mission will decide on the distribution list within the United Nations Country Team (UNCT) based on the ‘need-to-know principle’, and taking into account safety and privacy of individuals” (UN DPKO and DFS Ref. 2010.34, paras. 11 and 23). 48  See Østensen (2011), p.  30. The risk in this regard is that the use of high-tech equipment in peacekeeping operations might result in an illegitimate interference with the internal affairs of a State and that the information gathered can be exploited in other contexts. 49  The delegate from Venezuela questioned the access to the information gathered through drones, the protection of the confidentiality of the information, especially when provided by private companies. Similarly, the delegate from Cuba spoke critically on this subject. The Turkish delegate noted, from a more general standpoint, that UUAVs must be used in line with international law, the Charter of the United Nations and the principle of transparency (see UN Doc. GA/PK/221 cit.). 43 44

The Use of Unarmed Drones in UN Peacekeeping Operations: Issues of Attribution

267

angle, it goes without saying that the UN are obliged to collect and store the big aerial information that is captured by drones in a manner that satisfies data protection standards, and a failure to do so may entail the responsibility of the Organization under international law. In addition to data protection and security issues, another critical aspect of the use of drones in UN peacekeeping operations pertains to individual safety. Since high-tech drones crash with some frequency (as was exemplified by the accident reported in Congo), although serious injuries are less frequent, the liability of operators for damages occurred to persons and property in case of accidents becomes a matter of primary concern.50 However, whilst it is true that drones—as is the case with every vehicle—might become harmful towards individuals and their property, it is more doubtful whether drone-related accidents give rise to the international responsibility of the Organization who deployed them. One standpoint is that a crash involving a UN drone—as a common accident with a UN vehicle—triggers, in the first place, a strict tort liability of the Organization under domestic law. As it is well known, claims of a private law character against the United Nations are typically impeded before domestic judges due to the immunities enjoyed by the Organization. Such claims are typically settled through the internal dispute procedures that are established by the Organizations itself—which thus far have proved to be largely unsatisfactory.51 Conversely, a proper responsibility under international law might only arise when the accident is the consequence of a failure of the operators to exercise due diligence in order to prevent it from occurring. Accordingly, it is reasonable to maintain that the Organization is required—under the positive obligations that stem from human rights—to exercise the necessary due diligence in order to prevent such risks from materializing. This implies a duty to take all the (reasonable) measures to assure that drones fly over the skies in accordance with aviation security and safety

 “The main concern of regulators is safety and liability” (OCHA Report cit., p. 9).  According to Section 29 of the Convention on the Privileges and Immunities of the United Nations “[t]he United Nations shall make provisions for appropriate modes of settlement of: (a) disputes arising out of contracts or other disputes of a private law character to which the United Nations is a party”. The content of the latter provision is indirectly recalled in Article VII of the UN Model Status of Forces Agreement (UN Model SOFA) which affirms that “any dispute or claim of private character to which the operation or any member thereof is a party and over which the courts of [host State] do not have jurisdiction because of any provision of the present Agreement, shall be settled by a standing claims commission to be established for that purpose” (see UN Model Status of Forces Agreement, UN Doc. A/54/595, 9 October 1990, para. 51). However, the permanent standing commission has never come to light. Tort liability disputes are, instead, addressed by local claims review boards established in every peacekeeping operation, with financial and temporal limitations stemming from resolution 52/247 of the General Assembly (UN Doc. A/RES/52/247, 26 June 1998; in this respect see Bodeau-Livinec (2013), Forteau (2013), Palchetti (2015); see also the Secretary-General’s 1996 Peacekeeping Budget Report, UN Doc. A/51/389, 20 September 1996, para. 20 and Administrative and budgetary aspects of the financing of the United Nations peacekeeping operations, UN Doc. A/51/903, 21 May 1997, para. 10). On the shortcomings of these dispute settlement mechanisms see, among many, Dannenbaum (2010) and Boon (2016). 50 51

268

M. Buscemi

standards. Such measures include the adoption, on the one hand, of protocols and regulatory frameworks that are capable of preventing drone-related accidents and, on the other hand, the establishment of claims compensation schemes in case there is a failure to do so. Therefore, should the UN fail to take such preventive and reparative measures, the Organization would be held internationally responsible towards the injured individuals and/or States.52 Besides a finding of responsibility for failing to exercise due diligence, it is possible to conceive that the Organization violates human rights obligations as a result of a conduct that makes use of drone technology. Let us assume, for instance, that flying cameras used in the context of a UN peace-enforcement operation are instrumental for launching an offensive action against an armed group of rebels, who then turn out to be civilians, due to an incorrect analysis of the data captured by the UUAVs system. This hypothetical (mis)use of unarmed drones undoubtedly leads to a violation of human rights, thus giving rise to the international responsibility of the Organization. What is less clear, however, is whether and under what conditions the wrongful act in question can be directly imputable to the Organization, especially when it is originated by an activity (the wrong data analysis) which is performed by private actors. This kind of situation is not entirely unforeseeable, as private companies are increasingly carving out their role in peacekeeping operations as operators of

 Needless to say, the UN, like every International Organization, can be held responsible according to the 2011 Draft Articles on the Responsibility of International Organizations for Wrongful Acts (hereinafter DARIO) when the conduct in question (i) is attributable to the Organization under international law; and (ii) constitutes a breach of an international obligation of that Organization (see Draft Articles on the Responsibility of International Organizations, with commentaries, in Yearbook of the International Law Commission, 2011). Detecting what obligations are breached and who the holder of respective rights is becomes crucial for the purposes of who—between individuals and/or States—the injured party is and who is entitled to the right of reparation; on the much broader debate on the existence of an individual right to reparation see, among many, Pisillo Mazzeschi (1999), and contra Tomuschat (1999)). 52

The Use of Unarmed Drones in UN Peacekeeping Operations: Issues of Attribution

269

UUAVs’ system,53 with the United Nations often contracting out both the production of UUAVs and also the associated crucial services.54 Resorting to private suppliers, instead of obtaining them from Member States through letters of assists, normally implies the establishment of a public procurement procedure and, once the tender is closed, the signing and conclusion of contracts (whether they be short-term or long-term) between the UN and the private companies for the provision of goods (aircrafts and devices) and related services (manoeuvring and data analysis).55 This is, in fact, what precisely occurred in the MONUSCO operation when Leonardo Selex was awarded the contract: as a matter of fact, Leonardo operators—not the peacekeepers or UN experts and analysts— were in charge of manoeuvring the Falco drones from the ground station in Congo and they were also responsible for analysing the data that were collected. Whilst a wrongful use of drones that is directly operated by UN peacekeepers triggers the classical (and thorny) question of the allocation of responsibility between the States contributing troops and/or the Organization, on the basis of the degree of control exercised by these two subjects,56 flying cameras operated by  While the general trend towards the use of private contractors in conflict settings has been already outlined by several authors (see ex multis Francioni and Ronzitti 2011 and Spinedi 2006, pp. 67–103), and is currently under study within the United Nations Human Rights Council (see the HRC open-ended intergovernmental working group to consider the possibility of elaborating an international regulatory framework on the regulation, monitoring and oversight of the activities of private military and security companies), the engagement of private contractors in UN peacekeeping operations performing security and even military functions has been studied only relatively recently (see Pressler 2015, pp. 152–187 and Lilly 2000, pp. 53–62). It is worth noting that the recent Status of Forces Agreement (SOFA) signed between the Organization of the United Nations and the South Sudan included the category of “contractors”, that was not originally envisioned in the 1990 UN Model SOFA, as a subject under the regulation thereby provided. According to this SOFA “contractors means persons, other than members of UNMISS, engaged by the United Nations, including juridical as well as natural persons and their employees and sub-contractors, to perform services for UNMISS and/or to supply equipment, provisions, supplies, materials and other goods including spare parts and means of transport, in support of UNMISS activities” (the text of the Agreement is available at www.un.org/en/peacekeeping/missions/unmiss/documents/ unmiss_sofa_08082011.pdf). 54  See above Sect. 3. Interesting figures on the number of UUAVs supplied to the United Nations by private companies—through public procurement—and by Member Contributing States–through letters of assists—can be accessed in Novosseloff (2017), p.  8. For the purpose of the present analysis, the fact that a portion of the companies’ shares is often held by the States is not relevant, because this circumstance doesn’t imply—per se—that such companies can be considered as “organs” of the States. 55  According to the letter of interests that are normally released by the UN Public Procurement Division, private companies are requested to provide their own staff to “track, control, monitor the drones and provide analysis of data received” (the letter of interests can be accessed at www. unmannedsystems.ca/wp-content/uploads/2016/02/UN-expression-of-interest-UAS-11-Feb-2016. pdf). 56  When wrongdoings in peacekeeping operations are committed by military forces put at the disposal of the Organization by the State contributing troops, it becomes critical to establish whether such conduct is imputable to the sending State and/or to the receiving Organization. The approach adopted by the DARIO—enshrined in Article 7 thereof—relies on the degree of “effective control” 53

270

M. Buscemi

p­ rivate actors pose a completely different legal challenge to the law on international responsibility.

5  A  ttributing the Wrongdoings Committed by Private Actors Operating the Drones to the UN. An Analysis Under the 2011 Draft Articles The question of whether potential wrongdoings committed by the private actors should be attributed (directly) to the Organization cannot but be addressed in light of the DARIO rules of attribution. In our opinion, the answer tends to be positive, considering that private companies operating drones in UN peacekeeping operations fall—under specific conditions—within the notion of “agents” of the Organization that is envisioned in the DARIO. According to Article 6 of the DARIO “[t]he conduct of an organ or agent of an international organization in the performance of functions of that organ or agent shall be considered an act of that organization under international law, whatever position the organ or agent holds in respect of the organization”.57 Article 2 of the DARIO, for its part, makes it clear that the term “agent” refers to “an official or other person or entity, other than an organ, who is charged by the organization with carrying out, or helping to carry out, one of its functions, and thus through whom the organization acts”.58 To understand which functions are entrusted by the Organization to an agent, Article 6, para. 2, of the DARIO relies—albeit not exclusively—59 on the “rules of the organization”, which include a broad range of acts, exercised by the States and/or by the Organization (see UN Doc. A/CN.4/541, 2 April 2004, para. 7). This criterion, as is well known, has led to different interpretations both in the literature and in judicial decisions, thus providing more questions than solutions (in this regard, the literature is particularly extensive; the issue of the attribution of wrongful acts committed by peacekeepers has been addressed in the pioneer study conducted by Condorelli (1995), further developed in Condorelli (2014), as well as in several works of Palchetti, among many, see Palchetti (2007), p. 681). 57  See Draft Articles cit., p. 17 (emphasis added). 58  As is well known, the definition of “agent” endorsed by the International Law Commission is largely based on the definition given by the International Court of Justice. In the advisory opinion on Reparation for Injuries Suffered in the Service of the United Nations, it was affirmed that “[t]he Court understands the word ‘agent’ in the most liberal sense, that is to say, any person who, whether a paid official or not, and whether permanently employed or not, has been charged by an organ of the organization with carrying out, or helping to carry out, one of its functions – in short, any person through whom it acts” (ICJ, Reparation for Injuries Suffered in the Service of the United Nations, Advisory Opinion, 11 April 1949, I.C.J. Reports 1949, p. 177). 59  On this point, the Commentary of the Draft Articles on the Responsibility of International Organization makes it clear that “[b]y not making the rules of the organization the only criterion, the wording of paragraph 2 is intended to leave the possibility open that, in exceptional circumstances, functions may be considered as given to an organ or agent even if this could not be said to be based on the rules of the organization” (Draft Articles cit., p. 19, para. 9).

The Use of Unarmed Drones in UN Peacekeeping Operations: Issues of Attribution

271

such as “the constituent instruments, decisions, resolutions and other acts of the international organization adopted in accordance with those instruments, and established practice of the organization”.60 In the light of the foregoing provisions, it is possible to argue that: (i) private actors that operate unarmed drones can be considered as “agents” of the United Nations insofar as they are entrusted with carrying out one of the functions of the Organization; (ii) notably, the tasks of information-gathering and aerial reconnaissance that are exercised by the private drone operators are essential to fulfilling the UN mission’s mandate, and therefore they fall within the functions entrusted to the Organization; (iii) the contract signed between the Organization and private companies should be considered as the “rule of the Organization which confers certain functions to the agent”. Applying this principle to the MONUSCO scenario, it follows that, as Leonardo S.p.A. operated the UUAVs system, they can be fairly considered as “agents” of the United Nations, within the meaning of the DARIO. Two considerations support this conclusion: on the one hand, Leonardo operators were empowered to exercise (elements of) “one of the functions of the Organization”—that is to say the intelligence services in support of the mandate of MONUSCO61; and on the other hand, the contract for the provision of goods and services that was signed by the two parties serves as a “rule of the Organization” for the conferral of the given functions. In this regard, it is worth noting that the functions outsourced by the United Nations to Leonardo Selex are—in our opinion—truly “institutional” as they are an expression of the proper competences entrusted to the Organization by the Member States. To put it differently, the private contractor in question has been charged with providing not just mere “instrumental” or “support” tasks to the Organization, such as the maintenance of the drones or the catering for the UN organs that operate this technology, but rather they operate substantial tasks. The nature of the functions that are outsourced to the private companies operating the drones can be seen, ultimately, as “public” or “(quasi-)governmental” according to the expression stipulated in Article 5 of the Draft Articles on States Responsibility.62 In fact, private drone  See Draft Articles cit., p. 6.  Generally, the functions that are mostly outsourced to private contractors in peacekeeping operations cover three areas: logistical and support service, security and policing tasks as well as military support (see Lilly 2000, p. 55). Equally, the outsourced activities conducted by drones can serve—in certain circumstances—as a support for one of these three areas with a view to fulfilling the UN mandate. 62  See Draft Articles on Responsibility of States for Internationally Wrongful Acts, in Report of the International Law Commission, 2001, Article 5. In this regard, the International Law Commission explained in the DARIO that “Article 5 of the articles on the responsibility of States for internationally wrongful acts concerns ‘conduct of persons or entities exercising elements of governmental authority’. This terminology is generally not appropriate for international organizations. One would have to express in a different way the link that an entity may have with an international organization. It is however superfluous to put in the present draft articles an additional provision in order to include persons or entities in a situation corresponding to the one envisaged in article 5 of the articles on the responsibility of States for internationally wrongful acts. The term ‘agent’ is given in subparagraph (d) of article 2 a wide meaning that adequately covers these persons or enti60 61

272

M. Buscemi

o­ perators, although they do not resort—at least directly—to the use of lethal force or coercive measures, they perform crucial “public” tasks such as surveillance and gathering information which, in some circumstances, can be instrumental to the use of force. In the mission in Congo, for example, drones provide support services for, and are associated with, the offensive military Force Intervention Brigade.63 This offers an example of pure delegation, by means of a procurement procedure, of public functions that are closely linked to the UN peacekeeping mandate. Moreover, the letter of interests for the provision of drones indicates a certain proximity between the private contractors and the official structure of the mission, as it states that “[t]he staff of the independent contractor will operate closely with UN aviation and military personnel and interact with the host nation as and when required”.64 Although the control exercised by the UN over (the conduct of) private contractors is not required by DARIO per se to classify such actors as “agents” of the Organization, this circumstance further supports and strengthens the conclusion that private companies operating drones fall under the notion of “agents” of the Organization. Therefore, should the UN decide to outsource the provision of drone assets and services to private companies, instead of requiring them through letter of assists from States contributing troops, hypothetical wrongful conducts taken by contractors (such as the one above mentioned) can only be attributable to the Organization.65 This conclusion cannot be contradicted by the existence of specific clauses that are commonly attached to contracts with the Organization that are aimed at excluding the incorporation de iure of private contractors within the UN personnel structure.66 This pattern of clauses cannot be interpreted, as is argued by many scholars, ties” (Draft Articles cit., p. 19, para. 10). Interestingly, paragraph 5 of the Elements for the Draft Legally Binding Instrument on Transnational Corporations and Other Business Enterprises with Respect to Human Rights has been drafted along the same lines of Article 5 of the Draft Articles on Responsibility of States for Internationally Wrongful Acts (see www.ohchr.org/Documents/ HRBodies/HRCouncil/WGTransCorp/Session3/LegallyBindingInstrumentTNCs_OBEs.pdf, p. 9). Unfortunatelly, the Draft Legally Binding Instrument does not address—for the time being— the responsibility of International Organizations for actions and omissions committed by their contractors companies. 63  Arguably, this circumstance might open the door, in the future, to the deployment of drones to launch directly offensive actions. 64  See, for instance, the Request for Expression of Interest (EOI) published in 2016 and available at www.ungm.org/Public/Notice/42758. 65  As for the different question of strict liability under domestic law arising from damages caused by drones, it is likely that private contractors do rely on insurance schemes of compensation covering loss or damage sustained by third parties on the ground. 66  The tender procedure launched by the United Nations normally contains contract clauses that read as follow: “the flight operating crew and all maintenance personnel shall at all times remain the servant or agent of the contractor” and that “[t]he UAS provider will be an independent contractor who remains in control of the system and aerial vehicles and shall be responsible for operation and maintenance of the Unmanned Aerial System. All personnel as part of the vendor’s offer, including but not limited to, flight crew (pilots and payload operators), Data Analysts and all maintenance personnel shall at all times remain the servant or agent of the contractor” (www. ungm.org/Public/Notice/42758).

The Use of Unarmed Drones in UN Peacekeeping Operations: Issues of Attribution

273

to eschew the responsibility of the Organization—at the international level—for the conduct committed by entities that are empowered to exercise one of its functions.67

6  Conclusive Remarks Arguably, the use of unarmed drones can enhance situation awareness in peacekeeping operations, thus effectively contributing to the implementation of the missions’ mandate, as it enables them to act more quickly and more decisively, to foster the mobility of peacekeepers, to become aware of prior warnings of ambushes or attacks, and so on. This prompts the question of what would have happened in Srebrenica, if the Dutch battalion part of the UNPROFOR mission was able to assess, by flying cameras, what the situation on the ground was before decisions were taken.68 This study has pointed out, however, that the use of UUAVs might pose serious questions in relation to the protection of human rights; primarily, the question of how data (images and videos) captured by the flying cameras are collected and stored. Another urgent question is what the legal consequences are if drones are involved in accidents: the issue of procedural remedies available against the United Nations then arises. Besides a tort liability under domestic law, a responsibility under international law for the (mis)use of UUAVs is likely to arise in some circumstances (for instance, supposing that the data collected are interpreted in a wrongful manner that leads to an attack against civilians, or a decision not to act so as to protect their safety). A legal hurdle in the inquiry into a potential finding of UN responsibility is constituted by the presence of private companies who are often contracted to supply the drones, to operate their commands, and to collect, store and interpret the data that are captured over the course of a UN peacekeeping operation. It is maintained that private drone operators should be considered as “agents” of the United Nations under the 2011 DARIO, insofar as the said private companies are contractually in charge of performing functions incumbent, in principle, upon the Organization. From this perspective, intelligence and gathering information support services form an integrated and crucial part of planning the daily activities that are conducted by the UN peacekeepers. It follows that their potentially wrongful acts are directly attributable to the Organization itself, regardless of the contractual clauses that are aimed at excluding the incorporation of the said contractors in the institutional UN structure. Should the UN decide to resort to private contractors for the supply and the manoeuvring of drones, as well as for the analysis of the data

 In this regard we fully agree with Magi (2010), pp. 753–780, especially para. 4.  On the events before and after the fall of Srebrenica and the role played by the Dutchbat see, among many, Baehr (2010), pp. 269–286. 67 68

274

M. Buscemi

collected—instead of obtaining them from the Member States—the Organization must bear any responsibility that arises as a result of their (mis)use.

References Andrews, S. Morell. 2017. Drones in the DRC: A Case Study for Future Deployment in United Nations Peacekeeping. Intersect 10: 1–10. Baehr, Peter. 2010. Accountability of the United Nations: The Case of Srebrenica. In Accountability for Human Rights Violations by International Organisations, ed. Jan Wouters, Eva Brems, Stefaan Smis, and Pierre Schmitt. Antwerp: Intersentia. Bodeau-Livinec, Pierre. 2013. Les faux-semblants de la lex specialis – L’exemple de la résolution 52/247 de l’Assemblée générale des Nations Unies sur les limitations temporelles et financières de la responsabilité de l’ONU. Revue belge de droit international 1: 117–136. Boon, Kristen E. 2016. The United Nations as Good Samaritan: Immunity and Responsibility. Chicago Journal of International Law 16: 341–385. Condorelli, Luigi. 1995. Le statut des forces de l’ONU et le droit international humanitaire. Rivista di diritto internazionale 78: 881–906. ———. 2014. De la responsabilité internationale de l’ONU et/ou de l’État d’envoi lors d’actions de Forces de Maintien de la Paix: l’écheveau de l’attribution (double?) devant le juge néerlandais. QIL-Questions of International Law 1: 3–15. Dannenbaum, Tom. 2010. Translating the Standard of Effective Control into a System of Effective Accountability: How Liability Should Be Apportioned for Violations of Human Rights by Member State Troop Contingents Serving as United Nations Peacekeepers. Harvard Journal of International Law 51: 113–192. De Pascali, Alessio. 2014. The Strategic and Legal Impact of the Use of Unmanned Aerial Vehicles in UN PeaceKeeping. ITPCM International Commentary 10: 27–32. Dorn, A. Walter, and Stewart Webb. 2017. Eyes in the Sky for Peacekeeping: The Emergence of UAVs in UN Operations. Intelligence and National Security 32: 413–417. Dorn, A.Walter. 2009. Intelligence-led Peacekeeping: The United Nations Stabilization Mission in Haiti (MINUSTAH), 2006–07. Intelligence and National Security 24: 805–835. European Center for Constitutional and Human Rights, ed. 2017. Litigating Drone Strikes. Challenging the Global Network of Remote Killing. Accessed April 5, 2018. https://www. ecchr.eu/en/documents/publications/articles/litigating-drone-strikes-eng-neu.html. Forteau, Mathias. 2013. Régime general de responsabilité ou lex specialis? Revue belge de droit international 1: 147–160. Francioni, Francesco, and Natalino Ronzitti, eds. 2011. War by Private Contract: Human Rights, Humanitarian Law and Private Contractors. Oxford: Oxford University Press. Heyns, Christof, Akande Dapo, Lawrence Hill-Cawthorne, and Thompson Chengeta. 2016. The International Law Frameworks Regulating the Use of Armed Drones. The International and Comparative Law Quarterly 65: 791–827. Karlsrud, John, and Frederik Rosén. 2013. In the Eye of the Beholder? UN and the Use of Drones to Protect Civilians. Stability: International Journal of Security and Development 27: 1–10. Kearney, Diana. 2016. The Slippery Slope of UN Peacekeeping: Offensive Peacekeeping in Congo and Beyond. Max Planck Yearbook of United Nations Law 19: 100–141. Lilly, Damian. 2000. The Privatization of Peacekeeping: Prospects and Realities. Disarmament Forum. Accessed April 5, 2018. www.peacepalacelibrary.nl/ebooks/files/UNIDIR_pdf-art135. pdf. Lozanorios, Frédérique. 2014. Responsibility of the United Nations for Wrongful Acts Occurred in the Framework of Authorized Operations in Light of the Draft Articles on the Responsibility of International Organizations (DARIO). Max Planck Yearbook of United Nations Law 18: 109–151.

The Use of Unarmed Drones in UN Peacekeeping Operations: Issues of Attribution

275

Magi, Laura. 2010. Sull’attribuzione ad una organizzazione internazionale dell’attività di società private che operano per suo conto. Rivista di diritto internazionale 93: 753–801. Novosseloff, Alexandra. 2017. Keeping Peace from Above: Air Assets in UN Peace Operations. International Peace Institute Publication. Accessed April 5, 2018. www.ipinst.org/2017/10/ air-assets-un-peace-ops. Østensen, Åse Gilje. 2011. UN Use of Private Military and Security Companies: Practices and Policies. The Geneva Centre for the Democratic Control of Armed Forces. Accessed April 5, 2018. www.dcaf.ch/sites/default/files/publications/documents/SSR_PAPER3.pdf. Palchetti, Paolo. 2007. Azioni di forze istituite o autorizzate dalle Nazioni Unite davanti alla Corte europea dei diritti dell’uomo: i casi Behrami e Saramati. Rivista di diritto internazionale 90: 681–704. ———. 2015. Unità, pluralità o inutilità dei regimi di responsabilità internazionale applicabili alle Organizzazioni? In Il futuro delle organizzazioni internazionali: prospettive giuridiche, ed. Michele Vellano, 43–60. Napoli: Editoriale Scientifica. Pineschi, Laura. 2018. Tutela internazionale del patrimonio culturale e missioni di pace delle Nazioni Unite: un binomio possibile? Il caso MINUSMA. Rivista di diritto internazionale 101: 5–57. Pisillo Mazzeschi, Riccardo. 1999. International Obligations to Provide for Reparation Claims? In State Responsibility and the Individual, ed. Albrecht Randelzhofer and Christian Tomuschat. The Hague: Martinus Nijhoff Publishers. Pressler, Jessica. 2015. Responsibility of the United Nations for the Activities of Private Military and Security Companies in Peackeeping Operations: In Need of a New International Instrument. Max Planck Yearbook of the United Nations Law 18: 152–187. Sari, Auriel, and Ramses A. Wessel. 2012. International Responsibility for EU Military Operations: Findings the EU’s Place in the Global Accountability Regime. In The Legal Dimension of Global Governance: What Role for the EU? ed. Bart Van Vooren, Steven Blockmans, and Jan Wouters. Oxford: Oxford University Press. Simmonds, Kenneth. 1968. Legal Problems Arising from the United Nations Military Operations in the Congo. The Hague: Martinus Nijhoff. Spinedi, Marina. 2006. La responsabilità dello Stato per comportamenti di private contractors. In La codificazione della responsabilità internazionale degli Stati alla prova de fatti. Problemi e spunti di riflessione, ed. Marina Spinedi, Alessandra Gianelli, and Maria Luisia Alaimo, 67–106. Milano: Giuffrè Editore. Tomuschat, Christian. 1999. Individual Reparation Claims in Instances of Grave Human Rights Violations: The Position Under General International Law. In State Responsibility and the Individual, ed. Albrecht Randelzhofer and Christian Tomuschat. The Hague: Martinus Nijhoff Publishers.

Digital Rights and Jurisdiction: The European Approach to Online Defamation and IPRs Infringements Ornella Feraci

Abstract The new media and communication technologies have significantly increased the number of online cross-border disputes involving the security and protection of personal identity as well as of intellectual property creations. The persistent lack of a uniform private international law approach on the matter determines a substantial gap in Internet governance, which results in the application of domestic rules or, where existing, of regional ones. This legal scenario is conducive to conflicts of jurisdiction and, ultimately, to legal uncertainty and instances of forum shopping. The Chapter focuses on the allocation of adjudicative jurisdiction at European level by examining the current EU approach to cross-border online disputes resolution involving the main types of infringements of digital rights (notably, personality rights and IPRs). The absence of EU rules on jurisdiction concerning online tort disputes has encouraged the elaboration of a prolific and controversial case law of the CJEU over the interpretation of Article 7(2) of Brussels I-bis Regulation (i.e. eDate, BOÜ/Ilsjan, Wintergeister, Pinckney and Hejduk rulings). The Chapter provides a thorough and critical insight over the characteristics and trends of this development and comes to propose a brand-new “less is more” normative approach, aimed at reducing the range of eligible fora in light of a well-­balanced system of assessment of the competing interests involved.

1  Introduction Cyberspace is increasingly affecting the rights of individuals and the activities of businesses worldwide. Internet is not just an incredibly powerful means of communication: it rather represents the pulsing heart for the vast majority of social relationships and commercial transactions as well as the main instrument of storage and management of digital content of any kind, both professional and private one. As such, it entails a remarkable potential for violations of human rights. It is equally O. Feraci (*) University of Siena, Siena, Italy e-mail: [email protected] © Springer Nature Switzerland AG 2019 E. Carpanelli, N. Lazzerini (eds.), Use and Misuse of New Technologies, https://doi.org/10.1007/978-3-030-05648-3_14

277

278

O. Feraci

undisputed that the quantity (and complexity) of cross-border disputes arising in the digital environment increases year after year, raising a wide spectrum of regulatory concerns.1 This trend leads to a growing exploitation of intangible rights on a global scale. Such development is of particular significance when it comes to dealing with the protection of Intellectual Property Rights (IPRs) or privacy and personality rights. Any legal reflection over online conducts moves from the general assumption that Internet gives rise to an intangible and evanescent space—the cyberspace—, which is intrinsically borderless and independent from any geographical location.2 Indeed, it is commonly accepted that any activity performed within the digital environment has a ubiquitous nature. The same content placed online (e.g. photographs, audio and video files regardless of format, personal info about identity or privacy etc.) is potentially (and simultaneously) available in the same manner worldwide, regardless of the place where the person accessing the website is located and of the type of electronic device connected to the Internet. Therefore, the virtual and global dimension of online disputes challenges the traditional legal categories and calls for new legal solutions or, at least, for an appropriate adaptation of the existing rules, that are devised for similar situations which occur in the physical environment. At the same time some new digital technologies allow for a mitigation of the borderless nature of Internet. In particular, the so-called geolocation technologies permit nowadays to ascertain the geographical location of Internet users with a high degree of accuracy,3 thanks to GPS installed on smart devices such as smartphones and tablet computers or WIFI hotspots or server-side geo-location technologies. From a strict legal perspective, one of the most important debates raised by Internet governance concerns how to assert jurisdiction in relation to online cross-­ border non-contractual liability,4 namely how to delimit the jurisdictional power of a State’s courts to hear such disputes (“adjudicative jurisdiction” or “conflict of jurisdictions”). The interaction between Internet and jurisdiction often results in conflicts of jurisdiction between national authorities and online actors, given the “Internet’s decentralised underlying infrastructure”,5 thus fostering legal uncertainty. Such difficulties depend on the traditional methods of allocation of jurisdiction as envisaged by Private International Law (PIL), which are geographically-­ orientated and generally rely on the territoriality principle. Furthermore, the disconnection between the effects of Internet activities and geographical boundaries increases the risk of both positive and negative conflicts of jurisdiction:  Hörnle (2009).  See ex multis: Johnson and Post (1996), p. 1367; Slane (2008), pp. 129–151; Geist (2001). 3  See on this topic: Svantesson (2004, 2012a, b). 4  On the interplay between the Internet and private international law, see Svantesson (2012a, b), Hörnle (2009) and Boele-Woelki and Kessedjan (1998). 5  Kohl (2017), p. 31. See also: Kohl (2007), Goldsmith and Wu (2006), De Miguel Asensio (2015), Hörnle (2008), Svantesson (2012a, b), Hörnle (2009), Boele-Woelki and Kessedjan (1998) and Wang (2010). The new boundaries of technologic innovation and optimization, like the deployment of cloud computing may complicate the determination of jurisdiction when disputes arise. See on topic Wang (2013). 1 2

Digital Rights and Jurisdiction: The European Approach to Online Defamation…

279

One of the Internet’s most challenging issue is how to bring the seemingly borderless Internet to a bordered world. … If courts are unable to assert jurisdiction, the Internet becomes a proverbial “wild west”. Conversely, if every court asserts jurisdiction, the Internet becomes overregulated with a myriad of potentially conflicting laws asserting jurisdiction regardless of the impact on other despite minimal o maximum connections to the State.6

It is apparent then that the tension between Internet and jurisdiction can only be solved by striking a fair balance between the opposite poles of “non-regulation” and “overregulation”, while avoiding an arbitrarily extraterritorial expansion of domestic jurisdiction.7 This situation may ultimately render practically impossible for businesses to engage in cross-border trade or may lead to forum shopping. Some commentators have argued that the intrinsic features of Internet would preclude national judicial authorities from exercising jurisdiction on claims arising out of online activities.8 According to this approach, cyberspace should be conceived of as a separate and independent area and be regarded as an autonomous jurisdiction. Therefore, it would be for Internet itself to develop its own effective institutions to establish rules and enforce them (global self-regulation). However, the opposing view tends to prevail: according to this, national jurisdictional authorities shall regulate Internet activities and their legal implications.9 It is equally undisputed that the increasing forms of Alternative Dispute Resolution (ADR) mechanisms, included arbitration, may provide an effective alternative remedy in that regard.10 Uniform rules on jurisdiction over Internet conducts are still lacking at the international level. Indeed, the international organizations that have been proactive in establishing uniform rules in certain areas of Internet-related situations, such as UNCITRAL and UNIDROIT, did not address either jurisdiction or torts: the UNCITRAL Model Law on Electronic Commerce11 and the United Nations Convention on the Use of Electronic Communications in International Contracts

 Geist (2017), p. 26.  Themelis (2012) in relation to the extraterritorial application of EU competition law in respect to online jurisdiction. 8  Johnson and Post (1995–1996). 9  Goldsmith and Wu (2006) and De Miguel Asensio (2015). 10  See Hörnle (2009) on arbitration and the different forms of ODR along with the technologies currently being used or developed for dispute resolution. It is worth noting that ICANN has established ADR mechanisms concerning conflicts between trademark owners and domain name registrants. However, they are not binding on national courts and do not prevent the parties from submitting the dispute to a national court. 11  The UNCITRAL Model Law on Electronic Commerce has been adopted on 12 June 1996. It purports to enable and facilitate commerce conducted using electronic means by providing national legislators with a set of internationally acceptable rules aimed at removing legal obstacles and increasing legal predictability for electronic commerce. In particular, it is intended to overcome obstacles arising from statutory provisions that may not be varied contractually by providing equal treatment to paper-based and electronic information. Such equal treatment is essential for enabling the use of paperless communication, thus fostering efficiency in international trade. 6 7

280

O. Feraci

(New York, 2005)12 do not provide for any rules on jurisdiction. The absence of a multilateral agreement on the matter determines a substantial gap in Internet governance, which results in the application of domestic rules or, where possible, of regional ones. Similar deficiencies also emerge at the European level. The EU PIL lacks specific rules on jurisdiction vis-à-vis online torts. The European instrument specifically devised for addressing Internet contractual activities (the EU E-commerce Directive: Directive 2000/31/EC)13 either does not contain any provision in that regard. On the contrary, the EU PIL is still rooted on a technology-neutral lawmaking, which is mitigated by the creative, case-by-case based, interpretation of the CJEU. In light of this overall framework, the scope of this paper is restricted under three different perspectives. Firstly, it does not aim at exploring all jurisdictional issues concerning Internet, but merely the ones arising out of torts committed through it (online civil disputes deriving from torts). Secondly, the Chapter will address the regulation of cross-border civil disputes involving two categories of digital rights. As it is known, such notion encompasses, in general, the human rights allowing individuals to access, use, create and publish digital media or to access and use computers other electronic devices on communication networks. The term particularly relates to the protection of rights as the right to privacy, the right to data protection, freedom of opinion and expression online, as well as rights related to digital intellectual creations in the context of new digital technologies. For the sake of brevity and clarity, given the multifaceted world of digital rights, this Chapter will exclusively examine the main types of infringements occurring online: i.e. violations of privacy and rights relating to personality (e.g. defamation) and Intellectual Property Rights (IPRs), focusing, in particular, on copyright. Therefore, it will not cover digital trade rights concerning cross-border electronic commercial transactions, i.e. business-to-business (B2B) and business-­ to-­consumer (B2C).14 Thirdly, the Chapter will focus only on EU online cross-border litigation. Consequently, it will analyse the current EU PIL’s approach to the delimitation of jurisdiction over online defamation and copyright infringements, e.g. as they involve two or more Member States (intra-EU dimension). In that regard, in the absence of specific European rules on jurisdiction over online torts, the Chapter will survey the various existing de iure condito rules as deriving from the combination of the  The UN Convention has been adopted on 23 November 2005 with the view to facilitating the use of electronic communications in international trade by assuring that contracts concluded and other communications exchanged electronically are as valid and enforceable as their traditional paperbased equivalents. 13  Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (“Directive on electronic commerce”) OJ L 178, 17.7.2000, pp. 1–16. 14  Wang (2008, 2010) on cross-border disputes in electronic commercial contracts under the EU, US and China approach. 12

Digital Rights and Jurisdiction: The European Approach to Online Defamation…

281

a­vailable uniform grounds on jurisdiction and the related interpretative CJEU’s jurisprudence. Upon these premises, the Chapter will investigate the suitability of the European legislative jurisdictional criteria in this field and will finally propose an alternative and innovative solution premised on a “less is more” approach.

2  A  sserting Jurisdiction Over EU Cross-Border Online Defamation and Online IPRs Infringements: The Brussels I-bis Regime The existing EU PIL does not differentiate between offline and online torts as to jurisdiction. Both fall in the legal regime provided for by Regulation (EU) No. 1215/2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (“Brussels I-bis”),15 which, as from 10 January 2015, has replaced Regulation (EC) No 44/2001 (“Brussels I Regulation”)16 as between all Member States, including United Kingdom, Ireland and Denmark.17 Brussels I-bis provides for a well-structured set of rules on jurisdiction vis-à-vis EU cross-border disputes concerning civil and commercial matters (i.e. contractual obligations, torts and property rights). In principle, the uniform jurisdiction rules of “Brussels I-bis regime” apply only when the defendant is domiciled within the EU, in accordance with the personal scope of the Regulation, set out in Article 4(1). Such rule intends to found the exercise of jurisdiction on a significant connection between the proceedings to which the Regulation applies and the European Union. If such a connection exists, the uniform rules can confer jurisdiction only on the courts of a Member State. Conversely, with the exception of certain provisions (concerning the exclusive jurisdiction, the choice-of-court agreement, the consumer

 Regulation (EU) No. 1215/2012 of the European Parliament and of the Council of 12 December 2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (recast), OJ L 351/1. 16  Council Regulation (EC) No. 44/2001 of 22 December 2000 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters, OJ L12/1. The Regulation takes its name from having replaced, as from 1st March 2002, the Brussels Convention of 27 September 1968 on jurisdiction and the enforcement of judgments in civil and commercial matters. 17  Pursuant to Article 3 of Protocol No. 21 annexed to the TEU and to the TFEU, the United Kingdom and Ireland have notified their wish to take part in the adoption and application of the Regulation (“opting-in” rule). Under Articles 1 and 2 of Protocol No 22 annexed to the TEU and to the TFEU, Denmark, as a rule, does not take part in the adoption of the acts relating to the area of “Freedom, Security and Justice” and is not bound by them (“opting-out” rule). Nevertheless, on 19 October 2005, Denmark entered into a Convention with the EU with a view of extending the Brussels I regime to the relations between itself and the other EU Member States. According to Article 3 of the above agreement, Denmark has then accepted to be subject to the amendments contained in Brussels I-bis. 15

282

O. Feraci

contracts and the employment contracts),18 when the defendant is domiciled in a third State, the national Member States’ rules on jurisdiction shall apply (residual domestic competence rule).19 This implies that, for an online civil claim being brought before a Member State on the ground of Brussels I-bis, the alleged wrongdoer must be domiciled in the EU. That condition considerably restricts the number of civil disputes in Europe based on EU law if one considers that an online defamation or an IPRs’ infringement affecting the EU (i.e. involving EU citizens, third-­ country nationals habitually resident in EU or businesses operating in MSs), may also result from actors established outside the European territory. This ultimately undermines the access to justice of victims, who, in such a case, would be forced to invoke their domestic jurisdiction rules on the matter, which may significantly differ from one country to another and, generally, are not technology-oriented provisions. In line with Regulation (EC) No. 44/2001, the Brussels I-bis does not provide for a special rule on jurisdiction either for Intellectual Property Rights infringements or for personality rights infringements. Consequently, both types of tort fall within the general regime. A person asserting to be the victim of an online defamation or an online IPRs infringement may choose to claim before the court of the Member State designated by the general rules (i.e. prorogation and the defendant’s domicile rule) or before the court of the Member State resulting from the special rule of locus commissi delicti (Article 7(2)).

2.1  T  he General Fora: Party Autonomy and the Defendant’s Domicile The fact that a tort dispute concerning the infringement of personality rights or IPRs occurs in the digital context does not preclude, theoretically, a choice-of-court agreement by the parties. In practice, submission plays a crucial role only in the contractual framework as to e-commerce disputes, since it constitutes a valuable instrument to reduce litigation risks and costs. Provided that no exclusive jurisdiction is granted under Article 24, the Brussels I-bis Regulation allows party

 According to Article 6(1) of Brussels I-bis Regulation: “If the defendant is not domiciled in a Member State, the jurisdiction of the courts of each Member State shall, subject to Article 18(1), Article 21(2) and Articles 24 and 25, be determined by the law of that Member State”. 19  Article 6(1) of Brussels I-bis Regulation. According to the case-law of the CJEU, the expression “is not domiciled in a Member State”, used in that provision, means that application of the national rules rather than the uniform rules of jurisdiction is possible only if the court seized of the case holds firm evidence that the defendant is domiciled outside the EU (Case C-327/10 Lindner (2011), ECLI:EU:C:2011:745, para. 42). 18

Digital Rights and Jurisdiction: The European Approach to Online Defamation…

283

autonomy in terms of both choice-of-court agreement (prorogation of jurisdiction)20 and submission by appearance, as the defendant enters an appearance before the court seised without contesting its jurisdiction (prorogation by appearance).21 Party autonomy clearly derogates from the jurisdiction rules that would otherwise apply (general, residual or special rules). In particular, in respect to the torts here at stake, it would allocate jurisdiction in favour of the court of a Member State other than the one set out in Article 4 (defendant’s domicile rule) or Article 7(2) of Brussels I-bis Regulation (locus commissi delicti). Such theoretical possibility results in negative terms from the absence of explicit indications within  the Regulation, where limitations are placed on the effectiveness of jurisdiction agreements only in respect of insurance, consumer and employment contracts, in light of the vulnerability of the supposedly weaker party, along with an express prohibition for exclusive jurisdiction.22 In practice, while the prorogation by appearance in this context might occasionally occur, due to procedural negligence or, less frequently, deliberate acquiescence of the alleged responsible, the choice-of-court agreement appears rather unrealistic in this matter, given the opposing interests of the parties involved and the nature of the relevant facts. This state of affairs, with respect to cross-border online defamation and copyright infringements, considerably reduces the chances of conferring jurisdiction on the courts of a Member State other than those resulting from the application of the general forum of the defendant or the special rule on torts. Accordingly, the defendant’s domicile will serve as the general ground of jurisdiction in the framework of Brussels I-bis. As a rule, the victim of any online tort might sue the allegedly responsible before the court of the Member State where s/­he is domiciled, regardless of the nationality (Article 4). This provision relies on the traditional assumption that a defendant can most easily conduct the defence in the court of his/her domicile (actor sequitur forum rei). The defendant’s domicile represents the competent forum for all claims falling within the material scope of the Regulation and applies irrespective of the concrete means used to commit the infringement, only requiring that the defendant’s domicile be determined within a Member State’s territory. The comprehensive vocation of the provision implies that the latter may apply to all types of Internet conducts regardless of the nature of the claim at stake (contractual or non-contractual one) and of the specific characteristics of the unlawful act involved. In order to facilitate compliance with the subjective requirement set out in Article 4, the Regulation provides some guidance to determine the place of domicile, by distinguishing between individuals23 and businesses. Concerning the latter, in  Article 25 of Brussels I-bis Regulation. See ex multis on prorogation in the Brussels I-bis Regulation: Queirolo (2013/2014). 21  Article 26 of Brussels I-bis Regulation. 22  Articles 15, 19, 23 and 24 of Brussels I-bis Regulation. 23  Article 62 of Brussels I-bis provides that the Member State of the forum shall apply its domestic law (lex fori) to determine whether a party is domiciled in its own jurisdiction. Should the court of that State decide that the defendant is domiciled in another Member State, the law of the latter would apply. 20

284

O. Feraci

p­ articular, the Regulation establishes a uniform substantive definition by stating that the domicile of a legal person must be autonomously defined at European level, without referring to the national legal orders. Indeed, pursuant to Article 63(1): a company or other legal person or association of natural or legal persons” is deemed domiciled at the place where it has (a) its statutory seat, or (b) its central administration, or (c) its principal place of business.24

Consequently, the legal person’s domicile may be determined with reference to three different connecting factors—two of which (central administration and principal place of business) inspired by effectiveness considerations—that could ­potentially lead to different countries. However, when dealing with Internet-related situations, it can be difficult to ascertain the defendant’s domicile, given the potential relevance of different places, e.g. where the server (storing the information) or the content provider (uploading it) are located. Indeed, the CJEU has recently addressed the issue of determining jurisdiction in respect of an action for damages resulting from the publication of photographs on an Internet site edited by a person whose domicile was unknown. On that occasion the Court has held that Article 5(3) of Regulation 44/2001 could nevertheless be applied to a situation where the defendant, who was probably a EU citizen but whose whereabouts were unknown, if the court seised did not hold firm evidence to conclude that the latter was domiciled outside the EU. Therefore, in such a case the uniform rules of jurisdiction established by the Brussels I Regulation applied instead of those in force in the Member States.25 In principle, the general rule pursuant to Article 4 of Brussels I-bis Regulation appears advantageous when dealing with online torts for several reasons. First, as far as IPRs are concerned, it satisfies the defendant’s interest to defend himself/ herself before one single forum in the State of his/her domicile as well as the right-­ holder’s interest to obtain an efficient enforcement of his/her Intellectual Property Rights. Conversely, such forum appears less attractive in respect of personality rights infringements, where the victim may not have any material interest in seeking compensation in a place when the latter does not coincide with the centre of gravity of his/her life. In such a case, the general forum might discourage the victim from suing the alleged infringer before his/her domicile’s courts in the light of the unfamiliar procedural law applicable to the claim and the potential costs of the judicial proceedings. Secondly, the recourse to the defendant’s domicile offers some benefits under the perspective of online infringements as a whole, in terms of easing, in particular, the ascertainment of the forum and conferring on that court the competence to assess and compensate all damages occurred. Besides, the general forum allows for

 It is worth noting that for the purposes of common law (applicable in Ireland, UK and Cyprus) the “statutory seat” has to be interpreted as the registered office or, failing that, as the place of incorporation or, failing that, as the place under the law of which the formation took place (Article 63(2)). 25  Case C-292/10 G v Cornelius de Visser [2012] ECLI:EU:C:2012:142, para. 42. 24

Digital Rights and Jurisdiction: The European Approach to Online Defamation…

285

c­ oncentration of claims involving the infringement of several national Intellectual Property Rights that are subject to different national laws or related to defamatory contents affecting multiple States.

2.2  The Special Forum of Locus Commissi Delicti: From the “Ubiquity Theory” to the “Mosaic Approach” According to Brussels I-bis, the victim of an online tort (included defamation and IPRs violations) committed within the EU may found the competence upon an alternative ground of jurisdiction based on considerations of proximity of the court to the action or of sound administration of justice, i.e. the efficient conduct of proceedings and the ease in the taking of evidence.26 In particular, Article 7(2) on matters relating to “tort, delict or quasi-delict” establishes that a person domiciled in a Member State may be sued in another Member State before “the courts for the place where the harmful event occurred or may occur” (locus commissi delicti). In several decisions the CJEU has clarified that the scope of application of this provision does not merely apply to torts in the strict sense but extends to all actions which seek to establish the liability of a defendant and which are not contractual matters within Article 7(1).27 Thus, Article 7(2) of the Brussels I-bis objectively localizes the infringement on the constitutive element of civil liability, i.e. the harmful event. The locus commissi delicti ensures predictability, avoiding that the plaintiff may sue the defendant in a court of a Member State that he/she could not reasonably foresee. In accordance with a settled jurisprudence of the CJEU, dating back to the 1976 leading-case Mines de potasse d’Alsace,28 the locus delicti of Article 7(2) must be interpreted in light with the “ubiquity theory”. Therefore, the place of the harmful event may be regarded both as the “place of the event giving rise to the damage” (locus actionis) and as the “place where the damage occurred” (locus damni). Accordingly, the alleged infringer may be sued, at the plaintiff’s option, either in the courts for the place of acting and in courts for the place of harm. Later, in relation to multiple infringements causing damages in several Member States, i.e. defamation by means of a newspaper article distributed in several countries, the CJEU has developed the so-called “mosaic theory” (Shevill case).29 According to it, the claimant could only bring proceedings in the courts of the “place where the damage occurred” insofar that the damage actually occurred within that territory, i.e. the Member State in which the publication is distributed and where the victim claims to have suffered injury to his/her reputation (locus  See, inter alia, case C-189/08 Zuid-Chemie [2009] ECLI:EU:C:2009:475, para. 24.  See case C-189/87 Athanasios Kalfelis [1988] ECLI:EU:C:1988:459 and Mankowski (2012), p. 271. 28  Case C-21/76 Mines de Potasse d’Alsace [1976] ECLI:EU:C:1976:166. 29  Case C-68/93 Shevill [1995] ECLI:EU:C:1995:61. 26 27

286

O. Feraci

damni, State of distribution). On the contrary, whenever the claimant intends to concentrate all proceedings before one single court, he/she should address the courts of the place where “the harmful event giving rise to the liability occurred” or the courts of the place where the defendant is domiciled. However, while the courts of locus actionis shall have jurisdiction to award damages for the entire harm caused by defamation, those of locus damni shall rule solely in respect of the harm occurred in the forum. Accordingly, the place of publication criterion inevitably leads the defamation victim to bring as many actions as many Member States are affected. That outcome entails an undesirable multiplication of fora, which may lead to a fragmented regulation, since different laws (as designated by the competent national PIL rules of the court seised) will apply for compensation of damage occurred in the forum.30 Through the mosaic theory, the Court aimed to pursue two opposing policies. On the one hand, it intended to enhance the effectiveness of the protection of the victim of defamation, and, at the same time, to allow the latter to claim wherever his/her reputation is affected. On the other hand, it seeks to safeguard the predictability of jurisdiction, i.e. to enable publishers to foresee the courts before which they could face liability. However, this doctrine clearly relies on the specific characteristics of printed means of communications and, in any case, leaves room for forum shopping, which is particularly frequent in areas like the protection of personality and privacy where the relevant substantive law significantly differs from one country to another (so-called “libel tourism”).

2.3  T  he Interpretation of “Place Where the Harmful Event Occurred or May Occur” with Regard to Online Defamation: The eDate and Martinez and BOÜ/Ilsjan Rulings As far as defamation is concerned, the main challenge as to the applicability of locus delicti rule in the Internet context consists of how to reconcile the place of the harmful event, as interpreted by the CJEU’s case law, with the potential universal localization of multiple damages caused to the victim. The CJEU addressed this issue in the joined cases eDate and Martinez,31 where it has interpreted Article 5(3) of Regulation (EC) No. 44/2001 (corresponding to  This outcome is strengthened by the persistent lack of a uniform conflict-of-laws rule at European level as to violations of privacy and personality rights. Indeed, the latter are excluded from the material scope of Regulation (EC) No. 864/2007 (Rome II Regulation) on the law applicable to non-contractual obligations. Therefore, as to the determination of the applicable law to such a tort, the national Member States PIL rules still apply. See on the matter: Feraci (2009) and Nagy (2012). 31   Joined cases C-509/09 and C-161/10 eDate Advertising and Olivier Martinez [2011] EU:C:2011:685. For some critical remarks see: Reymond (2011), Bollée and Haftel (2012), Feraci (2012) and Francq (2012). 30

Digital Rights and Jurisdiction: The European Approach to Online Defamation…

287

Article 7(2) of Brussels I-bis). The facts concerned two cases of online defamation arising out of the publication on a website of information and photographs regarding two individuals (one of which was a French actor, known in several countries), that resulted in an unlawful interference with their private lives and their right to image. The Court took the view that the Shevill doctrine was applicable even to digital context and that it merely required to be adapted to the peculiarities of online publications. The CJEU thus transformed the State of distribution’s criterion into the more evanescent and ubiquitous “State of accessibility”, on the one hand, and introduced a new general forum, based on “the place of the centre of interests of the victim”, on the other. In accordance with this “updated Shevill doctrine” the Court argued that the person who has suffered an infringement of a personality right by means of the Internet may bring an action for liability, in respect of all damages caused before two general fora and, in respect of the territorially-limited damages, before a number of potentially-multiple special fora. In particular, under the first perspective, the victim may claim (1) before the courts of the Member State in which the publisher of that content is established (locus actionis) or (2) before the courts of the Member State in which the centre of his/her interests is located. Both courts shall have jurisdiction to rule on the entire damages occurred. Under the second one, the victim may also bring his/her action (3) before the courts of each Member State in whose territory the content placed online is or has been accessible (place of accessibility). However, these courts will have jurisdiction only to rule in respect of the damages occurred in their own territory.32 The brand-new criterion of the centre of interests of the victim responds to the need to concentrate jurisdiction in favour of one single court, which is significantly connected to the situation at stake and which is therefore in the best position to assess the impact of the Internet content on the affected individual’s rights. The CJEU clarified that the place where a person has the centre of her interests coincides, in general, with the habitual residence.33 However, the centre of interests may also be elsewhere, in so far as other factors may establish the existence of a particularly close link with that State, for instance the pursuit of a professional activity.34 The Court held that the attribution of jurisdiction to the court of the victim’s centre of interests “corresponds to the objective of the sound administration of justice” and is “in accordance with the aim of predictability of the rules governing jurisdiction  eDate and Martinez, para. 52.  See, on the concept of habitual residence in EU PIL, Mellone (2010). From a domestic PIL perspective, it is worth noting that a similar approach, as to conflict-of-laws, has been adopted by the recent Law of the People’s Republic of China on the Application of Law for Foreign-Related Civil Relations (adopted at the 17th session of the Standing Committee of the 11th National People’s Congress on 28 October 2010), which has entered into force on 1 April 2011. The law in fact provides for a technology-specific provision on Internet defamation, stating: “Where such personal rights as the right of name, portrait, reputation and privacy are infringed upon via network or by other means, the laws at the habitual residence of the infringed shall apply” (Article 46 of the Law). 34  eDate and Martinez, paras. 48–49. 32 33

288

O. Feraci

also with regard to the defendant, given that the publisher of harmful content is, at the time at which that content is placed online, in a position to know the centres of interests of the persons who are the subject of that content. … therefore … the centre-of-interests criterion allows both the applicant easily to identify the court in which he may sue and the defendant reasonably to foresee before which court he may be sued”.35 Yet, the CJEU did not provide parameters through which the place of the centre of interests of the victim should be determined, leaving the floor to the need for an overall factual assessment of the concrete circumstances of the case. In that regard, it is to be noted that, in its Opinion on the case delivered on 29 March 2011, AG Cruz Villalón had proposed to allocate jurisdiction in favour of the court where the “centre of gravity of the dispute”36 is located, with the purpose of simplifying the regulation of online disputes and preventing forum shopping. It is unfortunate that the Court did not accept this proposal: in my view, the latter showed the right direction for developing a reasonable solution with the view of reducing the potentially relevant for online defamation. Such a place appeared to be the one where a court is best placed to adjudicate over a dispute between freedom of information and the right to one’s own image under the most favourable conditions.37 In determining the place of the “centre of gravity of the dispute”, two elements were needed. The first required that such place was located where that individual has his “centre of interests”. In that regard, it would not be sufficient for the victim merely to be known, but, on the contrary, one should identify the place where the individual concerned, in the enjoyment of his personality rights, essentially carries out his life plan, if this exists.38 The second element concerned the nature of the information: the latter should be objectively relevant in a particular territorial area.39 The AG also provided a list of potential items of evidence, which could have contributed to the identification of such factor.40  Ibid., para. 50.  Opinion of Advocate General Cruz Villalón delivered on 29 March 2011  in the joined cases C-509/09 and C-161/10 eDate and Martinez, ECLI:EU:C:2011:192, paras. 58–65. 37  Ibid., para. 58: “That situation occurs in the State where the potential for an infringement of the right to one’s own reputation or the right to privacy and the value inherent in the dissemination of certain information or a particular opinion, as the case may be, may be visualised or are more evident. That is the State where the holder of personality rights will suffer the most extensive and serious harm. Furthermore, and this is undoubtedly important from the point of view of legal certainty, it is the territory where the media outlet could have foreseen that that harm might have occurred and, accordingly, that there was the risk of being sued there”. 38  Ibid., para. 59. 39  Ibid., para. 60. 40  Ibid., para. 65: “ … the fact that the information may be distributed on a website with a top-level domain name which is different from that of the Member State where the publisher is established, thereby demonstrating the existence of a particular territorial area in which the information is likely to be followed with particular interest. Likewise, the language of a website helps to delimit the sphere of influence of the information published. Any advertising which may be on the website may also indicate the territorial area where the information is intended to be read. The section of the website in which the information is published is also relevant for the purposes of achieving an 35 36

Digital Rights and Jurisdiction: The European Approach to Online Defamation…

289

In my view, the introduction of the “place of interests of the victim” in the framework of online defamation does not confirm the suitability of the Shevill doctrine at all. Rather, it marks the need to emancipate Internet jurisdiction from the narrow boundaries of the past and to rethink the locus delicti in a more modern manner, in order to meet the needs of a globalized world. The accessibility criterion, by contrast, has been firmly criticized by the doctrine,41 since the mere accessibility of the information, which would justify an automatic connection with all Member States, gives rise to forum shopping. This would be untenable for any media outlet operating on the Internet. Moreover, the limited jurisdictional power of the court seized as regards compensation would lead to an excessive burden on the claimant along with time-consuming legal proceedings in different countries and hurdles in terms of parallel proceedings. More recently, the CJEU has confirmed the eDate approach in a situation where the victim of an online defamation was a legal person. In the BOÜ/Ilsjan ruling,42 the Court was asked to establish whether the Estonian courts had jurisdiction to rule over a claim brought by an Estonian company against a Swedish employers’ federation which had published on its website incorrect statements about the claimant and the following comments of users, including incitement to violence against the company and its employees. The defendant had refused to take these statements down. Therefore, the company and one of its employees had filed a request for a take-down injunction and damages (primarily for loss of profit). The claimant company carried out most of its business activities in Sweden, but its office functions were performed in Estonia and it did not have foreign representatives or branches outside Estonia. The BOÜ/Ilsjan case has raised two new issues. Firstly, the issue as to whether the centre of interests criterion could operate also in respect to legal persons and, if so, how to determine it. Secondly, the question of the nature of the actions that can be brought before the competent forum: respectively, a claim for damages seeking for compensation and an injunction to have information deleted and corrected in a different Member State. Indeed, the (Estonian) referring court intended to know whether it had jurisdiction to grant an order requiring rectification of the incorrect

impact in a particular territory. One example might be an online newspaper in which the news sections are divided by State. The publication of information under the heading ‘Germany’ will be an indication that news made available in that section has a particularly significant impact in that country. The keywords supplied to search engines to identify the media outlet’s site are also capable of providing clues as to the place in which the information is objectively relevant. Finally, and without intending this to be an exhaustive list, the website access log, despite its lack of reliability, may be a purely illustrative source for the purposes of confirming whether or not certain information has had an impact in a particular territory.” 41  See Reymond (2011); Feraci (2012), p. 467; Bollée and Haftel (2012), p. 1285. The same objection had been raised with regard to the interpretation of another ground of jurisdiction of Brussels I Regulation relevant with regard to contractual liability arising out online consumer contracts. See Bogdan (2010), p. 565. 42  C-194/16 Bolagsupplysningen OÜ, Ingrid Ilsjan v Svensk Handel AB (BOÜ/Ilsjan) [2017] ECLI:EU:C:2017:766. See on it the critical remarks of Bach (2017).

290

O. Feraci

information and deletion of the comments, and also whether it could award damages for all the injury suffered by the plaintiff. Closely adhering to the eDate doctrine, the CJEU clarified that both legal and natural persons can benefit from the special jurisdiction rule of Article 7(2) as to online defamation, allowing them to sue the alleged responsible before the court of their centre of interests. As regards legal persons pursuing an economic activity, the Court stressed that: centre of interests of such a person must reflect the place where its commercial reputation is most firmly established and must, therefore, be determined by reference to the place where it carries out the main part of its economic activities.43

Now, the centre of interests of a legal person may coincide with the place of its registered office when it carries out all or the main part of its activities in the Member State in which that office is situated; its reputation there will consequently be greater than in other Member States. That said, the location of the office is not, in and of itself, a conclusive criterion for the purposes of such an analysis. Thus, when the relevant legal person carries out the main part of its activities in a Member State other than the one in which its registered office is located, as in the case decided by the Court, the latter requires to assume that the commercial reputation of that legal person, which is liable to be affected by the publication at issue, is greater in that Member State than in any other and that, consequently, any injury to that reputation would be felt most keenly there.44 Concerning the second issue, the Court clarified that a person who alleges that his personality rights have been infringed by the publication of incorrect information on the Internet and by the failure to remove comments relating to him cannot bring an action for rectification of that information and removal of those comments before the courts of each Member State in which the information published on the Internet is or was accessible.45 Although, under the mosaic approach, a claimant could sue for defamation in each Member State where there was publication and damage to reputation, “however, in the light of the ubiquitous nature of the information and content placed online on a website and the fact that the scope of their distribution is, in principle, universal … an application for the rectification of the former and the removal of the latter is a single and indivisible application and can, consequently, only be made before a court with jurisdiction to rule on the entirety of an application for compensation for damage … and not before a court that does not have jurisdiction to do so”.46 Consequently, an application to rectify incorrect information and to have content taken down was a single and indivisible application and could only be made in the jurisdiction where the court was able to rule on the entire claim for damages (centre of interests of the victim). The need to preclude the States of accessibility from  BOÜ/Ilsjan, para. 41.  Ibid., paras. 41–43. 45  Ibid., paras. 45–49. 46  Ibid., para. 48. 43 44

Digital Rights and Jurisdiction: The European Approach to Online Defamation…

291

exercising the power to issue injunctions for only small portions of the overall damage had led the AG Bobek in its Opinion on the case to suggest a reduction of the eligible fora under Article 7(2).47 In particular, he considered that a claimant should be able to bring an action only in one place, that being either the defendant’s domicile (under Article 4(1) of Brussels I-bis) or the place where the claimant had its centre of interests. Both fora would confer upon the competent court full jurisdiction to adjudicate on the totality of the damages claimed along with the power to take all remedies available under the respective national laws, including the issue of a possible injunction if so requested.

2.4  T  he “Locus Delicti” vis-à-vis Online IPRs Infringements: The Wintergeister Case on Trademark The case law just discussed above shows that the place where the alleged damage occurred under Article 7(2) of Brussels I-bis Regulation varies in accordance with the nature of the right allegedly infringed. In the context of IPRs, which are marked by ubiquity, this trend is confirmed, and even made more complicated. Indeed, the constant increase of data uploading and sharing (such as posting and streaming) on the Internet (on websites, blogs, peer-to-peer networks and social networking sites) by content-providers and users has multiplied the cases of IPRs infringements (which include patents, industrial design rights, copyright, trademarks and similar exclusive) at the global level. The phenomenon is multifaceted, due to the nature of the rights involved and the potential ways of their violation, and is particularly remarkable with regard to copyright. The rights granted by (national, international and European Union) law to an author (composer, playwright, publisher, or distributor) to exclusive publication, production, sale, or distribution of a literary or artistic work are daily exposed to the risk of infringements, by simply hosting, distributing or downloading a copyrighted work on a web-site without the consent of the copyright owner. The CJEU dealt for the first time with the interplay between Internet and the jurisdiction over IPRs’ infringements in Wintersteiger ruling,48 where it adapted the Mines de Potasse’s principle in regards to an online infringement of a national trademark. However, in assessing the compatibility of the forum delicti commissi with IPRs infringements committed via Internet, the CJEU did not rely on the eDate’s jurisdictional criteria; rather, it formulated a brand-new solution by combining the theory of ubiquity of Mines de Potasse d’Alsace with the territoriality principle typical of IPRs.

 Opinion of Advocate General Bobek delivered on 13 July 2017  in the case C-194/16 Bolagsupplysningen OÜ Ingrid Ilsjan v. Svensk Handel AB, ECLI:EU:C:2017:554, para. 97. 48  C-523/10 Wintersteiger CJEU [2012] EU:C:2012:220. See on the judgment the comments of Birgit (2012) and Azzi (2012a, b). 47

292

O. Feraci

The dispute concerned the claim of an Austrian company brought against a German enterprise in order to prevent the defendant from using the trademark “Wintersteiger”, which had been registered in Austria, as a keyword on the website of a paid referencing service provider. In particular, the alleged infringement was deriving from the use, by an advertiser, of a keyword that was identical to the Austrian trademark on the website of an Internet search engine operating under a top-level domain (“.de”) other than the one of the Member State (Austria) where the trademark was registered. On that occasion, the Court held that the locus delicti had to be interpreted as meaning that an action relating to the online infringement of a national trademark registered in a Member State may be brought (1) either before the courts of the Member State’s registration (locus damni) or (2) before the courts of the Member State of the place of establishment of the advertiser (locus actionis). The characterization of the State of registration as the locus delicti is reasonable since trademarks need to be registered in a place in order to obtain protection. The courts of the State of registration (Austria) were, therefore, the best placed to assess whether a situation such that at stake actually infringed the protected national trademark,49 in line with the objectives pursued by the provision. It is for that reason that the CJEU conferred on those courts the power to compensate not only the damage occurred in the forum, as stressed in the eDate judgment, but all damage allegedly caused to the owner of the protected right and, moreover, the power to hear an application seeking cessation of all infringements of that right. However, it is to be noted that the above reasoning only applies to national trademarks violations. In fact, in the event of an online infringement of a Community trademark, which has a unitary character and produces equal effect throughout the European Union, Articles 94-108 of Regulation No 207/2009 (Trademark Regulation) shall apply.50 The application of the Wintersteiger principle entails some inconveniences when the infringement concerns a trademark protected in several countries. In fact, every Member State where the IPR gets protection would have jurisdiction to hear the action for damages, but it is unclear whether a single action would be sufficient for compensating the overall damage occurred. In fact, it seems more realistic that every Member State’s court should be competent only to assess over the damage caused in its own jurisdiction. Further remarks arise in relation to the alternative forum as indicated by the Court, i.e. the locus actionis. In Wintersteiger the CJEU localized the “place where  See, in that sense: joined cases C-236/08 to C-238/08 Google France and Google [2010] ECLI:EU:C:2010:159 and C-324/09 L’Oréal and Others [2011] ECLI:EU:C:2011:474. 50  Council Regulation (EC) No. 207/2009 of 26 February 2009 on the Community trademark (EC), OJ L 78, 24.3.2009, which has amended and consolidated the Council Regulation (EC) No. 40/94 of 20 December 1993, OJ L 11, 14.1.1994, p. 1. According to Articles 95 and 96 of the Trademark Regulation, within each Member State the most important proceedings concerning Community trademarks are assigned to a limited number of its courts, designated as Community trademark courts (CTM courts). The allocation of international jurisdiction between the CTM courts of the Member State is governed by Articles 97 and 98 of the Trademark Regulation. 49

Digital Rights and Jurisdiction: The European Approach to Online Defamation…

293

the event giving rise to the damage occurred” in the Member State of the place of establishment of the advertiser on the ground that such place lied in the actions of the advertiser using the referencing service for its own commercial communications. As the Court had already asserted in the context of EU substantial law on trademarks,51 it is the advertiser choosing a keyword identical to the trademark who uses it in the course of a trade, rather than the provider of the referencing service.52 Therefore, in the case of an alleged infringement such as that relevant in Wintersteiger, it was the activation by the advertiser of the technical process displaying the advertisement, according to pre-defined parameters, which had to be considered as the event giving rise to an alleged infringement and not the mere display of the advertisement itself. That solution seems satisfactory, because the place of the server’s establishment is often uncertain, its location possibly being fortuitous and entirely disconnected from the tort. Moreover, it should not be disregarded that the place of establishment of the advertiser would have the advantage of easing the taking of evidence in relation to an event such the one at stake. The Wintersteiger judgment also departed from the eDate reasoning by rejecting the criterion of the centre of interests of the alleged victim. The Court clearly pointed out that the reasons of that choice rely on the intrinsic nature of IPRs, which significantly differs from that of personality rights.53 In particular, while the latter are protected in all Member States, the protection afforded by the registration of a national trademark is, in principle, limited to the Member State’s territory in which it is registered, so that, in general, its right-holder cannot invoke that protection outside that territory. Moreover, the immaterial goods safeguarded by IPRs can be perceived independently and detached from the person of the right-holder, unlike the person’s reputation. 2.4.1  T  he “Locus Delicti” vis-à-vis Online Copyright Infringements: The Pinckney Ruling The solution of Wintersteiger judgment was strictly related to registered IPRs (i.e. patents, trademarks, industrial designs, utility models, and plant variety protection). Conversely, such an approach could not be automatically transferred to online infringements of unregistered rights, like copyright, since they do not require any registration or formalities to carry out. In the Pinckney judgment54 the CJEU addressed, for the first time, the issue of localization of locus delicti in the event of an online infringement of copyright resulting from the online offer of a material support reproducing a protected work.  First Council Directive 89/104/EEC of 21 December 1988 to approximate the laws of the Member States relating to trademarks, OJ, L 40/1. 52  Joined cases C-236/08 to C-238/08 Google France and Google [2010] ECLI:EU:C:2010:159 para. 52 and para. 58. 53  Wintersteiger, paras. 24 and 25. 54  C-170/12 Pinckney [2013], EU:C:2013:635. 51

294

O. Feraci

In particular, the dispute concerned the delimitation of the national jurisdiction in relation to a case where some songs had been reproduced on a Compact Disc (CD) without the author’s consent. The CDs had been pressed in Austria, by an Austrian company, and were subsequently marketed by two United Kingdom companies through various Internet sites, which were accessible, inter alia, from the copyright-­ holder’s (Mr. Pinckney) residence in Toulouse. The CJEU, shifting from the above-mentioned case law over online torts, elaborated a new approach, partially merging eDate and Wintersteiger criteria.55 On the one hand, the Court connected the place of locus delicti to the accessibility of the website whose contents infringed copyright. On the other hand, it applied the principle of territoriality, requiring that the latter courts should be those of the State of copyright’s protection. Accordingly, the CJEU concluded that the courts of the Member State (1) where the copyright was protected and (2) within whose jurisdiction the Internet site was accessible were competent to hear the action for compensation brought by the copyright-­holder. However, the latter court had jurisdiction only to determine the damage caused in the forum, since the protection granted by that Member State is applicable only in that jurisdiction.56 In the Court’s view: If that court also had jurisdiction to adjudicate on the damage caused in other Member States, it would substitute itself for the courts of those States even though, in principle, in the light of Article 5(3) of the Regulation and the principle of territoriality, the latter have jurisdiction to determine, first, the damage caused in their respective Member States and are best placed to ascertain whether the copyrights protected by the Member State concerned have been infringed and, second, to determine the nature of the harm caused.57

This reasoning seems to collide with that developed in Wintersteiger in relation to the competence for the damage compensation attributed to the Member State of registration. Moreover, it does not appear convenient in order to satisfy the interests of the injured person. Nevertheless, in the light of the principle of territoriality to which copyright is subject, the CJEU argued that those courts were the best placed to determine whether the alleged infringement was well founded, in accordance to the rationale of Article 5(3) of Brussels I Regulation. It remained questionable whether the CJEU would have come to the same conclusion when the alleged copyright infringement resulted from the online placing of dematerialized content (i.e., by up-loading the songs directly on a web-site), and not, as the case at issue, from the online sale of a material support reproducing that content (i.e., online sale of CDs). The Court did not pay attention to this feature, which, by contrast, the referring court had highlighted in one of its preliminary questions. The latter only noted, within its admissibility assessment, that: it is common ground that the referring court is dealing with an allegation of copyright infringement resulting from the online offer of a material support reproducing a protected

 See Grünberger (2015).  Pinckney, para. 45. 57  Ibid., para. 46. 55 56

Digital Rights and Jurisdiction: The European Approach to Online Defamation…

295

work and that the issue as to whether the French courts have jurisdiction to hear that allegation is the very subject-matter of the dispute in the main proceedings.58

Apparently, the Court also refrained from assessing whether, in the event of an online copyright infringement, the alleged victim may sue the responsible person before the court of the “event giving rising to the damage” (locus actionis). The Court limited itself to pronouncing on the localization of the “place where the damage occurred” (locus damni), being, probably, the latter the place most difficult to identify. Personally, I do not deem that, in so doing, the Court intended to abandon the Shevill doctrine. I would rather justify the omission in the light of the situation at stake and of the preliminary questions referred to the CJEU. However, it is uncertain in which place the locus actionis should be located in the event of the online copyright infringement suffered by Mr. Pinckney and it is questionable whether it should coincide with the State of songs’ reproduction (Austria) or/and with the State where the CDs had been placed online for sale (United Kingdom). In any event, it is remarkable that the Court (implicitly) rejected the mere accessibility criterion invoked by Mr. Pinckney to justify the French jurisdiction, in line with the eDate doctrine. Such connecting factor, according to which the potential harm should arise in all places where the website can be accessed, would lead, in fact, to a dangerous multiplication of competent courts. The mere circumstance that a person, regardless of his/her location within the EU, accesses a web page on the Internet, and may thus determine the jurisdiction for an IP right’s infringement action, would considerably encourage forum shopping, in contrast with the CJEU’s case law, which has consistently attempted to prevent that risk in interpreting the Brussels regime.59 Such hurdles may not be easily overcome neither considering, as suggested by some authors,60 that the national court of accessibility will be able to award only the damages occurred in the territory of that particular State. However, it is apparent that in Pinckney the principle of territoriality served to neutralize the universal vocation of the accessibility criterion. In fact, even though copyright is an unregistered IPR, it is firmly based on territoriality.61 This means that the national rules govern copyright within the territory of a given Member State. It also means that, currently, absent an EU copyright, the same work is protected by different laws in each Member State, with the effect that a conduct may infringe a certain Member State’s law, but not that of another Member State. Although the EU law has harmonized the matter, such harmonization is not complete yet: national approaches on the matter still significantly differ. Many areas, most notably moral rights, limitations and exceptions including private copying, certain related rights as well as copyright contract law, are not harmonized yet. Moreover, as regards the

 Ibid., para. 20.  See also in that sense the opinion of Advocate General Jääskinen, delivered on 13 June 2013 in Pinckney case cit., para. 68. For a criticism of such connection: Lopez Tarruella (2012), p. 329. 60  In that sense: Rosati (2014a, b), p. 19. 61  Neumann (2011), p. 583. 58 59

296

O. Feraci

subject matters that have been regulated by several EU copyrights Directives,62 national laws may differ from each other, either because Member States enjoy a discretionary power with regard to the implementation of EU Directives (pursuant to the general rule of Article 288 TFEU), and because the statutory language implementing the Directives varies depending on each Member State’s national legislative language tradition.63 This point has been clearly highlighted in Pinckney judgment, where the Court stressed that copyright must be automatically protected in all Member States by virtue of Directive 2001/2009, so that it may be infringed in each country in accordance with the applicable substantive law.64 It is worth noting that the CJEU did not follow the solution suggested by Advocate-General Jääskinen. The latter, by applying the Shevill doctrine, had proposed to offer the alleged injured person the chance of bringing proceedings either before the courts of the place of establishment of the persons who sold the compact discs (CDs) online or placed the content online, i.e. the UK courts, in order to seek compensation for all damages suffered (locus actionis), or before the courts of the Member State at which the website in question aims its activity, in order to seek compensation for the damage suffered in that territory (locus damni).65 Remarkably, the reasoning of the AG moved from the assumption that the infringement in question might be considered as a lost profit from the unauthorized broadcast of the songs. Consequently, it seemed to be appropriate to confer jurisdiction (although limited to the damage arisen in that territory) on the courts of the State to which the Internet site was directed.66 The State of destination could be identified by considering the language used on the website involved (e.g. an online music streaming website with a Swedish interface, although accessible in various countries, will mainly attract Swedish users). The “target-direction” approach, which substantially results from the French “theory of focalization”,67 seems remarkable with regard to online copyright  Directive 2009/24/EC of the European Parliament and of the Council of 23 April 2009 on the legal protection of computer programs, OJ L/16 (“Computer Programs Directive”); Directive 2006/115/EC of the European Parliament and of the Council of 12 December 2006 on rental right and lending right and on certain rights related to copyright in the field of intellectual property, OJ L 376/28 (“Rental and Lending Right Directive”); Council Directive 93/83/EEC of 27 September 1993 on the coordination of certain rules concerning copyright and rights related to copyright applicable to satellite broadcasting and cable retransmission, OJ L 248/15 (“Satellite and Cable Directive”); Directive 2006/116/EC of the European Parliament and of the Council of 12 December 2006 on the term of protection of copyright and certain related rights, OJ L 372/12 (“Term Directive”) as amended by Directive 2011/77/EU; Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, OJ L 77/20 (“Database Directive”); Directive 2001/29/EC (“Information Society (InfoSoc) Directive”); Directive 2001/84/ EC of the European Parliament and of the Council of 27 September 2001 on the resale right for the benefit of the author of an original work of art, OJ L 272/32 (“Resale Right Directive”). 63  See Kur and Dreier (2013), p. 245 ff.; Rosati (2013). 64  Pinckney cit., para. 39. 65  Opinion of Advocate General Jääskinen in Pinckney cit., para. 73. 66  Ibid., paras. 64–66. 67  See Cachard (2010), p. 19. 62

Digital Rights and Jurisdiction: The European Approach to Online Defamation…

297

i­ nfringements.68 However, sometimes, it may be difficult to establish whether a certain content provider had the intention of targeting the public of a particular Member State. Establishing the “target intention” implies, therefore, a flexible approach that allows for a discretionary assessment by the national courts involved. Indeed, the CJEU had already adopted this solution, notably in relation to Internet conducts giving rise to contractual liability based on consumer contracts, with respect to the interpretation of a ground of jurisdiction’s requirement set out in Article 15(1)(c) of Brussels I Regulation (now Article 17(1)(c) of the Brussels I-bis Regulation).69 In fact, in the joint cases Pammer and Hotel Alpenhof 70 the CJEU addressed the question whether the consulting of a website in the Member State of the consumer’s domicile was a sufficient element to justify a finding that commercial or professional activities were being directed to that Member State within the meaning of the said provision. On that occasion, the CJEU reached the conclusion that, in order to determine whether a trader could be considered to be “directing” its activity to the Member State of the consumer’s domicile, one should ascertain whether it was apparent from those websites and the overall activity that the latter was intentioned to conclude a contract with consumers domiciled in one or more Member States.71 The Court also cited a number of non-exhaustive items of evidence that might be relevant in determining the intention of the trader to direct its activities to a certain Member State.72 However, in Pinckney the Court rejected the “target direction” method held in Pammer, on the mere basis of the wording of Article 5(3) of Regulation (EC) No. 44/2001, which does not require that the activity concerned must be “directed to” the Member State in which the forum is located.73

 In favour to the extension of the “target direction” approach to the interpretation of Article 5(3) of Brussels I Regulation as to online torts, see Marino (2012), p. 890. 69  Article 15 (1) of the Brussels I Regulation states: “1. In matters relating to a contract concluded by a person, the consumer, for a purpose which can be regarded as being outside his trade or profession, jurisdiction shall be determined by this Section, without prejudice to Article 4 and point 5 of Article 5, if: … (c) in all other cases, the contract has been concluded with a person who pursues commercial or professional activities in the Member State of the consumer’s domicile or, by any means, directs such activities to that Member State or to several States including that Member State, and the contract falls within the scope of such activities”. 70   Joined cases C-585/08 and C-144/09CJEU, Pammer and Hotel Alpenhof [2010] ECLI:EU:C:2010:740. 71  Ibid., para. 95. 72  Ibid., para. 95. However, some factors mentioned by the Court have appeared problematic: see Bogdan (2010), p. 567. 73  Pinckney cit., para. 42. 68

298

O. Feraci

2.4.2  The Hejduk Case By enhancing the trend of specialization within the special jurisdiction of Article 7(2) of Brussels I-bis the CJEU has subsequently confirmed the application of the accessibility criterion as a general ground of jurisdiction for online copyright infringements. In particular, an absolute version of accessibility74 emerges in the 2015 Hejduk ruling.75 The case concerned the posting online of copyright images without the consent of the copyright’s owner. The facts of the case differed from the ones in Pinckney, not dealing with a sale of copyrighted work on the Internet, but with the mere divulgation of a protected work (professional photos) on the Internet, giving rise thus to “dematerialized damage”, whose territorial location cannot be objectively determined. Following the interpretation provided in Pinckney, including the exclusion of any relevance of the targeting approach in determining the place of damage, the CJEU concluded that the Member State’s court in whose jurisdiction an allegedly infringing copyright work is merely accessible on a website does have jurisdiction to hear the relating infringement action.76 Nevertheless, that court shall have jurisdiction solely to rule on the damage caused in the jurisdiction of the Member State of the forum.77 It is not to stigmatize that in Hejduk the CJEU has rejected the proposal advanced by AG Cruz Villalón to determining the jurisdiction only on the ground of the “place giving rise to the harmful event” (locus actionis),78 not being possible to ascertain where a dematerialized damage occur on the Internet. The Advocate General did not clarify, however, where such a place was, although it appeared to be that of the up-­ loader’s establishment, which usually may coincide with its own domicile. Moreover, the Advocate General did not exclude that, in the event of a communication to the public clearly and undoubtedly directed towards Member State/s other than that of access to the website, “it should be necessary to modulate or integrate the proposed criterion”.79 Such conclusion may be applied, a fortiori, to the accessibility principle, in general. It is questionable, in fact, whether the Hejduk doctrine may be automatically applied to any unauthorised online postings of all kinds of copyright works and to any other copyright infringements committed by the Internet, with the effect that new criteria might be formulated in the future. In any case, in my view, the mere accessibility criterion appears unsatisfactory for several reasons. First of all, it is inconsistent with the specific objectives of Article 7(2) of the Brussels I-bis Regulation and deviates from the rationale of locus  For critical remarks on the excessive version of accessibility criterion see Kohl (2017), pp. 38–49.  C-441/13 Hejduk [2015] ECLI:EU:C:2015:28. 76  Ibid., para. 34. 77  Ibid., para. 38. 78  Opinion of Advocate General Cruz Villalón rendered on 11 September 2014  in Hejduk case, para. 45. 79  Ibid., para. 46. 74 75

Digital Rights and Jurisdiction: The European Approach to Online Defamation…

299

commissi delicti. Secondly, the accessibility principle produces disadvantages for both parties to the dispute. On the one side, it prevents the alleged responsible from forecasting before which court he/she could be sued, in contrast with the general purpose of Brussels I-bis jurisdictional regime, which is aimed to provide highly predictable rules of jurisdiction.80 On the other side, such criterion, being totally un-conditioned, may potentially be prejudicial to the right-holder, since the competent court’s jurisdiction is restricted to the damage arising in the forum and the protected work is merely accessible by its territorial jurisdiction.81 According to some authors, a satisfactory solution for online copyright infringement claims would be to seize the court of the Member State where the public is targeted and where the exploitation of the work can be established, thus allowing the right-holder to claim compensation for the most part of the alleged damage.82 However, as already pointed out, it may not be easy to determine the targeting of online activities. On the other hand, since a user may potentially accede a website from everywhere, the mere fact that a website was accessed in a certain jurisdiction does not imply that the latter is the State of destination.83 In such a case, in my view, it would be appropriate to identify, on a subsidiary basis, an additional criterion based on the “centre of gravity of damage” by looking at all relevant circumstances of the case.

3  C  onclusive Remarks: The Need for a European “Less is More” Normative Approach The EU legislative approach on the assertion of jurisdiction in respect of the most common forms of online torts (i.e. cross-border defamation and IPRs infringements) has experienced a remarkable development in the latest years, thanks to a prolific activism of the CJEU. This case law basically aims at adequating the ordinary rules on jurisdiction (which have been clearly devised for offline torts) provided for by “Brussels I-bis regime” to the new challenges posed by the cyberspace. This trend is underpinned by the general belief that the judicial application of the existing uniform grounds of jurisdiction allows them to evolve gradually and to adapt to the constantly new developments of Internet technology. However such a process inevitably reflects the natural limitations of any strictly case-by-case approach along with the unsuitability of the traditional location-centric rules when compared with the borderlessness and geographic independence of cyberspace. The European approach on the matter, which stems from the CJEU’s trend to temper (and to further specialize) the rule of locus commissi delicti set out in Article  See recital 15 of the Brussels I-bis Regulation and recital 11 of the Brussels I Regulation.  Depreeuw and Hubin (2014), p. 764. 82  Ibid. 83  Pammer cit., para. 94. 80 81

300

O. Feraci

7(2) of Brussels I-bis Regulation appears largely unsatisfactory. Indeed, this process clearly entails two negative implications: the unreasonable (and unconvenient) fragmentation of jurisdiction (along with the territorially-limited judicial powers of the forum as to assessing compensation), on the one hand, and the unpredictability of the outcome of litigation, on the other. In particular, with regard to online defamation, the eDate and BOÜ/Ilsjan rulings show the obsolescence of the “mosaic principle” as established by the Shevill case and rather call for concentrating jurisdiction in favour of the court of the Member State where the centre of interests of the victim is located. Similarly, as to online copyright infringements, the Pinckney and Hejduk judgments clarify that the accessibility criterion entails serious disadvantages if applied as a general and un-conditioned ground of jurisdiction in this field, both for the plaintiff (in terms of expensive and time-consuming legal proceedings) and for the defendant (in terms of unpredictability and legal costs). Accordingly, I deem appropriate for the European legislator to design a more coherent and comprehensive normative approach on Internet torts with a view of leading to a rational and fair allocation of jurisdiction in the EU. A new model of governance on the matter, i.e. a special regime of jurisdiction rules for online torts should be shaped under a brand-new “less is more” normative approach, for the purpose to reduce the range of eligible fora, in light of a well-balanced system of assessment of the various interests involved. The new rules should be devised under two different modalities. In the first place, they should result from a process of simplification-minimalism, i.e. a “less is more” approach through the drafting of a transparent and comprehensive set of brand-new rules of jurisdiction, conducive to one single eligible forum (both alternative to the general defendant’s domicile of Article 4 of Brussels I-bis and subsidiary to the choice-of-court agreement of Articles 25 and 26 of the latter). Such legislative development should revise the Brussels I-bis Regulation, by inserting new special provisions for online infringements inspired by an hybrid ground of jurisdiction, notably the locus delicti as declined in the light of the closest connection principle: the centre of gravity of damage. This would neutralize the non-geographical nature of the Internet while maintaining the traditional location-centric method of PIL. Moreover, it would be consistent with the reasonable expectations of both parties. Finally, the proposed connecting factor, in establishing a real close connection between the infringement at stake and the territory of a certain Member State, would identify the best placed court to assess and compensate the entire damage occurred. The new jurisdiction rules should also be neutrally-oriented as to the material interests involved, by balancing the conflicting interests at stake and preserving predictability for either party to the dispute. In the second place, the proposed normative approach should be inspired by specialization, i.e. by specifying for each sub-category of online tort one single forum by the application of different connecting factors, all useful to determine the centre of gravity of damage (e.g. centre of interests of the victim of defamation; the targeted State as to IPRs infringements). The rationale underlying a “less is more approach” would be threefold. The first reason is intrinsic to the peculiarities of the Internet, on the one hand, and to the

Digital Rights and Jurisdiction: The European Approach to Online Defamation…

301

purposes of the special rule on jurisdiction of Brussels I-bis, on the other. Indeed, the current mosaic system as created by the CJEU, in the attempt of adapting the forum commissi delicti of Article 7(2) of Brussels I-bis to the peculiarities of online infringements, deviates from the general purposes of legal certainty and foreseeability, as pursued by the Regulation. Moreover, it collides with the specific objective of Article 7(2), namely the proximity between the dispute and the forum along with the sound administration of justice. By contrast, over the years the CJEU has always insisted on the idea that, in determining the locus delicti within the Brussels regime, proximity and predictability must represent a permanent concern. The second reason is instrumental to the effective protection of the rights involved, since it allows for concentration of claims and compensation of the harm suffered as a whole. Finally, this approach would satisfy the needs for procedural proximity and efficiency. Indeed, linking jurisdiction to a truly substantial element of the relationship in dispute, like the centre of gravity of damage, would represent a means to ensure that litigation takes place where the taking of evidence is easier, and—more generally—where proceedings are likely to be efficiently managed. A “less is more” approach would be also coherent with the purpose of Brussels I-bis regime as to avoid lis pendens on the ground of procedural economy. Indeed, the opposite approach (i.e. mosaic theory and accessibility criterion) is likely to lead not only to jurisdiction being exercised on insubstantial connections but also to a high incidence of parallel and related proceedings. By preventing the delivery of irreconcilable decisions, the minimalist approach could ultimately facilitate the recognition and enforcement of judgments within the European judicial area. Therefore, de jure condendo, as far as personality rights are concerned, it would be appropriate to abandon the territorially-limited Shevill-type “mosaic” jurisdiction (which has little meaning with regard to content made accessible on the Internet when a situation of multiple infringements occurs in different Member States). On the contrary, in line with the Mines de Potasse doctrine, the place of damage should serve as a general forum (competent to assess all damage suffered by a libel’s victim) coinciding with the centre of interests of the person involved. Such place should be differently declined with regard to natural persons and to legal persons, in accordance with the criteria established by the eDate and the BOÜ/Ilsjan cases. Conversely, the place of acting would exceptionally remain absorbed by the general rule of the defendant’s domicile set out in Article 4 of Brussels I-bis (i.e. the country of the publisher’s establishment). The preference towards the forum actoris would balance the competing interests of the parties involved, thus reaching predictability. Moreover, it would be justified under the consideration that a victim of an online defamation essentially amounts to an atypical “weaker party”, given the particularly broad offensive capacity of such type of tort. Therefore, the need to protect the victim, along with that to prevent the alleged wrongdoer from being subject to a disproportionate “universal” jurisdiction, manifestly collides with the current multiplication of fora as between all Member States and the related fragmentation of judicial powers for damages’ compensation.

302

O. Feraci

Conversely, in the case of online copyright infringements, the absolute version of the accessibility criterion should be avoided and substituted by a more moderate targeting approach solution (State of destination). The special rule should be based on the territoriality principle as mitigated by the targeting approach, which would represent a more suitable option to prevent the territorial fragmentation of Internet disputes and to drastically reduce forum shopping and costs. Only when the State of destination could not be clearly detected, it would be appropriate, on a subsidiary basis, to identify the centre of gravity of damage by looking at all relevant circumstances of the case. However, even in this case the plaintiff would remain entitled to base jurisdiction on the general grounds in line with the jurisdictional scheme of Brussels I-bis.

References Azzi, Tristan. 2012a. Contrefaçon de marque sur Internet: interprétation de l’article 5§3 du règlement Bruxelles I. Recueil Le Dalloz: 1926–1929. ———. 2012b. Tribunal compétent et loi applicable en matière d’atteintes aux droits de la personnalité commises sur internet. Recueil Le Dalloz: 1279–1285. Bach, Ivo. 2017. Klage von Online-Firmen auf Schadensersatz im Schadensland. Neue juristische Wochenschrift 2: 3436 ff. Birgit, Clark. 2012. Off Piste? ECJ Decides Austrian Supreme Court’s ‘Adwords’ Jurisdiction Question in Wintersteiger. Journal of Intellectual Property Law and Practice 7: 701–703. Boele-Woelki, Katharina, and Catherine Kessedjan, eds. 1998. Internet: Which Court Decides? Quel tribunal décide?  - Which Law Applies? Quel droit s’applique? The Hague: Walters Kluwer International. Bogdan, Michael. 2010. Website Accessibility as a Basis for Jurisdiction Under Art. 5(1)(c) of the Brussels I Regulation: Case Note on the CJEU Judgments Pammer and Alpenhof. Yearbook of Private International Law XII: 565–570. Bollée, Sylvain, and Bernard Haftel. 2012. Les nouveaux (dés)équilibres de la compétence internationale en matière de cyberdélits après l’arrêt eDate Advertising et Martinez. Recueil Dalloz: 1285 ff. Cachard, Olivier. 2010. Juridiction compétente et loi applicable en matière délictuelle: retour sur la méthode de la focalisation, 16 ff. Revue Lamy Droit de l’immatériel. De Miguel Asensio, Pedro A. 2015. Derecho privado de Internet. Madrid: Civitas Thomson Reuters. Depreeuw, Saari, and Jean-Benoît Hubin. 2014. Of Availability, Targeting and Accessibility: Online Copyright Infringements and Jurisdiction in the EU. Journal of Intellectual Property Law & Practice 9: 750–764. Feraci, Ornella. 2009. La legge applicabile alla tutela dei diritti della personalità nella prospettiva comunitaria. Rivista di diritto internazionale 4: 1020–1085. ———. 2012. Diffamazione internazionale a mezzo Internet: quale foro competente? Alcune considerazioni sulla sentenza eDate. Rivista di diritto internazionale 2: 461–469. Francq, Stéphanie. 2012. Responsabilité du fournisseur d’information sur Internet: affaires eDate Advertising et Martinez. La Semaine Juridique - édition générale 1–2: 35–38. Geist, Michael. 2001. Is There a There There? Towards Greater Certainty for Internet Jurisdiction. Berkeley Technology Law Journal 16. http://aix1.uottawa.ca/~geist/geistjurisdiction-us.pdf. ———. 2017. Why Less Is More When It Comes to Internet Jurisdiction. Magazine Communications of the ACM 1: 26–28.

Digital Rights and Jurisdiction: The European Approach to Online Defamation…

303

Goldsmith, Jack L., and Tim Wu. 2006. Who Controls the Internet? Illusions of a Borderless World. Oxford: Oxford University Press. Grünberger, Michael. 2015. The Place of an Alleged Infringement of Copyright Under the Brussels I-Regulation. Praxis des Internationalen Privat-und Verfahrensrechts (IPRax) 1: 56 ff. Hörnle, Julia. 2008. The Jurisdictional Challenge of the Internet. In Law and the Internet, ed. Lilian Edwards and Charlotte Waelde, 121 ff. Oxford: Hart Publishing. ———. 2009. Cross-Border Internet Dispute Resolution. Cambridge: Cambridge University Press. Johnson, David, and David Post. 1996. Law and Borders: The Rise of Law in Cyberspace. Stanford Law Review 48: 1367 ff. Kohl, Uta. 2007. Jurisdiction and the Internet: Regulatory Competence Over Online Activity. Cambridge: Cambridge University Press. ———. 2017. Jurisdiction in Cyberspace. In Research Handbook on International Law and Cyberspace, ed. Nicholas Tsagourias and Russell Buchan, 30–54. Cheltenham: Edward Elgar Publishing. Kur, Annette, and Thomas Dreier. 2013. European Intellectual Property Law. Text, Cases & Materials. Cheltenham: Edward Elgar Publishing. Lopez Tarruella, Aurelio. 2012. The International Dimension of Google Activities: Private International Law and the Need of Legal Certainty. In Google and the Law, ed. Aurelio Lopez Tarruella, 329 ff. The Hague: Springer. Mankowski, Peter. 2012. Article 7. In Brussels I-bis Regulation, ed. Ulrich Magnus and Peter Mankowski, 271 ff. Münich: Sellier European Law Publishers. Marino, Silvia. 2012. Nuovi sviluppi in materia di illecito extracontrattuale on line. Rivista di diritto internazionale privato e processuale 4: 879–896. Mellone, Marco. 2010. La nozione di residenza abituale e la sua interpretazione nelle norme di conflitto comunitarie. Rivista di diritto internazionale privato e processuale 46: 685–716. Nagy, Csongor I. 2012. The Word Is a Dangerous Weapon: Jurisdiction, Applicable Law and Personality Rights in EU Law  – Missed and New Opportunities. Journal of Private International Law 2: 251–296. Neumann, Sophie. 2011. Intellectual Property Rights Infringements in European Private International Law: Meeting the Requirements of Territoriality and Private International Law. Journal of Private International Law 3: 583–600. Queirolo, Ilaria. 2013/2014. Choice of Court Agreements in the New Brussels I-bis Regulation: A Critical Appraisal. Yearbook of Private International Law XV: 113–142. Reymond, Michel. 2011. The ECJ eDate Decision: A Case Comment. Yearbook of Private International Law XIII: 493–506. Rosati, Eleonora. 2013. Originality in EU Copyright. Full Harmonization Through Case Law. Cheltenham: Edward Elgar Publishing. ———. 2014a. Brussels I Regulation and Online Copyright Infringement: “Intention to Target” Approach Rejected. Journal of Intellectual Property Law & Practice 1: 18 ff. ———. 2014b. Copyright in the EU: In Search of (In)flexibilities. Journal of Intellectual Property Law & Practice 7: 585 ff. Slane, Andrea. 2008. Tales, Techs, and Territories: Private International Law, Globalization, and the Legal Construction of Borderlessness on the Internet. Law and Contemporary Problems 71: 129–151. Svantesson, Dan Jerker B. 2004. Geo-location Technologies and Other Means of Placing Borders on the “Borderless” Internet. John Marshall Journal of Computer and Information Law 23: 101 ff. ———. 2012a. Private International Law and the Internet. 2nd ed. London: Wolters Kluwer. ———. 2012b. Time for the Law to Take Internet Geolocation Technologies Seriously. Journal of Private International Law 3: 473 ff.

304

O. Feraci

Themelis, Andreas. 2012. The Internet, Jurisdiction and EU Competition Law: The Concept of “Over-territoriality” in Addressing Jurisdictional Implications in the Online World. World Competition 2: 325–354. Wang, Faye Fangfei. 2008. Obstacles and Solutions to Internet Jurisdiction: A Comparative Analysis of the EU and US Laws. Journal of International Commercial Law and Technology 3: 233 ff. ———. 2010. Internet Jurisdiction and Choice of Law. Legal Practices in the EU, EU, US and China. Cambridge: Cambridge University Press. ———. 2013. Jurisdiction and Cloud Computing; Further Challenges to Internet Jurisdiction. European Business Law Review: 589–616.

Further Readings Bogdan, Michael. 2011. Defamation on the Internet, Forum Delicti and the E-Commerce Directive: Some Comments on the ECJ Judgment in the eDate Case. Yearbook of Private International Law XIII: 483–491. Christie, Andrew F. 2017. Private International Law Principles for Ubiquitous Intellectual Property Infringement - A Solution in Search of a Problem? Journal of Private International Law 13: 152–183. Gardella, Anna. 1997. Diffamazione a mezzo stampa e Convenzione di Bruxelles del 27 settembre 1968. Rivista di diritto internazionale privato e processuale 3: 657–680. González, Campos, and Diego Julio. 2000. Diversification, spécialisation, flexibilisation et matérialisation des règles de droit international privé. Recueil des cours 297: 9–426. Hill, Jonathan. 2003. The Exercise of Jurisdiction in Private International Law. In Asserting Jurisdiction. International and European Perspectives, ed. Patrick Capps, Malcolm Evans, and Stratos Konstadinidis. Oxford: Hart Publishing. Hogan, Gerard. 1995. The Brussels Convention, Forum Non Conveniens and the Connecting Factors Problem. European Law Review: 471–493. Hon, W.  Kuan, Julia Hornle, and Christopher Millard. 2012. Data Protection Jurisdiction and Cloud Computing – When Are Cloud Users and Providers Subject to EU Data Protection Law? The Cloud of Unknowing. International Review of Law, Computers and Technology 26: 129 ff. Idot, Laurence. 1995. L’application de la Convention de Bruxelles en matière de diffamation. Des precisions importantes sur l’interprétation de l’article 5.3. Europe: 1–2. Leistner, Matthias. 2014. Europe’s Copyright Law Decade: Recent Case Law of the European Court of Justice and Policy Perspectives. Common Market Law Review 51: 559 ff. Lutzi, Tobias. 2017. Internet Cases in EU Private International Law  - Developing a Coherent Approach. International and Comparative Law Quarterly 66: 687–721. Matulionyte, Rita. 2015. Enforcing Copyright Infringements Online: In Search of Balanced Private International Law Rules. Journal of Intellectual Property, Information Technology and Electronic Commerce Law 6: 132 ff. Muir Watt, Horatia. 2012. Cour de justice de l’Union européenne. (C-509/09 et C-161/10 affaires) 25 octobre 2011. Revue critique de droit international privé: 389–411. Nielsen, Peter Arnt. 2007. Brussels I and Denmark. Praxis des Internationalen Privat-und Verfahrensrechts (IPRax) 26: 506–509. Pironon, Valérie. 2011. Dits et non-dits sur la méthode de la focalisation dans les contentieux – contractuel et délictuel – du commerce électronique. Clunet: 919. Reidenberg, Joel R. 2005. Technology and Internet Jurisdiction. University of Pennsylvania Law Review 153: 1951 ff. Svantesson, Dan Jerker B. 2016. Private International Law and the Internet. Alphen aan den Rijn: Wolters Kluwer.

Enforcing the Right to Be Forgotten Beyond EU Borders Alberto Miglio

Abstract  Determining the reach of the right to be forgotten beyond EU borders requires a two-step test. First, it is necessary to verify whether the situation falls within the territorial scope of the General Data Protection Regulation. Second, where the right is enforced against a search engine, it must be established whether it needs to be implemented globally or only within the EU. Both operations raise significant interpretive issues. While rejecting the widespread claim that the connecting factors adopted in the Regulation imply a jurisdictional overreach, the chapter points to some difficulties in the implementation of the right to be forgotten, critically discussing the alternative approaches which have been proposed.

1  Introduction In discussing the scope of the “right to be forgotten” beyond EU borders, two issues need to be distinguished. The scope of this right under EU law depends on the scope of the General Data Protection Regulation (GDPR)1 where it is enshrined. Therefore, in order to assess when the right applies “beyond EU borders” it is first necessary to define the geographic scope of application of the GDPR. However, issues of geographic scope also emerge in the implementation of the “right to be forgotten”. Those arise only at a separate and later stage, once it has been determined that EU data protection law, including the provision giving data subjects a right “to be forgotten”, applies to a given situation. At this stage, assessing the geographic scope of the right beyond EU borders no longer relates to the

 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). 1

A. Miglio (*) University of Turin, Turin, Italy e-mail: [email protected] © Springer Nature Switzerland AG 2019 E. Carpanelli, N. Lazzerini (eds.), Use and Misuse of New Technologies, https://doi.org/10.1007/978-3-030-05648-3_15

305

306

A. Miglio

identification of the protective scope of the GDPR, but to the modes of implementation of obligations it places upon the data controller. The Chapter addresses each of these questions in turn, focusing on the most relevant interpretive issues they give rise to. Before that, however, a few preliminary clarifications are needed as to the content of the “right to be forgotten” in EU law.

2  The “Right to Be Forgotten” in the GDPR “Right to be forgotten” may be a fortunate label but is rather ambiguous as a legal concept. In the landmark Google Spain judgment,2 the CJEU ruled that, under the 1995 Data Protection Directive,3 Google was obliged to remove certain personal information concerning the applicant from the results displayed by its search engine. It identified the source of the obligation in the provisions of the Directive which grant the data subject a right to access (Article 10) and a right to erasure of personal data under certain conditions (Article 12). Consequently, the Court did not establish any new “right to be forgotten” in a proper sense,4 but merely empowered data subjects to enforce a right to erasure against search engine operators. Indeed, the data subject does not have a right to obtain the erasure of any personal information about herself she wishes to see removed. A right to erasure only exists insofar as collected data “appear to be inadequate, irrelevant or no longer relevant, or excessive in relation to [the] purposes [of processing] and in the light of the time that has elapsed”.5 In addition, as enforced against a search engine operator to obtain delisting of personal data, the right to erasure only affects the display of search results, not the availability of the original information on the web.6 It also affects name-based queries only, making it impossible to retrieve information based on searches for the data subject’s name, but does not prevent the search engine from showing the relevant URL in connection to queries made according to keywords other than the data subject’s name.  Case C-131/12 Google Spain, EU:C:2014:317.  Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. 4  See Lynskey (2015), p. 528; Spiecker (2015), p. 1057. 5  Google Spain cit., para. 93. 6  The litigation in the main proceedings in Google Spain is a case in point. The applicant Mr Costeja Gonzales complained about a newspaper article mentioning his name in relation to a realestate auction connected with attachment proceedings for the recovery of social security debt, accessible on the online archive of Spanish newspaper “La Vanguardia”. Eventually, he was able to obtain the removal of links to the contentious article from the list of results Google Search displayed in response to queries based on his name. This means that the article’s URL would no longer appear to users typing “Mario Costeja Gonzales” in the Google search bar. In contrast, the article is still accessible though the online archive of the Spanish newspaper. 2 3

Enforcing the Right to Be Forgotten Beyond EU Borders

307

Although the right to erasure does not empower data subjects to obtain the removal of all personal data they wish to conceal, the label was so successful that, when the EU legislature enacted a comprehensive revision of EU data protection law, it included a provision specifically regulating the “right to be forgotten” (Article 17 GDPR).7 The heading of this provision contains a reference to a “right to be forgotten” between brackets and inverted commas following the words “right to erasure”, suggesting that those expressions are synonymous. Despite including, as usual in EU legislation, a list of official definitions,8 the Regulation does not define the notion of “erasure”. Article 17(1) simply states that the data subject has the right to obtain from the controller the erasure of her personal data where the data are no longer necessary,9 where there has never been10 or there is no longer a legal ground for processing,11 or where EU law or national law otherwise require erasure.12 While the Regulation lists the conditions for the legitimate exercise of the right to erasure more analytically than the Directive did, the equation between erasure and “right to be forgotten” does not seem to have brought any major change. The Regulation, like the Directive, only allows to legitimately demand the erasure of personal data where processing has not been or is no longer lawful. Therefore, data subjects do not have an unconditional right to “be forgotten” under the Regulation any more than they had a similar right under the Directive. The right to be forgotten seems therefore a mere restatement or a specification of the right to erasure.13

3  T  he Scope of Application of the GDPR: What Is Meant by “Reach Beyond EU Borders”? Under the GDPR, the right to be forgotten is one of the many rights a data subject is entitled to. Its application “beyond EU borders” therefore depends on the geographic scope of application of the Regulation as a whole.

 See the heading of Article 17 GDPR. The original Commission proposal envisioned the right to be forgotten as a separate right. Deleted by the European Parliament in the first reading, the reference to the right to be forgotten was finally reintroduced and equated to the right to erasure. 8  Article 4 GDPR. 9  Article 17(1)(a) GDPR covers the case where “the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed”. 10  According to Article 17(1)(d), the right to erasure applies to data which have been “unlawfully processed”. 11  Article 17(1)(b) (the data subject has withdrawn her consent to the processing and the latter cannot be based on other legal grounds) and Article 17(1)(c) (the data subject has objected to processing, pending the verification whether the controller may rely on “compelling legitimate grounds for the processing” pursuant to Article 21(1) GDPR). 12  Article 17(1)(e) GDPR. 13  See Sartor (2015), p. 71. 7

308

A. Miglio

It should be noted, at the outset, that the scope of application of the Regulation does not coincide with the sum of the territories of the EU Member States. On the one hand, according to Article 355 TFEU, some portions of the territory of the Member States are exempted from the application of EU law.14 On the other hand, and more importantly, EU data protection instruments also apply to EEA States (Iceland, Liechtenstein and Norway). Yet, the decisive question is neither which States are bound by EU data protection law, nor which portions of their territory are excluded from its application, but when EU data protection law applies to data controllers and data processors established in third countries. Determining the territorial scope of application of the Regulation is therefore crucial for businesses established in third countries, which need to bring their activity concerning data processing in line with the EU rules on data protection if they intend to operate on the European market. The answer to this question depends on the connecting factors employed in the Regulation.

3.1  T  he Main Connecting Factor Triggering the Applicability of the GDPR: Establishment of the Controller or Processor in the Union Unlike many pieces of legislation on data protection, the 1995 Data Protection Directive specifically regulated its geographic scope of application. The GDPR has retained this approach, while bringing some changes to the relevant provisions. Under the Directive, the main criterion was based on the establishment of the data controller. According to Article 4(1)(a), if the controller had an establishment in the territory of a Member State, the Directive would apply provided that the processing were “carried out in the context of the activities” of such establishment. The GDPR retains the distinction. When the controller is established in the Union, Article 3(1) GDPR essentially replicates the criterion enshrined in Art. 4(1) (a) of the Directive, providing that the Regulation applies if the processing is carried out in the context of the establishment’s activities. The provision, however, contains three innovations compared to Article 4(1)(a) of the Directive. First, since the Regulation is directly applicable, the reference to the laws of the Member States was dropped. However, the Regulation still allows for some divergences between the laws of the Member States on specific issues, such as, for instance, the age for consent (Article 8(1) GDPR). Therefore, the need to establish which national law applies may still be relevant in some cases.15

 See Ziller (2007) and Kochenov (2012).  See Gömann (2017), p. 575. The Court of Justice was confronted with interpretive issues arising from the need to determine the national law applicable to the data processing in case C-230/14 Weltimmo, EU:C:2015:639 and more recently in case C-191/15 Verein für Konsumenteninformation, EU:C:2016:612. See Svantesson (2016). 14 15

Enforcing the Right to Be Forgotten Beyond EU Borders

309

Second, the new provision specifies that the Regulation applies “regardless of whether the processing takes place in the Union or not”. While this proviso represents an explicit endorsement of the Google Spain ruling, it adds little in terms of substance. Finally, the scope of application of the Regulation reflects the newly introduced distinction between “controllers” and “processors”: according to Article 3(1) GDPR, not only the controller’s establishment, but equally the processor’s establishment in the Union may be relevant to trigger the application of the Regulation. Unlike the other changes, the reference to processors in Article 3(1) GDPR is of considerable importance and gives rise to interpretive issues directly affecting the scope of application of the Regulation. Since the GDPR contains specific rules on processors, the legal consequences of the controller’s choice to engage a processor are unclear. On the one hand, it could be argued that, if the processor has an establishment in the Union but the controller does not, only the provisions applicable to processors should apply.16 On the other hand, both the wording of Article 3(1) GDPR, which does not make any distinction in this regard, and the objective of granting effective protection to the data subjects’ rights could suggest the opposite conclusion, namely that the Regulation applies to the processing in its entirety by virtue of the sole establishment of the processor. Given that the Regulation has retained the basic criterion employed in the Directive, its interpretation should not change and the case law relating to Article 4(1)(a) of the Directive should be relevant in the interpretation of Article 3(1) of the Regulation.17 Driven by the concern of ensuring effective protection of data subjects’ rights, the CJEU interpreted both the notion of “establishment” and the notion of “context of the activities” broadly.18 Concerning the notion of “establishment”, recital 19 of the Directive, which is now replicated in recital 22 of the GDPR, states that it “implies the effective and real exercise of activity through stable arrangements”. Whereas in Google Spain the Court only recalled the recital and noted that it was undisputed that Google had an establishment in Spain,19 in the subsequent Weltimmo case it added that “even a minimal” activity could qualify as “real and effective”.20 As to whether the processing is carried out “in the context” of the establishment’s activities, the Court in Google Spain found that the activities of the search engine operator were “inextricably linked” to those of the Spanish subsidiary

 See Kindt (2016), p. 737.  See Gömann (2017), p. 569. 18  See Google Spain cit., para. 53, where it held that “in the light of the objective of Directive 95/46 of ensuring effective and complete protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data, those words cannot be interpreted restrictively”. See also Weltimmo, cit., para. 25. 19  Google Spain cit., para. 49. 20  Weltimmo cit., para. 31. See Svantesson (2016), p. 212; Gömann (2017), p. 573. 16 17

310

A. Miglio

p­ romoting and selling advertising space and thereby ensuring the profitability of the search engine.21

3.2  S  ubsidiary Connecting Factors: The Offering of Goods or Services and the Monitoring of Behaviour Where the controller (or the processor) is not established in the Union, the Regulation may still apply by virtue of other connecting factors. Under the 1995 Directive, the data protection regime could still be deemed applicable if the controller “ma[de] use of equipment, automated or otherwise”, situated on the territory of a Member State, provided that the equipment were not merely used for transit purposes.22 This provision gave rise to some interpretive doubts, for instance as regards the qualification of cookies as “equipment”, as suggested by the Article 29 Working Party.23 Nevertheless, its practical relevance was negligible, since the broad interpretation of Art. 4(1)(a) meant that very limited scope was left for this residual criterion. Acknowledging that the “equipment” criterion was outdated and difficult to apply, the Regulation replaced it with a “targeting” test. Under Article 3(2) GDPR, even when they have no establishment in the Union, data controllers or processors are still bound by the Regulation if they either offer goods or services to the data subjects in the Union24 or monitor their behaviour.25 The targeting criterion is likely to have a wider scope of application than the “use of equipment” test under the Directive. In particular, according to recital 24 of the Regulation, monitoring should be interpreted as including the actual and even the potential use of profiling techniques. At the same time, however, Article 3 GDPR also leaves outside the scope of the Regulation data processing operations which are carried out for purposes other than the provision of goods or services or the monitoring of behaviour. For instance, processing carried out for research purposes by controllers or processors not established in the Union would apparently fall outside the scope of the Regulation.26

 Google Spain cit., para. 56.  Article 4(1)(c) of the Directive. 23  Article 29 Working Party, Working document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites. 24  Article 3(2)(a) GDPR. 25  Article 3(2)(b) GDPR. In this case, the Regulation applies provided that the data subject’s behaviour in question “takes place within the Union”. 26  See Kindt (2016), p. 741. 21 22

Enforcing the Right to Be Forgotten Beyond EU Borders

311

4  T  he Connecting Factors Employed by the GDPR in the Light of Public International Law Much of the scholarly debate on the geographic scope of the Regulation has focused on assessing whether the GDPR applies extraterritorially and whether its reach is consistent with the limits that public international law places on the exercise of extraterritorial jurisdiction. It is therefore useful to classify the connecting factors used in the GDPR, in order to assess to what extent they actually depart from a territorial criterion.

4.1  A  Classification of Connecting Factors Employed in the GDPR Under Article 3(1) GDPR, the presence of an establishment in the Union is needed to trigger the applicability of the Regulation. Where the controller or the processor has an establishment in the EU, the interpreter will have to assess the connection between the data processing and the establishment’s activity. By contrast, where the controller or processor has no establishment in the Union, Art. 3(1) does not trigger the application of the Regulation, which may still apply but only if the conditions under Article 3(2) are met. By requiring an establishment in  the Union, the Regulation determines its geographic scope according to a territorial criterion. The actual territorial nature of the connecting factor, however, has been contested. Some authors have noted that Art. 3(1) of the Regulation only establishes a “virtual” connection,27 since the very broad reading of the notion of “context of the activities” given by the CJEU is likely to lead to the application of EU data protection law every time the controller or the processor has an establishment in the Union.28 Along similar lines, it has been argued that an extensive interpretation of the geographic scope of application of data protection law may be rooted in the effects doctrine rather than in a territorial approach.29 Others have claimed that the Court adopted a “targeting” test in interpreting Art. 4(1)(a) of the Data Protection Directive, looking at whether the data controller was directing its activity towards the data subject’s jurisdiction,30 a view that the Weltimmo judgment of the CJEU seems to support.31 Whether or not targeting is a relevant factor in determining where the data processing is carried out in the context of the establishment’s activity, it certainly is used as a connecting factor by the new Article 3(2) of the Regulation. Both Article  See Moerel (2011), p. 29.  See Gömann (2017), p. 574. 29  See Van Alsenoy and Koekkoek (2015), p. 109; Svantesson (2014), p. 85. 30  See Kindt (2016), p. 735; Sancho-Villa (2015), p. 377. 31  Weltimmo cit., para. 41. 27 28

312

A. Miglio

3(2)(a) (offering of goods or services) and Article 3(2)(b) (behavioural monitoring) require activity directed towards the data subjects, either by offering them a commercial transaction or by tracking their online activity. Admittedly, the degree of active involvement of the controller or processor is not entirely clear. Whereas recital 23, which relates to the offering of goods or services, lists several criteria based on the CJEU’s judgment in Pammer32 and seems to require some degree of conscious targeting, the requirements are looser in regard to behavioural monitoring.33 Despite this uncertainty, and although Article 3(2) is subsidiary to Article 3(1) and only intended to apply where the establishment criterion is not met, it signals a partial shift in paradigm compared to the 1995 Data Protection Directive.34 Whereas the starting point of the test under Article 3(1) is the business structure of the data controller, the focal point of Article 3(2) is the location of the data subject. This provision clearly responds to the need of safeguarding the rights of the data subject where neither the controller nor the processor has an establishment in the Union. As such, it seems more in line with the protective principle than with a straightforward territoriality approach or with the effects doctrine.35 This aspect is new and was absent in the Directive. Whereas the latter was based solely on territorial—albeit flexible—criteria, the GDPR follows a mixed approach, combining a territorial and a protective logic.36

4.2  T  he Reach of the GDPR and International Law Limits to Extraterritoriality The requirement that territorial connections of some sort are present under both Article 3(1) and Article 3(2) may cast doubts on the widespread claim that the Regulation applies extraterritorially.37 For sure, this uncertainty is neither a novelty nor a peculiarity of data protection law. It has traditionally been difficult to assess whether a given piece of legislation applies extraterritorially, since the very notion of extraterritoriality is rather vague and its use is not consistent.38  Joined cases C-585/08 and C-144/09 Pammer [2010] ECR 2010 I-12527.  See recital 24: “In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes”. 34  See De Hert and Czerniawski (2016), p. 238. 35  Svantesson (2014), p. 71, notes a similarity with the passive personality principle. 36  See Gömann (2017), pp. 582–583. 37  For the view that the EU data protection regime applies extraterritorially see, e.g., Van Alsenoy (2017), p. 79; Kuner (2015a), p. 239; Svantesson (2014) and Moerel (2011). 38  See Ryngaert (2015), p. 7. 32 33

Enforcing the Right to Be Forgotten Beyond EU Borders

313

The rise of the Internet has further exacerbated confusion. On the one hand, the global nature of the web makes most online activities intrinsically transnational, thereby potentially justifying jurisdictional claims by multiple states. On the other hand, establishing where activities or data are physically located has often become an impossible task in a world of information spread out in the cloud,39 and has helped legitimise the quest for jurisdictional criteria beyond mere territoriality. In order to conceptualise the reach of EU data protection law “beyond EU borders”, one might want to distinguish between extraterritoriality and territorial extension.40 According to the author proposing the distinction, the notion of territorial extension could capture the phenomenon of EU law regulating conduct that takes place in third countries, but still bears a connection with the EU territory. Whereas in extraterritorial regulation jurisdiction is triggered by something other than a territorial link, territorial extension refers to the application of a measure triggered by a territorial connection but in the application of which the regulator is required, as a matter of law, to take into account conduct or circumstances abroad. Since none of the connecting factors retained in Article 3 GDPR does away with territorial links completely, the geographic scope of the Regulation could be seen as representing a case of territorial extension rather than pure extraterritoriality. Some scholars, however, have questioned the correctness of this distinction41 or have disputed its relevance in assessing the territorial application of EU data protection law, claiming that the latter represents a clear case of extraterritorial reach.42 Ultimately, the question of whether the Regulation actually applies extraterritorially is probably of little relevance. It is arguable that much of the emphasis on extraterritoriality in the current debate on the scope of EU data protection law stems from the suspicion extraterritoriality has long been associated with. Although the traditional scepticism towards extraterritorial jurisdiction, such as epitomised in Mann’s 1964 course at the Hague Academy of International Law,43 has given way to less critical assessments in recent scholarship,44 the claim that a measure has extraterritorial reach usually implies the suspicion that it could unduly interfere with the jurisdiction of other states and breach international law.45 Even assuming that Article 3 of the GDPR is intended to give EU data protection law extraterritorial reach, the criteria chosen by the legislature do not appear as such

 See Article 29 Working Party, Opinion 2/2010 on applicable law, p. 6. See also Colonna (2014), p. 208. 40  See Scott (2014a), p. 94 s. 41  See Kuner (2015a), p. 239. 42  See Brkan (2016), p. 833. 43  See Mann (1964), pp. 30, 35, 104–108. 44  See, e.g., Ryngaert (2015). 45  In the context of EU data protection law, these concerns are discussed, e.g., by Kuner (2015a), who argues for the need to articulate clear limits against the risk of overreach; see also Van Alsenoy (2017), pp. 94–95. 39

314

A. Miglio

inconsistent with public international law and the limits it imposes on the unilateral exercise of prescriptive jurisdiction, as some have argued.46 Indeed, public international law does not prohibit the exercise of extraterritorial jurisdiction, provided that it is premised on the existence of sufficient connections and subject to other flexible limits.47 The Regulation only foresees a limited expansion of the scope of EU data protection law. On the one hand, the main jurisdictional criterion is still based on a territorial connection, albeit a loose one. On the other hand, even the requirement of targeting enshrined in Article 3(2) of the GDPR does not entail an uncontrolled expansion of jurisdiction but rests on significant connecting factors.48 In addition, from a practical point of view, challenges to the reach of the Regulation based on international law arguments are unlikely to prove successful before the CJEU. Not only has the Court openly adopted an expansive interpretation of the geographic scope of EU data protection law with a view to ensuring the effectiveness of fundamental rights protection. In the face of the increasing reliance by the legislature on extraterritorial legislation,49 the CJEU has also been unwilling to set strict territorial limits to the geographic scope of EU law, relying on the principle of effectiveness to uphold its application beyond EU borders.50 This trend is discernible not only in areas, such as competition law, where extraterritoriality has longer been accepted,51 but also in different policy areas and in cases where the extraterritorial reach of EU measures has been fiercely contested. The Air Transport Association of America judgment,52 where the Court upheld the validity of a directive establishing a greenhouse gas emissions trading scheme for the aviation sector, is a case in point. While acknowledging that international law, including the customary rules on extraterritoriality and its limits,53 provides a benchmark against which to test the validity of EU secondary law, the Court took advantage of the flexibility of such limits where a more rigorous stance might have curtailed the effectiveness of EU measures.54  This claim has been brought as a defence by Google, but also some scholars point to possible inconsistencies of the reach of EU data protection law with international law limits to extraterritoriality: see, e.g., Kropf (2014), p. 507; Tene and Wolf (2013). For a more nuanced approach, see Kuner (2015a), pp. 242–243; Van Alsenoy (2017), pp. 94–95. 47  See Lowe (2006), pp. 340–341. 48  See de Hert and Czerniawski (2016), p. 238. The authors note, however, that the application of the targeting test may be less foreseeable in the case of offering of goods or services than in the case of behavioural monitoring, since it is not always easy to determine when globally acting businesses are actually “targeting” EU-based consumers (p. 239). 49  See Scott (2014b). 50  See Moreno-Lax and Costello (2014), p. 1667. 51  See Wagner-von Papp (2012). 52  Case C-366/10 Air Transport Association of America, EU:C:2011:864. 53  Ibid., para. 107. 54  Relying on the Racke judgment, the Court found that the less precise nature of customary rules compared to international agreements justified a lenient standard of review: see Air Transport Association of America cit., para. 110. 46

Enforcing the Right to Be Forgotten Beyond EU Borders

315

If customary international law is raised as a defence in proceedings relating to the determination of the geographic scope of EU data protection law, the Court should not be expected to take a different view. This conclusion does not mean, however, that comity considerations and the principle of proportionality may not affect the interpretation and the ­implementation of those rules. On the contrary, as will be shown in the following paragraphs, such concerns may play a considerable role in drawing the actual territorial boundaries of the “right to be forgotten”.

5  T  he Implementation of the “Right to Be Forgotten”: Determining the Territorial Scope of Delisting The purpose of the rules analysed thus far is to determine the geographic scope of application of the Regulation as a whole. The presence of a connecting factor used in Article 3 GDPR triggers the application of the right to erasure granted by Article 17 like any other right enshrined in the Regulation. However, the actual reach of the “right to be forgotten” also depends on its implementation. Although the material scope of the right to erasure under Article 17 GDPR is much broader, in practice the right to be forgotten for the most part equates to a “right to be delisted”55 by search engines. There is a straightforward justification for this equation: whereas in principle any processing of personal data may affect a data subject under Articles 7 and 8 of the EU Charter of Fundamental Rights, it is chiefly the ability by anyone to retrieve the data by a simple name-based web search that adversely impacts on the data subject’s rights. It is therefore not surprising that the application of the right to be forgotten has so far been essentially limited to forcing search engine providers (in particular, Google and, to a lesser extent, Bing) to delist personal data from search results they display. The actual geographic scope of delisting, however, may vary.

5.1  O  verview of the Alternatives: Local Implementation, Global Implementation and Geographic Filtering Once it has been established that a request for delisting of personal data should be granted, there are three possible ways for a search engine operator to implement it. The first option consists of applying the delisting only to single national domains of the search engine website: this may correspond to the Member State concerned or to all EU Member States. In the case of Google, if a request for delisting is made, say, from Belgium, this means that Google would delist the data for google.be and 55

 See Peguera (2016), p. 512; Van Alsenoy and Koekkoek (2015).

316

A. Miglio

possibly also for other EU domains such as google.fr, google.de, google.it etc. By contrast, users would still be able to access the original information by typing the same query on google.com or any non-European country domain of the Google search engine. Not surprisingly, this has been the solution preferred and originally implemented by Google when dealing with delisting requests in the aftermath of the Google Spain ruling. It has also been endorsed by the Advisory Council to Google on the Right to be Forgotten.56 In order to justify its choice, Google provided statistical data showing that more than 95% of all queries originating in Europe are made through local versions of the search engine and that very few EU-based users resort to google.com for their searches. The problem with those data, however, is that they are aggregated data relating to all Google searches, not only name-based queries. Users may very well be more likely to switch to google.com for personal name searches than for other queries. In any event, even if name-based searches showed the same statistical pattern, limiting de-referencing to some national domains of the search engine would be open to easy circumvention.57 Most Internet users are aware that it suffices a click at the bottom of the page to switch from, say, google.be to google.com. In addition, when a request for delisting has been granted a notice at the bottom of the page informs users that “some results may have been removed under data protection law in Europe”, possibly prompting curious surfers to look for the missing information on other versions of the search engine. In the light of these circumstances, delisting search results only on some national domain(s) of Google Search without any additional measure can hardly be considered an adequate safeguard for the right to data protection. Alternatively to domain-based de-referencing, the search engine operator could be required to de-index search results globally, removing the relevant personal data from all versions of its engine and making them effectively impossible to access from anywhere in the world. Proponents of this approach include notably the French data protection authority (CNIL) and the Article 29 Working Party. They argue that global delisting is necessary to ensure effective protection of the data subject’s right to privacy. In its 2014 Guidelines on the implementation of the Google Spain judgment, the Article 29 Working Party emphasised that limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains does not satisfactorily guarantee the rights of data subjects and therefore does not amount to a correct implementation of the CJEU’s ruling. It added that in order to provide effective and complete protection of the data subject’s rights, delisting would have

 See Advisory Council to Google on the Right to be Forgotten, Final Report, 6 February 2015, p. 20. 57  See Bougiakiotis (2016), p. 325. 56

Enforcing the Right to Be Forgotten Beyond EU Borders

317

to be “effective on all relevant domains, including .com”.58 While this statement leaves open two important questions—namely what is needed to make delisting effective and whether third country national domains also qualify as “relevant domains” in addition to “.com”59—the dominant view is that the Working Party advocates global delisting.60 The French data protection authority in particular has been a vocal advocate for this approach61 and has challenged Google’s policy on several occasions.62 Global delisting, however, is often criticised as implying a disproportionate expansion of the EU’s jurisdiction and possibly a breach of international law. In addition, many view it as a highly unpractical solution that could trigger an international clash.63 Finally, a third option would be “zoning” by geographic filtering.64 According to this model, while delisting would not affect non-European domains of the search engine, surfers accessing the Internet from the EU would be prevented from viewing the filtered content whatever version of the engine they are using. Despite scholarly suggestions that this approach could represent a viable option for dealing with delisting,65 surprisingly it was not initially considered by the major actors involved in the implementation of the Google Spain ruling, namely Google and national data protection authorities. On the one hand, Google at first only deleted search results on the country domains corresponding to the EU Member States, on the implicit assumption that geographic filtering was not necessary to ensure effective protection of the data subjects’ rights. On the other hand, the Article 29 Working Party did not even discuss whether geographic filtering could constitute an adequate remedy and insisted on delisting on all relevant domains without specifying how it should be implemented.66 Eventually, following indications by several national DPAs, in March 2016 Google modified its approach to delisting. In addition to removing search results on

 Article 29 Data Protection Working Party, Guidelines on the implementation of the Court of Justice of the European Union judgment on “Google Spain and Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12, p. 3. 59  See Svantesson (2015), p. 120. 60  Bougiakiotis (2016), p. 330; Kuner (2015b), p. 160. 61  In an article published on the French newspaper Le Monde, the president of the CNIL and then chair of the Article 29 Working Party presented several arguments in favour of worldwide delisting: see I. Falque-Pierrotin, “Pour un droit au déréférencement mondial”, Le Monde, 29 December 2016. 62  See Tambou (2017), p. 160. 63  De Hert and Papakonstantinou (2015), p. 637. 64  See Lessig and Resnick (1999), p. 385. 65  Lynskey (2015), pp. 531–532. 66  Article 29 Data Protection Working Party, Guidelines on the implementation of the Court of Justice of the European Union judgment on “Google Spain and Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12, adopted on 26 November 2014, 14/EN WP 225, p. 3. 58

318

A. Miglio

all European versions of the search engine, it resorted to geographic filtering by restricting access to the delisted URL on all domains, including google.com, “when accessed from the country of the person requesting the removal”.67 Geographic filtering has thus become Google’s practice since.

5.2  D  elisting Before the CJEU: Case C-507/17 Google v. CNIL However, the new approach adopted by Google in dealing with requests and the abandonment of a selection criterion based solely on country domains has not put an end to disputes over the territorial scope of delisting. Only a few days after Google announced that it would block access to search results based on geolocation, the CNIL adopted a decision sanctioning it for failure to comply with its delisting obligations.68 The CNIL rejected the approach followed by the search engine operator, pointing at two major shortcomings. First, geographic filtering does not prevent users located in third countries, including individuals having personal or business relationships with the data subject, from viewing the contentious search results. Second, blocking based on surfers location can be circumvented by changing the location of an IP address through a proxy server. Therefore, according to the CNIL, geographic filtering does not sufficiently protect the data subject’s right to privacy. Google challenged the CNIL decision before the Council of State, which after hearing the parties resolved to stay the proceedings and request a preliminary ruling from the CJEU.69 The three questions submitted by the referring court all deal with the territorial scope of the delisting obligation and essentially reflect the options outlined in the previous paragraph. The first question poses the alternative between global and geographically selective delisting. In other words, the Council of State asks whether the Directive obliges a search engine provider to delist search results on every national domain of the engine, in order to prevent access to the relevant results from any country in the world. Only in the case of negative answer to the first question, the second and the third questions become relevant. With the second question, the referring court requests clarification as to whether delisting should only target the search engine’s domain  P. Fleischer, “Adapting our approach to the European right to be forgotten”, https://www.blog. google/topics/google-europe/adapting-our-approach-to-european-rig/. 68  CNIL, decision of 10 March 2017. See “Droit au déréférencement: la formation restreinte de la CNIL prononce une sanction de 100.000 € à l’encontre de Google”, https://www.cnil.fr/fr/ droit-au-dereferencement-la-formation-restreinte-de-la-cnil-prononce-une-sanction-de100000-eu. 69  Case C-507/17 Google Inc. v Commission nationale de l’informatique et des libertés (CNIL), request for a preliminary ruling from the Conseil d’État (France) lodged on 21 August 2017. 67

Enforcing the Right to Be Forgotten Beyond EU Borders

319

name corresponding to the country the research is assumed to have been launched from or whether it should extend to name extensions corresponding to all EU Member States (e.g. google.be, google.nl, google.fr., etc.). Finally, the third question deals with geographic filtering. If the Directive does not impose global delisting, does it require from search engine operators, in addition to the removal of search results from the European domains, filtering based on the location of hardware in order to prevent access to the relevant content from users based in the EU, whichever version of the search engine they use?

5.3  The Problem with Geographic Filtering The current discussion on the implementation of de-referencing is reminiscent of the debate that arose in the early 2000s, in the wake of the famous Yahoo! case, where a French court ordered a US-based Internet service provider to enforce restrictions on access to web content that infringed the French law against Nazi apology.70 In Yahoo!, geographic filtering ultimately offered the tool to reconcile different policy choices, by enforcing the restrictions imposed by French law against users accessing the web from France while leaving the provider free to show the contentious content in different jurisdictions.71 Having in mind this precedent, one is tempted to conclude that geographic filtering also represents the optimal solution for the implementation of the right to delisting. Advocate General Szpunar seems to share this view in his conclusions in Google v. CNIL, where he suggests anchoring delisting to a territorial criterion while pleading for geographic filtering.72 If in Yahoo! geolocation and filtering allowed for the coexistence of different regulatory regimes on a territorial basis, preserving the effectiveness of local laws while avoiding unnecessary overreach, why should the same approach not work for delisting of personal data? There is, in fact, a fundamental difference undermining the analogy. Whereas geographic filtering can successfully resolve policy conflicts, it may fall short of offering effective protection to the data subject’s fundamental rights. Since the entry into force of the Lisbon Treaty, which gave the EU Charter of Fundamental Rights legally binding value as EU primary law, the CJEU has placed great emphasis on the effectiveness of the right to personal data, which Article 8 of the Charter recognises as an autonomous right, and of the right to privacy.73 Indeed, the Court explicitly  Tribunal de Grande Instance de Paris, order of 22 May 2000, UEJF and Licra v. Yahoo! Inc. and Yahoo! France. For an account of the case, see Goldsmith and Wu (2006), p. 1. 71  See Muir Watt (2002–2003) and Reidenberg (2005). 72  See Case C-507/17 Google Inc. v Commission nationale de l’informatique et des libertés (CNIL), Opinion of Advocate General Szpunar, EU:C:2019:15. 73  See, e.g., Joined Cases C-92/09 and C-93/09 Schecke, EU:C:2010:662; Joined Cases C-293/12 and C-594/12, Digital Rights Ireland, EU:C:2014:238; Case C-362/14, Schrems, EU:C:2015:650; Joined Cases C-203/15 and C-698/15, Tele2 Sverige, EU:C:2016:970. 70

320

A. Miglio

indicated in Google Spain, and reiterated in Weltimmo, that this very concern was the decisive reason for construing the scope of application of the Data Protection Directive broadly. With regard to delisting, the crucial question is whether filtering, despite its intrinsic geographic limitation and the risk of circumvention through a proxy, offers sufficient safeguards for the data subject’s privacy. Although the Court will likely carry out a more complex assessment and also bring other factors into play, its insistence on effectiveness suggests that this may not be the case. Whatever answer the CJEU gives, however, the Yahoo! precedent seems of very limited use to provide a satisfactory solution, the reason being that data protection issues raise concerns of a different nature than those at stake in Yahoo! and similar cases. In Yahoo!, geographic filtering was instrumental in permitting the coexistence within the cyberspace of conflicting public policy choices: the prohibition of Nazi apology under French law and the right of free speech in the US. The conceptual framing of delisting in terms of fundamental rights protection and the CJEU’s insistence on the data subject’s right to privacy at the expense of potentially competing rights, which it controversially demoted to mere “interests” in Google Spain,74 offer a very different setting.

5.4  Searching for a Nuanced Approach The abovementioned difficulties suggest the need for a more flexible approach. In the case referred to the CJEU, both parties, the referring court and the Advocate General assume that one of the three approaches outlined above—territorially selective delisting based on national domains, territorially selective delisting based on geographic filtering or global delisting—must apply to all instances.75 From the viewpoint of search engine operators, the quest for criteria applicable to the generality of cases is perfectly understandable. As any other data controllers under a duty to comply with EU data protection law, they have a strong interest in implementing standard, ideally even automated or semi-automated procedures that would reduce costs. From the perspective of national data protection authorities (DPAs), the concern for the maximisation of fundamental rights protection is an equally powerful incentive to advocate global delisting. Such a one-size-fits-all approach, however, might not be the best way of dealing with requests for de-indexing of web search results. In this respect, the enforcement of a right to data privacy significantly differs from a Yahoo! type of situation. In the case of a state policy forbidding, as it happened in the Yahoo! case, the sale of items  Google Spain cit., para. 81. For a critique see, ex aliis, Frantziou (2014), p. 769.  The Advocate General hinted at possible exceptions (para. 62), but then failed to provide any guidance on the point. Ironically, despite relying on the need to balance competing rights as the “key argument” for restricting the geographic scope of delisting, the Advocate General appears to assume that outside the EU freedom of expression and the right of access to information always outweigh the data subject’s right to privacy. For an analysis of this contradiction see Miglio (2019).

74 75

Enforcing the Right to Be Forgotten Beyond EU Borders

321

considered illegal under the law of the forum, the prohibition is meant to apply without regard to competing interests and its enforcement usually does not require a great deal of balancing. In addition, once geographic filtering is in place, it does not frustrate the purpose of the forum policy that people engage in the forbidden activity in another jurisdiction. By contrast, when it comes to implementing a right to erasure of personal data published online, the picture is much more complex. As the CJEU recognised in Google Spain, processing requests for delisting requires a “fair balance” to be struck between the data subject’s fundamental rights to privacy and data protection under Articles 7 and 8 of the EU Charter of Fundamental Rights, on the one hand, and the interest of users in having access to information, on the other.76 Striking a “fair balance” necessarily requires a case-by-case assessment, where the relative weight of privacy and competing rights or interests may not always be the same.77 In practice, the outcome of the balancing test could depend on several variables, such as the nature of the data (sensitive/non sensitive), whether the information published is false or defamatory, the status and personal condition of the data subject (minors might deserve enhanced protection), whether the data were processed illegally, and so on. It is true that those concerns are already addressed at a different stage, namely when a decision has to be taken whether or not to grant a request for delisting in the first place. Nevertheless, they could also have a bearing on the determination of the appropriate geographic scope of delisting. In certain cases public interest in the availability of information may be strong or even stronger in a third country than within the EU.78 This problem can be significant in the light of the relatively ill-defined protective scope of the EU data protection rules. Although the Article 29 Working Party has stated that DPAs will focus on claims presenting “a clear link between the data subject and the EU, for instance where the data subject is a citizen or resident of an EU Member State”,79 the application of the GDPR is not dependent on the nationality or residence of the data subject.80 In addition, only under Article 3(2) GDPR is the physical location of the data subject “in the Union” relevant, whereas this condition is not required when the controller or processor is established in the Union. As a consequence, at least in theory, EU data protection law “could apply to requests for suppression from individuals anywhere in the world”.81 Furthermore, it may well be interference by physical or legal persons located in third countries that threatens the data subject’s privacy. In those cases, geographic filtering can hardly offer an effective remedy. Although not related to personal data,  Case C-131/12 Google Spain, EU:C:2014:317, para. 81.  Cf. de Hert and Papakonstantinou (2015), p. 634. 78  See Van Alsenoy and Koekkoek (2015), p. 113. 79  Article 29 Data Protection Working Party, Guidelines on the implementation of the Court of Justice of the European Union judgment on “Google Spain and Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12, p. 3. 80  See recital 2 of the GDPR. 81  Kuner (2015c), p. 29. See. also Svantesson (2015), p. 130. 76 77

322

A. Miglio

a judgment rendered by the Supreme Court of Canada in 2017 is a case in point.82 A Canadian company (Equustek) sued a former distributor, which had started to re-­ label the product and sell it as its own, for breach of intellectual property rights. It won the case, but the infringer relocated its premises to an unknown place and continued to sell its products online. Based on a court order prohibiting the infringer from carrying on its business on the Internet, Google de-indexed its web pages, but limited the delisting to searches conducted through google.ca. Equustek then brought court proceedings seeking an injunction requiring Google to delist the infringer’s websites from all its search results worldwide. Hearing the case on appeal from Google which had lost before the first instance court, the Supreme Court of Canada delivered a judgment upholding Equustek’s right to obtain a global injunction. It noted that the injunction against Google could only attain its purpose if it applied where Google operates, namely globally, and that delisting limited to certain national domains would not prevent harm to the petitioner. Aside from concerns that relate specifically to IP rights—notably in the light of their traditionally territorial character—the judgment illustrates some of the challenges that territorially selective enforcement poses to the effectiveness of rights in the online environment. It is not difficult to imagine cases—as a way of example, one might think of revenge porn of cyberstalking of minors—where the data subject might suffer serious harm failing the de-indexing of search results on a worldwide basis. In conclusion, none of the possible approaches to the implementation of delisting appears suitable in all and every cases. While a selection based on national domains is obviously ineffective and easy to circumvent, global delisting risks being disproportionate and triggering unnecessary jurisdictional conflicts. The “third way” offered by geographic filtering, although it generates no interference with the jurisdiction of third countries, may in certain cases be insufficient to effectively protect the rights of the data subject. In the light of such difficulties, some authors have argued that the territorial scope of delisting under EU data protection law should not necessarily be the same in all circumstances and could vary depending on the nature of data or a set of substantive factors such as the state interests involved, the likelihood of adverse impact on the data subject in case of territorially selective delisting, the degree of normative convergence between the States involved and the existence of connections with the territory of the forum.83 In order to reduce the complexity of a balancing test based on such a variety of substantive factors, other scholars, while still rejecting the assumption that one mode of implementation would work in every case, have suggested adopting geographic filtering as the default approach, while assessing the need for global implementation on a case-by-case basis.84

 Supreme Court of Canada, judgment of 28 June 2017, Google Inc. v. Equustek Solutions Inc., 2017 SCC 34. 83  Van Alsenoy and Koekkoek (2015), pp. 116–119. 84  Bougiakiotis (2016), p. 330. 82

Enforcing the Right to Be Forgotten Beyond EU Borders

323

5.5  The Inevitable Shortcomings of Flexibility Attempts at elaborating a nuanced approach to the implementation of the right to delisting are certainly meritorious and would arguably permit a more careful balancing of the rights and interests and stake, in addition to reducing the risk of jurisdictional clashes. However, they also raise two problems that should not be neglected. The first is the need to find a legal basis for any test aimed at determining the scope of delisting on a case-by-case basis. Unfortunately, the GDPR is silent in this respect. It neither provides any guidance as to the scope of delisting nor suggests that delisting should have a different scope depending on the kind of information or the interests involved. The absence of express guidance in the legislative text could certainly be overcome through judicial interpretation, but this would take time and not necessarily provide legal certainty. In the meantime, practices developed by data controllers required to enforce requests for delisting and the supervision by national DPAs could help devise criteria for determining the territorial scope of each request for delisting. Although so far it has provided little clarification—apart from a vague plea for global delisting—, the Article 29 Working Party could play an important role in this respect. The second problem would be inherent to the rejection of a one-size-fits-all approach and to the search for more flexible solutions. Inevitably, making the scope of delisting dependent on a balancing test would add one further level of complexity to a normative framework that is already highly complex and burdensome to the point of being often perceived as dysfunctional.85 Seen from this perspective, the debate on the territorial scope of delisting highlights a dilemma that is not limited to the implementation of the right to delisting but arguably underlies the (EU) regulation of online activities more generally.86 On the one hand, calling for unrestrained global reach might on paper offer better protection of individual rights and support the EU’s ambition to act as a global trendsetter in the field, notably by stimulating spontaneous convergence towards its stricter regulatory standard. Inherent risks of this approach would be its likely limited effectiveness outside the EU borders and adverse effects on transatlantic relations.87 On the other hand, any alternative approach that could better do justice to the complexities of individual cases would also make it harder for online operators and data subjects alike to cope with the intricacies of EU data protection law, thereby increasing barriers to entry in online markets88 and possibly widening the gap between legal rules on paper and their actual implementation.  Svantesson (2014), p. 67. See also Koops (2014) and Svantesson (2013).  It is significant that a similar question has recently arisen in the context of a reference for preliminary ruling from the Austrian Supreme Court concerning the worldwide erasure of hate speech contents published on Facebook: Case C-18/18, Glawischnig-Piesczek, pending. 87  See Svantesson (2014), pp. 94–95. 88  See Bougiakiotis (2016), p. 319; Stute (2015), p. 676. 85 86

324

A. Miglio

6  Conclusive Remarks One of the main arguments in favour of extraterritorial application of laws rests on the assumption that it can promote uniformity across different jurisdictions. In her article on the “Brussels effect”, Professor Bradford provided a convincing account of the EU’s ability to act as a de facto global standard-setter through unilateral regulation.89 By requiring the respect of high safety, environmental or other standards from market operators intending to place their goods and services on its internal market, the EU pushes global businesses established in third countries to spontaneously adapt to higher regulatory standards than those existing in their jurisdictions. In turn, this is a powerful drive towards regulatory convergence. This very rationale has long been prominent in the external projection of EU policies in general and has been consciously pursued in the framing of the scope of EU data protection legislation in particular. The underlying assumption is that the application of EU data protection law beyond the Union borders not only better protects EU citizens and residents, but also creates a set of strong incentives: for global businesses, to adapt their activity worldwide to EU regulatory standards; for third countries, to follow suit and align their regulatory regimes to EU legislation. Comparative legal studies90 and growing sensitivity to data protection across the Atlantic suggest that regulatory divergences between the EU and the US, which have been the focus of extensive literature,91 may not be irreconcilable. Nevertheless, regulatory convergence is not the only possible outcome of the expansion of the territorial reach of EU law. Depending on the strength and effectiveness of the “Brussels effect”, reaching “beyond EU borders” might also consolidate divergences and reinforce a trend towards geographic fragmentation of the Internet that has been ongoing for almost two decades under the pressure of sovereign regulatory power.92 Interestingly, although both global and territorially selective delisting might contribute to increase fragmentation, they point to two very different models of fragmentation. In the territorially selective model, geographic filtering allows global businesses to offer online services across a number of jurisdictions and permits the coexistence of a plurality of divergent local laws each in its own territorial sphere. By contrast, if regulatory divergences remain and different jurisdictions advance claims for the global application of conflicting local laws, businesses may prove unable to comply with all regulatory regimes and the threat of sanctions may ultimately undermine their ability to offer their services across multiple jurisdictions.

 Bradford (2012).  Bennett (2012). 91  See, in particular, Svantesson (2014). 92  Schultz (2008), p. 799. 89 90

Enforcing the Right to Be Forgotten Beyond EU Borders

325

References Bennett, Steven C. 2012. The “Right to Be Forgotten”: Reconciling EU and US Perspectives. Berkeley Journal of International Law 30: 161–194. Bougiakiotis, Emmanouil. 2016. The Enforcement of the Google Spain Ruling. International Journal of Law and Information Technology 24: 311–342. Bradford, Anu. 2012. The Brussels Effect. The Northwestern University Law Review 107: 1–68. Brkan, Maja. 2016. The Unstoppable Expansion of the EU Fundamental Right to Data Protection. Little Shop of Horrors? Maastricht Journal of European and Comparative Law 23: 812–841. Colonna, Liane. 2014. Article 4 of the EU Data Protection Directive and the Irrelevance of the EU-US Safe Harbour Program? International Data Privacy Law 4: 203–221. de Hert, Paul, and Michal Czerniawski. 2016. Expanding the European Data Protection Scope Beyond Territory: Article 3 of the General Data Protection Regulation in Its Wider Context. International Data Privacy Law 6: 230–243. de Hert, Paul, and Vangelis Papakonstantinou. 2015. Google Spain. Addressing Critiques and Misunderstandings One Year Later. Maastricht Journal of European and Comparative Law 22: 624–638. Frantziou, Eleni. 2014. Further Developments in the Right to be Forgotten: The European Court of Justice’s Judgment in Case C-131/12, Google Spain, SL, Google Inc v Agencia Espanola de Proteccion de Datos. Human Rights Law Review 14: 761–777. Goldsmith, Jack, and Tim Wu. 2006. Who Controls the Internet? Illusions of a Borderless World. Oxford: Oxford University Press. Gömann, Merlin. 2017. The New Territorial Scope of EU Data Protection Law: Deconstructing a Revolutionary Achievement. Common Market Law Review 54: 567–590. Kindt, Els. 2016. Why Research May No Longer Be the Same: About the Territorial Scope of the New Data Protection Regulation. Computer Law and Security Review 32: 729–748. Kochenov, Dimitry. 2012. The Application of EU Law in the EU’s Over-seas Regions, Countries, and Territories After the Entry into Force of the Treaty of Lisbon. Michigan State Journal of International Law 20: 669–743. Koops, Bert-Jaap. 2014. The Trouble with European Data Protection Law. International Data Privacy Law 4: 250–261. Kropf, John W. 2014. Google Spain SL v. Agencia Española de Protección de Datos (AEPD). Case C-131/12. American Journal of Comparative Law 108: 502–509. Kuner, Christopher. 2015a. Extraterritoriality and Regulation of International Data Transfers in EU Data Protection Law. International Data Privacy Law 5: 235–245. ———. 2015b. Google Spain in the EU and International Context. Maastricht Journal of European and Comparative Law 22: 158–164. ———. 2015c. The Court of Justice of the EU Judgment on Data Protection and Internet Search Engines: Current Issues and Future Challenges. In Protecting Privacy in Private International and Procedural Law and by Data Protection, ed. Burkhard Hess and Cristina M. Mariottini, 19–55. Baden-Baden: Nomos. Lessig, Lawrence, and Paul Resnick. 1999. Zoning Speech on the Internet: A Legal and Technical Model. Michigan Law Review 78: 395–431. Lowe, Vaughan. 2006. Jurisdiction. In International Law, ed. Malcolm Evans, 335–360. Oxford: Oxford University Press. Lynskey, Orla. 2015. Control Over Personal Data in a Digital Age: Google Spain v AEPD and Mario Costeja Gonzalez. Modern Law Review 78: 522–534. Mann, Frederick Alexander. 1964. The Doctrine of Jurisdiction in International Law. Collected Courses of the Hague Academy of International Law 111: 1–163. Miglio, Alberto. 2019. Setting Borders to Forgetfulness: AG Suggests Limiting the Scope of the Search Engine Operators’ Obligation to Dereference Personal Data. European Data Protection Law Review 5 (1). forthcoming.

326

A. Miglio

Moerel, Lokke. 2011. The Long Arm of EU Data Protection Law: Does the Data Protection Directive Apply to Processing of Personal Data of EU Citizens by Websites Worldwide. International Data Privacy Law 1: 28–46. Moreno-Lax, Violeta, and Cathryn Costello. 2014. The Extraterritorial Application of the Charter: From Territoriality to Facticity. In The EU Charter of Fundamental Rights. A Commentary, eds. Steve Peers, Tamara Hervey, Jeff Kenner, and Angela Ward. Oxford: Hart. Muir Watt, Horatia. 2002–2003. Yahoo! Cyber-Collision of Cultures: Who Regulates? Michigan Journal of International Law 24: 673–696. Peguera, Miguel. 2016. The Shaky Ground of the Right to Be Delisted. Vanderbilt Journal of Entertainment & Technology Law 18: 507–561. Reidenberg, Joel R. 2005. Technology and Internet Jurisdiction. University of Pennsylvania Law Review 153: 1951–2001. Ryngaert, Cedric. 2015. Jurisdiction in International Law. Oxford: Oxford University Press. Sancho-Villa, Diana. 2015. Developing Search Engine Law: It Is Not Just About the Right to Be Forgotten. Legal Issues of Economic Integration 42: 357–382. Sartor, Giovanni. 2015. The Right to Be Forgotten in the Draft Data Protection Regulation. International Data Privacy Law 5: 64–72. Schultz, Thomas. 2008. Carving up’ the Internet: Jurisdiction, Legal Orders, and the Private/Public International Law Interface. European Journal of International Law 19: 799–839. Scott, Joanne. 2014a. Extraterritoriality and Territorial Extension in EU Law. American Journal of Comparative Law 62: 87–126. ———. 2014b. The New EU Extraterritoriality. Common Market Law Review 51: 1343–1380. Spiecker, Indra. 2015. A New Framework for Information Markets: Google Spain. Common Market Law Review 52: 1033–1057. Stute, David J. 2015. Privacy Almighty – The CJEU’s Judgment in Google Spain SL v. AEPD. Michigan Journal of International Law 36: 649–680. Svantesson, Dan Jerker B. 2013. A “Layered Approach” to the Extraterritoriality of Data Privacy Laws. International Data Privacy Law 3: 278–286. ———. 2014. The Extraterritoriality of EU Data Privacy Law – Its Theoretical Justification and Its Practical Effect on U.S. Business. Stanford Journal of International Law 50: 53–102. ———. 2015. Limitless Borderless Forgetfulness? Limiting the Geographical Reach of the ‘Right to be Forgotten’. Oslo Law Review 2: 116–138. ———. 2016. Article 4(1)(a) ‘Establishment of the Controller’ in EU Data Privacy Law – Time to Rein in this Expanding Concept? International Data Privacy Law 6: 210–221. Tambou, Olivia. 2017. Le droit à l’oubli numérique. De l’Europe au Japon. Revue de l’Union européenne 606: 153–165. Tene, Omer, and Christopher Wolf. 2013. White Paper on Overextended Jurisdiction and Applicable Law Under the EU General Data Protection Regulation. Future of Privacy Forum. Van Alsenoy, Brendan. 2017. Reconciling the (Extra)territorial Reach of the GDPR with International Law. In Data Protection and Privacy Under Pressure, ed. Gert Vermeulen and Eva Lievens, 77–100. Antwerp/Apeldoord/Portland: Maklu. Van Alsenoy, Brendan, and Marieke Koekkoek. 2015. Internet and Jurisdiction After Google Spain: The Extraterritorial Reach of the ‘Right to Be Delisted’. International Data Privacy Law 5: 105–120. Wagner-von Papp, Florian. 2012. Competition Law, Extraterritoriality and Bilateral Agreements. In Research Handbook on International Competition Law, ed. Ariel Erzachi, 21–59. Cheltenham: Edward Elgar. Ziller, Jacques. 2007. The European Union and the Territorial Scope of European Territories. Victoria University of Wellington Law Review 38: 51–64.

Overflying Justiciability? Drones and Avoidance Doctrines Before National Courts Luca Gervasoni

Abstract  In recent years much research has been dedicated to targeted killing, an issue often considered in relation to the deployment of new technologies such as unmanned aerial vehicles. Quite surprisingly, however, not much attention has been devoted to access to justice for victims of drone strikes. This matter is rapidly gaining momentum as a considerable number of cases have been brought to court by victims of killing by drone in these last years, and many more such cases should be expected to ensue in the near future. Against this background, this article will show that the great majority of domestic suits related to targeted killing have been dismissed on procedural grounds before ever reaching an adjudication on their merits, mainly as a result of domestic courts’ reliance on non-justiciability theories (or avoidance doctrines). The article will thus unveil that, due to the particular nature and features of drone strikes, the application of avoidance doctrines to cases ensuing from unlawful killing by unmanned aerial vehicles has the effect of leaving victims’ demands for justice absolutely frustrated, thus effectively placing them outside the protection of the law. So that application of traditional theories on justiciability to new lethal practices ensuing from previously unforeseeable technical evolutions makes it possible for States to “kill in large numbers and to the sound of trumpets”, while segregating victims to “die in the silence of courts”. Being this the case, the article will look into the specificity of drone strikes from an opposite angle, trying to turn the peculiarities of this weapon platform into a chance to pursue accountability and reparation throughout multiple proceedings in alternative jurisdictions.

L. Gervasoni (*) University of Milano-Bicocca, Milan, Italy © Springer Nature Switzerland AG 2019 E. Carpanelli, N. Lazzerini (eds.), Use and Misuse of New Technologies, https://doi.org/10.1007/978-3-030-05648-3_16

327

328

L. Gervasoni

1  Introduction It is well-known that leaving abuses unpunished invites repetition,1 especially when impunity for the gravest of conducts is widespread and granted both de jure and de facto. The practice of targeted killing2 seems to be a showcase for this assessment: on 29 January 2017, at around 2:30 a.m., a United States commando raid, preceded by drone strikes, stormed the village of Yakla, in Yemen.3 Among the victims of the strike was 8-years-old Nawar al-Aulaqui, sister of Abdulrahman Aulaqui—killed in a US led drone strike on 14 October 2011 when he was only 16 years old4—and daughter of Anwar al-Aulaqui—also killed in a drone strike carried out in the morning of 30 September 2011.5 Aside from the tragedy inherent to the reported deaths and to the fact that two generations of a family have been literally vanquished by three subsequent drone strikes in regions far removed from well-recognized theatres of hostilities, what is particularly salient in this chain of killings is that two lawsuits had respectively sought to prevent the very beginning of this sequence and to assert accountability following the perpetration of the first of these killings. Indeed, on 30 August 2010, Nasser Al-Aulaqi, Anwar Al-Aulaqi’s father, brought a lawsuit challenging the government’s decision to target his son for killing.6 On 18 July 2012, after Anwar Al-Aulaqi had actually been deprived of his life and the second of these drone strike had killed Abdulrahman Al-Aulaqi, the victims’ relatives again filed a lawsuit before US courts, this time seeking for redress.7 In both these instances the US judiciary avoided to take a stance upon the merits of the complaints considering the matter as non-justiciable and thus impeding any form of reparation. Whereas in recent years drone strikes and targeted killing have been the subject of considerable attention, the same cannot be said about the right of access to justice for those who have fallen victims of such practices. While the underlying assumption of this Chapter is that targeted killing may be either lawful or unlawful

 Committee of Ministers of the Council of Europe, Guidelines on Eradicating Impunity, 30 March 2011, Preamble; Roht-Arriaza (1995), p. 142. 2  In general, on targeted killing see Melzer (2008); Philip Alston, Report of the Special Rapporteur on Extrajudicial, Summary or Arbitrary Executions—Study on Targeted Killings (hereinafter “Alston Report”), UN Doc. A/HRC/14/24/Add.6, 28 May 2010; and Gervasoni (2016). 3  Ghobari and Stewart (2017). According to unofficial investigations, civilian deaths included ten children in addition to an 80 year-old tribal leader, a villager who had already survived a drone strike on his wedding day back in 2013 and a pregnant woman, together with her new-born child. To this end see Reprieve, Game Changer, available at: https://www.reprieve.org.uk/wp-content/ uploads/2017/10/2017_10_31_PRIV-Yemen-Report-UK-Version-FINAL-FOR-USE.pdf. 4  Greenwald (2011). 5  Griffin (2011) and Rushe and McGreal (2011). 6  Al-Aulaqi v. Obama, 727 F. Supp. 2d 1, Dist. Court, Dist. of Columbia 2010. 7  Al-Aulaqi and Others v. Panetta and Others, Complaint, 18 July 2012. 1

Overflying Justiciability? Drones and Avoidance Doctrines Before National Courts

329

d­ epending on a series of factors,8 its scope is to focus on access to justice and reparation for persons who have already been so selected and/or so deprived of their lives. This Chapter will thus show that the great majority of domestic lawsuits related to targeted killing have been dismissed on procedural grounds before ever reaching an adjudication on their merits, mainly as a result of domestic courts’ reliance on non-justiciability doctrines. After providing a brief overview of these procedural-­ related hindrances to redress and accountability, the analysis will turn to international law, arguing that the duty to grant victims of gross human rights violations full reparation is hardly reconcilable with non-justiciability theories, whose application may give rise to a separate and additional violation of victims’ fundamental rights. In so doing, the Chapter will show that the main problem hindering an effective application of international law standards in terms of access to justice and effective remedies lies within the very rationale often placed at the foundation of avoidance doctrines: when anchoring these theories to constitutional principles of separation of powers, indeed, domestic courts actually create a contrast—which would seem prima facie irreconcilable—between constitutionalism and international obligations. Hence, the need to explore alternative solutions, with a view of going beyond the formal condemnation of denial of justice and overcoming its effects all together through the identification of alternative pathways to justice, which may prove to be effective for the enhancement of victims’ rights.

2  Avoidance Doctrines Aside from the peculiarities characterizing any of their specific variations, “avoidance doctrines” may be described in general as judicially-made doctrines “allowing courts to refrain from exercising their established jurisdiction”, thus shielding certain actions of the executive from the scrutiny of the judicial apparatus.9 By reference to avoidance doctrines, courts have argued in the past that any determination in the realm of military affairs is not susceptible of intelligent judicial appraisal due to the nature of the information they are based on.10 In turn, this approach implies that, in highly sensitive areas falling within the realm of “external affairs”, an absolute deference is made to the executive’s will and discretion.11

 To this end see Gervasoni (2016).  Weill (2014), p. 69. 10  Korematsu v. U.S., 65 S. Ct. 193, 245, 1944, Justice Jackson’s Opinion. 11  Benvenisti (1993), p. 161. 8 9

330

L. Gervasoni

2.1  Origin and Peculiarities of Non-justiciability Theories As it appears, avoidance doctrines lead to a redefinition of the very area of what is and what is not for judges to know and decide upon. Henceforth, by framing, accepting or rejecting them, “courts design their own role in applying” the law.12 Whereas the contours of these doctrines remain “murky and unsettled”,13 non-­ justiciability theories share some common traits.14 The act of state doctrine is a justiciability principle according to which the judiciary would be prevented from conducting inquiries into third States’ actions.15 Thus, the Foreign Act of State Doctrine, in the UK, postulates that determinations potentially damaging the public interest in the fields of international relations due to the connection of their underlying questions with third States’ conducts are non-justiciable.16 Correspondingly, according to the Crown Act of State Doctrine, the judiciary of the UK shall then refrain from adjudicating on claims in tort brought against the Crown itself due to activities that may be attributed to the State acting jure imperii.17 Similarly, in the US the political question18 doctrine requires courts to refrain from any interference with “issues of political delicacy in the field of foreign affairs”19 as well as with third countries’ determinations.20 The comparison between two studies on the impact of avoidance doctrines on judicial review of fundamental rights violations conducted on the span of some 15 years21 points to the conclusion that national courts have shifted from a widespread application of non-justiciability clauses to a partial abandonment of such an approach.22 However in cases of targeted killing this evolution does not emerge as  Weill (2014), p. 69.  Bancoult v. McNamara, 726 F.2d 774, 803 n. 8, D.C. Cir. 1984. Accordingly, in relation to the UK doctrines of Crown act of State and Foreign act of State see Scott (2015), p. 1. 14  Significantly, even though throughout this Chapter reference is primarily made to systems of common law, the judiciary of civil law countries are no stranger to similar applications. To this end see, by way of example, the Markovic case before the Italian Court of Cassation (Cass. Civ. SS. UU. 5 June 2002, No. 8157). 15  Weill (2014), pp. 70–71. 16  Campaign for Nuclear Disarmament v. Prime Minister of the United Kingdom [2002] EWHC 2777. In higher detail on the relationship between the Crown act of State and Foreign act of State doctrines see Mohammed v. Secretary of State for Defence [2015] EWCA Civ 843, [375]. On the Foreign act of State doctrine in particular see Nicholson (2015). 17  Mann (1986), p. 187; Hartley and Griffith (1981), pp. 312–316. For an analysis of the doctrine and its evolutions following the most recent UK judgments in the joined appeals in Serdar Mohammed v. Ministry of Defence and Rahmatullah v. Ministry of Defence see Scott (2015), arguing that “both the non-reviewability of the prerogative generally and the specific immunity of the Crown in its own courts have been significantly eroded”. 18  On this matter see extensively Amoroso (2015, 2011). 19  Henkin (1976), p. 597. 20  Underhill v. Hernandez, 168 U.S. 250 (1897), 252. 21  Benvenisti (1993) and Benvenisti and Downs (2009). 22  Benvenisti and Downs (2009), p. 60. 12 13

Overflying Justiciability? Drones and Avoidance Doctrines Before National Courts

331

of yet. Indeed, the most recent decisions on targeted killing cases in US jurisprudence closely resemble judgments dating back to almost 30 years.23

2.2  Avoidance Doctrines Applied to Targeted Killing Cases The already recalled Al-Aulaqi proceedings—the first targeted killing related complaint ever brought before the US judiciary—was dismissed by reason of lack of standing and political question doctrine.24 After stating that the events of the case had taken place in the context of an ongoing armed conflict25 and that, in theory, extrajudicial killings would be a legitimate basis for a claim in torts, the District Court for the District of Columbia stressed the (allegedly) extraordinary nature of the suit; it then underlined that the executive had not waived sovereign immunity and applied the political question doctrine tracing its rationale all the way back to the constitutional principle of separation of powers. In particular, the Court maintained that national security, military matters and foreign relations are “quintessential sources of political questions”, concluding that, “[i]f the political question doctrine means anything in the arena of national security and foreign relations, it means the courts cannot assess the merits of the President’s decision to launch an attack on a foreign target” since this “would be anathema to […] separation of powers” principles.26 Surprisingly enough, the Court thus concluded that where a judicial decision would matter the most—i.e., in a literal “life-or-death” situation—then the judiciary has no powers whatsoever. Perhaps even more astonishingly, while recognizing “the somewhat unsettling nature of its conclusion” the Court maintained that “there are circumstances in which the Executive’s unilateral decision to kill a US citizen overseas is ‘constitutionally committed to the political branches’ and judicially unreviewable”,27 thus averring that the decision whether or not to deprive a person of his life is political in nature.28 If the recalled judgment excluded any possibility of judicial review over governmental policies for preventative purposes, the following decision of the District Court for the District of Columbia made clear that the judiciary is also barred from conducting post-hoc assessments of the lawfulness of a targeted killing, as this  See respectively Saltany v. Reagan, 886 F.2d 438, DC dr. 1989, and Industrie Panificadora, SA. et  al. v. United States, 763 F.  Supp. 1154, DDC, 1991, 4T4 957 F.2d 886, DC Or. 1992, Cert denied, 113 S.CL 304; Panama SA. v. United States, 967 F.2d 965, 4th Or. 1992, Cert denied, 113 US 411. Coming to a similar conclusion on the broader issue of access to justice for victims of counterterrorism measures in general see Brown (2011), p. 248. 24  Al-Aulaqi v. Obama, 727 F. Supp. 2d 1, Dist. Court, Dist. of Columbia 2010. 25  Hamdan v. Rumsfeld, 548 U.S. 557, 2006. 26  Al-Aulaqi v. Obama cit., pp. 65–66 and 70–72. 27  Ibid., p. 78. 28  For a thorough analysis of this judgment see Heller (2011). 23

332

L. Gervasoni

question too would fall within the realm of non-justiciable matters.29 Nominally avoiding to apply the political question doctrine since the power granted to the executive by the Constitution does not provide it with carte blanche to do whatever it deems appropriate, the Court nevertheless averred that: US law does not provide any available remedy for such a claim since a number of special factors hinder its justiciability – including separation of powers, national security, and the risk of interfering with military decisions – [and] preclude the extension of [claims in tort against individual federal officials] to such cases.30

Notably, the Court’s reasoning thus runs counter to the rationale underlying its own judgment in the Al-Aulaqi v. Obama case, pursuant to which the political question doctrine barred any possible consideration of the lawsuit in its merits because, as the Court itself had clarified, the role of the judiciary is to conduct post hoc determinations. Jointly read, these two judgments leave no judicial venue whatsoever to either prevent an extrajudicial killing to take place ex ante (Al-Aulaqi v. Obama case) or to seek for a remedy post facto (Al-Aulaqi and others v. Panetta and Others case) whenever the executive alleges that the killing is an act of war. This impression finds full confirmation in yet another decision of the US District Court for the District of Columbia on a drone strike case: the lawsuit lodged by Faisal Bin Ali Jaber seeking a declaration of unlawfulness of targeted killing policies and reparation for the killing of his nephew and his brother in law has indeed been dismissed on grounds of the political question doctrine. Moving along the lines of its previous Al-Aulaqi case-law, the Court averred that the use of military force abroad squarely falls within the exclusive powers of the executive,31 thus in fact unveiling a far-reaching withdrawal of the judiciary from any assessment over possible abuses perpetrated by the executive branch, and even clarifying that: to the extent that these hypothetical war crimes do result from a deliberate policy decision of the [e]xecutive, the courts’ inability to review that decision underlies our entire constitutional system.32

The English judiciary has come to dismiss drone-related complaints on similar grounds. In the case of Noor Khan v. Secretary of State—concerning the clarification of the UK’s involvement in US led drone strikes and the ensuing demand for injunctive relief against the Secretary of State’s decision to cooperate with the US, as such a cooperation would make the UK ancillary to murder—both the High Court of Justice and the Court of Appeals dismissed the case declaring the matter non-justiciable pursuant to the foreign act of state doctrine.33 Both Courts, in particular, argued that holding a defendant responsible for murder due to his i­ nvolvement  Al-Aulaqi v. Panetta, 35 F. Supp. 3d 56, Dist. Court, Dist. of Columbia, 2014.  Ibid., pp. 28–32. 31  Ali Jaber v. United States, 155 F. Supp. 3d 70, 73, D.D.C., 2016. 32  Ibid. For a commentary of this decision see Wittes (2011). 33  High Court of Justice, Noor Khan v. Secretary of State [2012] EWHC 3728 (Admin) and Court of Appeal, Noor Khan v. Secretary of State [2014] EWCA Civ 24. 29 30

Overflying Justiciability? Drones and Avoidance Doctrines Before National Courts

333

in a third State’s conduct would “involve, and would be regarded ‘around the world’ […] as ‘an exorbitant arrogation of adjudicative power’ in relation to the legality and acceptability of the acts of another sovereign power”.34 Thus they stressed that answering an hypothetical question on whether a UK national who kills a person in a drone strike in a third country’s territory is guilty of murder would be in reality tantamount to make an assessment of the principal actor-State’s conducts which “would inevitably be understood […] by the US as a condemnation of the US”.35

3  Access to Justice and Reparation in International Law Under international law, victims of human rights violations and breaches of International Humanitarian Law (IHL) shall “have their right to access to justice and redress mechanisms fully respected”.36 Correspondingly, States are bound to grant them an “effective remedy” against violations.37 Indeed, the very function of Article 8 of the Universal Declaration of Human Rights (UDHR) is to ensure that every potential abuse be justiciable at the domestic level.38 This obligation, its spirit and function, is now also endorsed in several international instruments of a binding nature.39 The right at hand is moreover reinforced by the joint operability of the general obligation to ensure respect to fundamental rights, as well as conventional clauses endorsing substantive human rights which, read together, impose on States a duty to investigate alleged breaches, to provide victims of human rights and IHL violations with equal and effective access to justice and to grant them effective remedies, including full reparation.40 Henceforth, the obligation to grant an effective remedy entails, on the one hand, a duty to grant

 High Court of Justice, Noor Khan v. Secretary of State cit., paras. 53–55.  Court of Appeal, Noor Khan v. Secretary of State cit., paras. 36–38. 36  UN Basic Principles and Guidelines on the Right to a Remedy and Reparation for Victims of Gross Violations of International Human Rights Law and Serious Violations of International Humanitarian Law, UN Doc. UN Doc. A/RES/60/147, adopted by the UN General Assembly with Resolution 60/147 of 16 December 2005, Preamble. 37  See, ex multis, Amnesty International, The UN Human Rights Committee’s Proposed General Comment on the Right to Life—Preliminary Observations, 2005, p. 10. 38  See accordingly Verdoot (1963), pp. 116–119. 39  Article 2, para. 3 of the International Covenant on Civil and Political Rights. On the scope of application of Article 2, para. 3 see in particular Human Rights Committee, General Comment No 31, 29 March 2004, UN Doc CCPR/C/21/Rev.1/Add.13, para. 16. At a regional level, Article 13 of the European Convention on Human Rights, Article 25 of the American Convention on Human Rights and Article 27 of the Protocol to the African Charter for the Establishment of the African Court on Human and Peoples’ Rights. 40  UN Basic Principles on the Right to a Remedy and Reparation cit., Principle 3 (b), (c) and (d). On reparation see Principle 18. 34 35

334

L. Gervasoni

access to justice and, on the other, a parallel (and additional) duty to grant reparation to those individuals whose fundamental rights have been violated.41 With specific reference to right to life violations, human rights monitoring bodies have clarified time and again that States are bound to provide victims with “full reparation”, which involves “restitution, rehabilitation and measures of satisfaction […] as well as bringing to justice the perpetrators of human rights violations”.42 A breach of this obligation is in and by itself sufficient to give rise to an additional and autonomous violation of the fundamental rights violated in the first place.43 As a matter of fact, the right to an effective remedy has acquired such a crucial importance to be considered “one of the basic pillars […] of the rule of law (État de Droit, Estado de Derecho) itself in a democratic society”.44 Quae cum ita sint, the right to an effective remedy has attained customary law status.45 The case law of human rights courts and bodies is moreover replete of references to investigation and prosecution as remedies for gross human rights violations which confirm this stance.46 Mirrored as it is in a plurality of binding as well as  Ibid., Principle 3 (b), (c) and (d) and Principle 11. In international jurisprudence see confirmation of this standing, inter alia, in Gülec v. Turkey (App No. 21593/93), ECtHR, judgment of 27 July 1998; Kurt v. Turkey (App No. 24276/94), ECtHR, judgment of 25 May 1998); Velásquez Rodriguez v Honduras (Series C No. 4), IACtHR, judgment of 29 July 1988; Paniagua Morales v. Guatemala (Series C No. 37), IACtHR, judgment of 8 March 1998; Blake v. Guatemala (Series C No. 36), IACtHR, judgment of 24 January 1998. 42  Human Rights Committee, General Comment No 31 cit., para. 16. By the same token see, inter alia, Velasquez Rodrıguez v. Honduras case cit., paras. 166–167 and Velasquez Rodrıguez v. Honduras IACtHR, judgment (reparations) of 21 July 1989, para. 26. Insofar as the ECtHR is concerned, Aksoy v. Turkey (App no 21987/93), ECtHR, judgment of 18 December 1996, para. 98, stating that the notion of an effective remedy entails in addition to compensation a thorough investigation capable of leading to the identification and punishment of those responsible and requires the involvement of those whose rights have been violated in the investigatory proceedings. As for the African system, see inter alia, African Commission on Human and Peoples Rights, Resolution on the Human Rights Situation in Tunisia, March 1992. In higher detail on the right to reparation see Nowak (2000), pp. 203–204; Shelton (2005), pp. 195, 197, 200. 43   UN Doc. CCPR/C/31/Rev.1/Add.13, para. 8. In higher detail see Clapham (2006), pp. 328–332. 44  Case of Castillo Paéz v. Peru (Series C No. 34), IACtHR, judgment of 3 November 1997, para. 82. See to the same end Loayza Tamayo v. Peru (Series C No. 42), IACtHR, judgment (reparations) of 27 November 1998, para. 169; and Blake v. Guatemala case cit., para. 63. Accordingly Shelton (2005), p. 140. It has been noted that, significantly, the case law of the ECtHR and the IACtHR on the right to an effective remedy is converging in this regard. To this end see Trindade (2011), p. 59. 45  Shelton (2005), p. 238. 46  To this end see, ex multis, Human Rights Committee, Sathasivam v. Sri Lanka, Views of 8 July 2008, para. 6.4; Branko Tomašić and Others v. Croatia (App. No. 46598/06), ECtHR judgment of 15 January 2009, para. 62; Myrna Mack-Chang v. Guatemala, (Series C No. 101) IACtHR, judgment of 25 November 2003, paras. 156-157; Montero-Aranguren et al. (Detention Center of Catia) v. Venezuela, (Series C No. 150) IACtHR, judgment of 5 July 2006, para. 66. On this topic see in higher detail Gervasoni (2017). As to the extensive jurisprudence elaborated by the ECtHR in relation to the right to an effective remedy and the ensuing right to reparation see in detail European Commission for Democracy through Law (Venice Commission), Report on the Democratic Oversight of the Security Services, 11 June 2007 available at http://www.venice.coe.int/docs/2007/ CDL-AD(2007)016-e.asp. 41

Overflying Justiciability? Drones and Avoidance Doctrines Before National Courts

335

n­ on-­binding instruments, and reflected in customary international law,47 that of accountability has become a very foundational principle of human rights law itself, so that, as for the right to an effective remedy in general, also “a failure to investigate and, where applicable, punish those responsible for violations of the right to life in itself constitutes a violation of that right”.48 Notably, the right to an effective remedy also applies in times of emergency. In this regard the Human Rights Committee (HRC) has clarified that Article 2(3) of the International Covenant on Civil and Political Rights (ICCPR) “constitutes a treaty obligation inherent in the Covenant as a whole”, therefore concluding that under any circumstance “the State party must […] provide a remedy that is effective” and insisting that “it is inherent in the protection of rights explicitly recognized as non-­ derogable in [A]rticle 4, paragraph 2, that they must be secured by procedural guarantees, including often, judicial guarantees”.49 In fact, on the basis of similar considerations, it has been suggested that the right to an effective remedy has now obtained the status of a jus cogens norm—at least when the remedy is sought in pursuance of non-derogable fundamental rights.50 A similar conclusion may be reached with regard to IHL. According to Article 3 of the 1907 Hague Convention IV,51 States are responsible for acts performed by their armed forces and are under an obligation to pay compensation to those affected by the violations of the laws and customs of war they perpetrate.52

 Human Rights Committee, General Comment No. 6, 30 April 1982, U.N.  Doc. HRI\GEN\1\ Rev.1; see also, ex multis, Kaya v. Turkey (App. No. 22535/1993), ECtHR, judgment of 10 October 2000; McCann and Others v. The United Kingdom (App. No. 18984/91), ECtHR, judgment of 27 September 1995, para. 140; 1985 Declaration of Basic Principles of Justice for Victims of Crime and Abuse of Power, UN Doc. A/RES/40/34; 1997 Revised Final Report on the Question of the Impunity of Perpetrators of Human Rights Violations (Joint Principles), UN Doc. E/CN.4/ Sub.2/1997/20/Rev.1; 2005 Updated Principles on Action to Combat Impunity, UN Doc. E/ CN.4/2005/102/Add.1. See, accordingly, Alston (2011), p. 313. 48  Christof Heyns, Report of the Special Rapporteur on Extrajudicial, Summary or Arbitrary Executions—Armed Drones and the Right to Life, UN Doc. A/68/382, 13 September 2013, para. 95. In higher detail on this matter see Gervasoni (2017). 49  HRC, General Comment No. 29 (2001), UN Doc. CCPR/C/21/Rev.1/Add.13, paras. 14–15. 50  See the separate opinions of judge Cancado Trindade in: The case of Pueblo Bello Massacre (Series C No. 14), IACtHR judgment of 31 January 2006, para. 64; Cases of Massacres of Ituango v. Colombia (Series C No. 148), IACtHR, judgment of 1 July 2006, para. 47; La Cantuta v. Peru (Series C No. 162), IACtHR Judgment of 29 November 2006, paras. 49–62. 51  Article 3 Hague Convention respecting the Laws and Custom of War on Land (adopted on 18 October 1907, entered into force on 26 January 1910). 52  It is worth noticing that the travaux preparatoires of the 1907 Hague Convention IV show that Article 3 was never meant to be restricted to inter-state relationships. On direct individual entitlement to reparation see ICJ, Advisory Opinion Concerning Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory, 9 July 2004, I.C.J. Reports 2004, p. 136, paras 145, 152–3 and ICJ, Armed Activities on the Territory of the Congo Case (Democratic Republic of the Congo v. Uganda), ICJ Report 2005, p. 82, para. 259. By the same token, Zegveld (2003), pp. 497– 526; Kalshoven (1991), pp. 827, 830; Mazzeschi (2003), pp. 339–347. 47

336

L. Gervasoni

The same wording characterizes Article 91 of Additional Protocol (AP) I.53 Even though AP II—governing certain hostilities not of an international character—does not feature any provision corresponding to Article 91 AP I, victims’ entitlement to compensation should be ensured by the circumstance that conventional provisions related to reparation have now attained customary status and should therefore be deemed applicable to the whole of IHL.54 Moreover, being AP II internal armed conflicts a sub-species of the more general non-international armed conflicts defined under Article 3 common to the 1949 Geneva Conventions,55 it may be concluded that what applies to internal armed conflicts pursuant to Article 3 also applies to conflicts that would fall within the scope of application of AP II. Since States perpetrating violations of the laws of war are generally also committing violations of their own legal order, victims should in addition be able to sue the responsible State within its own legal system.56 In line with these considerations, the International Committee of the Red Cross (ICRC) has found that States bear a duty of reparation in both international and non international armed conflicts.57 In addition, IHL itself provides for a duty to investigate at the very least alleged grave breaches—thereby including willful killing—and sanction those individually responsible for them58; an obligation which would be “illusory” if a State responsible for a targeted killing were to avoid doing so.59 Indeed, also those authors who support a restrictive reading of Article 91 AP I actually stress that some grave violations of IHL are coextensive with gross human rights law violations, in which case the right to a remedy would anyway find application pursuant to the latter regime.60 Accordingly, the UN Basic Principles on Reparation indistinctively refer to gross human rights violations and serious viola-

 Article 91 Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I) of 8 June 1977. 54  Kalshoven and Zegveld (2011), p. 147. By the same token see also Bassiouni (2006), p. 217; Bassiouni (2002); Sassoli (1988). 55  Convention (I) for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field (hereinafter Geneva Convention I); Convention (II) for the Amelioration of the Condition of Wounded, Sick and Shipwrecked Members of Armed Forces at Sea (hereinafter Geneva Convention II); Convention (III) relative to the Treatment of Prisoners of War (hereinafter Geneva Convention III); Convention (IV) relative to the Protection of Civilian Persons in Time of War (hereinafter Geneva Convention IV), adopted on 12 August 1949, entered into force on 21 October 1950. 56  Ronzitti (2007). 57  Henckaerts and Doswald-Beck (2005), Rule 150. Affirmative, Report of the International Commission of Inquiry on Darfur to the United Nations Secretary- General, 25 January 2005. 58  AP I, Articles 11, 85 and 87, para. 3; Geneva Conventions I–IV, Articles 1, 50, 51, 130, and 147. By the same token, Henckaerts and Doswald-Beck (2005), Rule 158. To this end see also Gervasoni (2017). 59  Alston (2011), p. 311. 60  To this end see in higher detail Provost (2002), pp. 47–56; Tomuschat (2002a), pp. 178–179. 53

Overflying Justiciability? Drones and Avoidance Doctrines Before National Courts

337

tions of IHL. In so doing, they endorse, and at the same time reinforce, the ­“normative connection” between the two legal regimes61 reflecting their common rationale. Also the practice of UN Special Procedures confirms the existence of a normative connection between the two regimes, endorsing the view that “the State’s duty to investigate and prosecute human rights abuses also applies in the context of armed conflict and occupation”62 and further stressing that “[t]he legal obligation to effectively punish violations is as vital to the rule of law in war as in peace”.63 A case in point is the renowned judgment on targeted killing delivered by the Israeli Supreme Court in 2006.64 The Court first of all discarded in very clear terms the idea that avoidance doctrines could prevent an adjudication on the merits of the questions before it65 because determining otherwise would prevent the examination of a practice that might jeopardize “the most basic right of a human being – the right to life”.66 Resorting to an integrated approach to human rights and humanitarian law, then, the Court came to the conclusion that each and any targeted killing shall be the subject of an independent investigation, insisting that targeting operations must take place within the limits of the law,67 thus stressing the importance of judicial scrutiny over “the power” of the executive. All of the above supports the conclusion that “reparations are a legally inseparable corollary to human rights violations”68 and grave breaches of IHL. Since reparation may only be awarded if access to justice is granted, it follows that the latter is a necessary prerequisite of the former. So that practices hindering or impeding at all justiciability in this area are to be considered incompatible with international law and, as a consequence, should be deemed devoid of any juridical effect.69

 Evans (2012), pp. 37–38.  Alston Report cit., para. 93. For a similar conclusion see also Ben Emmerson, Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism (hereinafter Emmerson Report), UN Doc. A/HRC/25/59, 10 March 2014, para. 32. 63  Alston Report cit., para. 52. 64  Supreme Court of Israel, The Public Committee Against Torture in Israel v. Israel, Judgment of 13 December 2006. 65  Notably, in a previous judgment concerning the legitimacy of a policy of targeted killing the Supreme Court of Israel itself had declared the matter non-justiciable arguing that “The choice of means of warfare, used by the Respondents to pre-empt [sic] murderous terrorist attacks, is not the kind of issue the Court would see fit to intervene in”. To this end see Supreme Court of Israel, Barakeh v. Prime Minister and Minister of Defence, judgment of 29 January 2002. For a thorough commentary to the judgment see Ben-Naftali and Michaeli (2003), p. 369. 66  Supreme Court of Israel, The Public Committee Against Torture in Israel v. Israel cit., para. 54. 67  Ibid., paras. 18–22. The Court made clear, in particular, that when there is a gap in IHL such a lacuna should be filled by reference to human rights law. 68  Evans (2012), pp. 42–43. 69  Trindade (2011), p. 195. See accordingly Barrios Altos v. Peru, IACtHR, judgment of 14 March 2001, and Almonacid Arellano v. Chile, IACtHR, judgment of 26 September 2006.

61 62

338

L. Gervasoni

4  Countering Avoidance Doctrines’ Rationale If access to court and reparation are recognized as constitutional rights in most democratic States70 as well as fundamental rights protected as such by international law, and if it is so clear that under the latter the right of access to court cannot be derogated from, then how is it even possible to envisage the operability of avoidance doctrines in this area?.71 The reasoning of the previously recalled decisions on drone strikes suits are characterized by a series of arguments which tend to justify the alleged non-­ justiciability of the matter by reference to the intricacies of any assessment over the lawfulness of typical “battlefield determinations”, often adopted and implemented on third States’ territory and concerning the conduct of State officials involved in acts of hostilities and therefore often assumed to enjoy combat immunity for their actions. Whereas the rationale leading to this outcome may vary, in each and any of the recalled cases courts have denied judicial review of conducts that had either potentially jeopardized or actually deprived persons of their lives, considering the political ramifications of the acts called into question somewhat prevalent over their legal nature.

4.1  C  ontextual Discomfort, Territorial Jurisdiction and Combat Immunity This line of considerations seems however unpersuasive. Assuming that a judge is particularly ill-suited to assess the legality of battlefield determinations is tantamount to offer the military a carte blanche which would imply an absolute derogation from the right to an effective remedy in times of war, even when the most heinous crimes of war are committed. Such an interpretation is thus in stark contrast with the international law principles and obligations recalled before. Also the geographical location of the strikes seems to be irrelevant insofar as justiciability is concerned, especially if one considers the peculiarities of armed drones: the very nature of this weapon platform ensures the existence of recordings of the operations, of the operators and of the chain of command of every single strike since all this information rests with the very State that performs such an  Weill (2014), p. 69.  It is significant to point out, in this regard, that also States where avoidance doctrines have developed and thrived remain of the opinion that all States are under the obligation “to conduct exhaustive and impartial investigation into all suspected cases of extrajudicial, summary or arbitrary executions, to identify and bring to justice those responsible, […] and to adopt all necessary measures, including legal and judicial measures, to put an end to impunity and to prevent the further occurrence of such execution”. See, to this end, Alston (2011), p. 314, referring to the US practice of calling upon other States to conduct investigations and prosecutions into right to life violations. 70 71

Overflying Justiciability? Drones and Avoidance Doctrines Before National Courts

339

o­ peration.72 Thus, from an international law perspective, the fact that a certain strike has been performed on a third State territory would be irrelevant for an assessment of justiciability before the targeting State’s judiciary, as this latter would have the capacity, and therefore the function, and therefore the jurisdiction to conduct a prompt and thorough investigation73 and, similarly, to grant access to remedies and reparation to victims of unlawful strikes. Another peculiar feature that is often considered to hamper justiciability of complaints lodged by victims of drone strikes relates to status determination under IHL for both those targeting and those who are targeted. It is indeed well known that under the laws of war combatants are entitled to directly take part to hostilities and they therefore enjoy a qualified immunity from prosecution if they comply with the rules and principles of IHL.74 Insofar as drone strikes are concerned, this issue has acquired particular relevance when the German Attorney General has decided to decline prosecution for a drone strike that had killed a German citizen in Pakistan in 2010 as he found that CIA employees, while de jure civilians, could functionally fall within the definition of combatants and their actions would therefore be covered by combatant immunity.75 Contrary to this view, the UN Special Rapporteur on Extra-judicial Killings (SR on EJK) had however already indicated that the personnel of intelligence agencies do not enjoy the same immunity that international law grants to members of the armed forces and, as a consequence, CIA personnel taking part in drone strikes should be prosecuted pursuant to applicable national laws for the crime of murder whenever they engage in lethal drone strikes.76 Given the highly contentious nature of the matter at hand, it would seem appropriate to leave these determinations to the judiciary rather than to the prosecution alone. It should also be stressed that, in case of grave breaches of IHL, as is the willful killing of a civilian, combat immunity does not shield either civilians or combatants77 and, since the qualification of a victim should be reached at the merits phase, status determination should be ascertained in a court of law, rather than being used as a procedural tool hindering justiciability.

 Accordingly Emmerson Report cit., paras. 33–36.  On a functional approach to the obligation to investigate see in higher detail Gervasoni (2017). 74  AP I, Article 43, para.2. 75  Claus Kreß, Aerial Drone Deployment on 4 October 2010 in Mir Ali/Pakistan, (Case No. 3 BJs 7/12-4) Decision to Terminate Proceedings, Germany, Federal Prosecutor General, 23 July 2013, 157 ILR 122, at 758. For a comment on this decision see Daskal (2015). 76  Alston Report cit., para. 71. For a detailed discussion of the different approaches of the German Federal Prosecutor General and that of the UN Special Rapporteur on EJK, leaning towards the latter’s assessment, see Heinsch and Poulopoulou (2017), pp. 77–78. Accordingly see also Vogel (2011), pp. 134–135. 77  To this end see IMT Charter, Article 7 and Control Council Law No. 10, Art. II(4)(a); Statute of the International Criminal Tribunal for the Former Yugoslavia, Article 7(2); Statute of the International Criminal Tribunal for Rwanda, Article 6(2); Statute of the International Criminal Court, Article 27. In national proceedings see Eichmann, 36 ILR at 308-311 (Isr. S. Ct.); Pinochet [1999] 2 All E.R. at 111–115. 72 73

340

L. Gervasoni

4.2  I nternal Versus External Perspective (or Constitutionalism Versus International Law) A more sophisticated argument suggests that there is no direct contrast between avoidance doctrines and the right of access to justice and reparation because the former, rather than impeding access to court, merely defines the area of what can become a matter of contention before a judge. According to those who support this conclusion, a deficit in accountability is both unavoidable and required by reason of judiciary deference to the executive, at the very least in (non-better-defined) “emergency situations”.78 Such a “decisionist” characterization of law, viewed as an integration of decisions and norms,79 envisages the existence of grey areas where the executive enjoys a widespread discretion to trace the divide between the area of legality and that of politics, re-framing by reference to its own practice the scope of application of legal norms.80 The decisionist theory thus places this branch over and above legal prescriptivism and makes it immune from any accountability, on the one hand, while providing it with the ability to single-handedly shape the legal system, on the other.81 Under this representation, avoidance doctrines define justiciability proper, i.e. they identify what falls within the purview of the judiciary itself. Decisions mirroring this rationale fall within a well-traced line of rulings justifying the validity of non-justiciability by reference to “its capacity to reflect the proper distribution of functions between the judicial and the political branches of the Government on matters bearing upon foreign affairs”.82 As is apparent by the very wording of this argument, the motivation provided by courts when dismissing nowadays claims brought by victims of drone strikes closely resembles past phenomenology of avoidance doctrines. Accordingly, the validity of avoidance doctrines would be harnessed to that “cornerstone of modern constitutionalism”83 that is separation of powers. Under this light, domestic courts have often taken the stance that decisions in areas of foreign policy and control of the armed forces maintain a primarily political nature84 allegedly falling outside “the legal forms and jurisdiction typifying the abilities of a judge”.85 In terms of effectiveness of international law—which, in the case at hand, directly translates into the effective safeguard of victims’ rights—, this is probably the most  See to this end Wittes (2009), p. 112; Vermeule (2009), pp. 1132 and 1097.  Demiray (2010). 80  Delacroix (2005); for a critique to the decisionist approach see in higher detail Dyzenhaus (2011). On the decisionist theory see Schmitt (2007), arguing that in abnormal situations a need to take decisions in unrolled situations justifies the executive to do so without any supervision. 81  For an analysis of differences and similarities between epistemic authority and decisionism see Rosen (2014). 82  Emphasis added. Banco National de Cuba v. Sabbatino, 376 US 398,423,427 (1963). By the same token, United States v. Verdugo-Urquidez, 110 S.Ct 1056, 29 ILM (1990) 441, at 449–450. 83  Haljan (2013), pp. 31–35. 84  Ibid., pp. 47–48. 85  Ibid., p. 60. 78 79

Overflying Justiciability? Drones and Avoidance Doctrines Before National Courts

341

problematic characterization of avoidance doctrines, since insinuating the existence of a clash between the right of access to justice and reparation and the very foundation of the forum State’s constitutional system has the potential to make entirely hollow the protection of individual rights. Indeed, it is well known that, from the intrinsically “external perspective” of international law, domestic legal concerns—even of a constitutional nature—cannot be adduced as justifications for internationally wrongful acts. Thus, as far as avoidance doctrines and targeted killing go, the joint operability of international human rights law and IHL requires States to harmonize their internal legal systems with conventional provisions and to provide victims with effective local remedies, whose absence would amount in and by itself to a violation of a State’s international obligations.86 It is indeed from this “outsider’s view of [S]tate conduct”87 that the UN Special Rapporteur on EJK has averred in relation to drone strikes that “efforts should be strengthened to bring perpetrators of unlawful killings, be they military contractors, intelligence agents, high  - or low  - ranking Government officials, to justice”.88 Still by this perspective, the UN Human Rights Committee has expressed its concern about the “lack of accountability for the loss of life resulting from [the US practice of targeted killing]”, further recommending the State to “conduct independent, impartial, prompt and effective investigations of allegations of violations of the right to life and bring to justice those responsible [and] [p]rovide victims or their families with an effective remedy where there has been a violation”.89 However, when a well-entrenched jurisprudential doctrine envisages the existence of a full-out contrast between the principle of division of power and international law obligations, how likely is it that a court could give precedence to the latter over the former? It has been argued that the problem at the origin of this seemingly irreconcilable clash between the constitutional principle of division of powers and international law lays in the fact that the latter remains “willfully blinded by [its] external perspective to constitutional peculiarities” and it therefore ignores relationships among national actors “which go to fashioning law and the rule of law in a national setting”.90 As a consequence, the dualism between international and national law could not easily be overcome by giving precedence to one body of law over the

 UN Basic Principles on the Right to a Remedy and Reparation cit., Principle 2(c). To this end see also International Law Commission, Articles on Responsibility of States for Internationally Wrongful Acts (hereinafter ARSIWA), Article 32, as to the “irrelevance of internal law” and HRC, General Comment No. 31 cit., para. 13 as to the shared position of international human rights bodies in this regard. By the same token see, inter alia, the separate opinion of judge Cancado Trindade in Massacre of Pueblo Bello case cit., para. 23. 87  Haljan (2013), p. 14. 88  Christof Heyns, Follow-up to Country Recommendations—United States of America, UN Doc. A/HRC/20/22/Add.3, 30 March 2012, para. 88. 89  HRC, Concluding Observations on the Fourth Periodic Report of the United States of America, UN Doc. CCPR/C/USA/CO/4, 23 April 2014, para. 9. 90  Haljan (2013), pp. 27–31. 86

342

L. Gervasoni

other.91 This conundrum is well mirrored in practice by the ongoing contrast between the US and the UN Special Rapporteur on EJK who has stressed that: the nearly universal sense I was given during my visit […] is that systematic accounting of, and prosecutions for, wrongful deaths are unlikely. In short, war crimes prosecutions in particular are politically radioactive.92

This difficulty in reconciling constitutionalism and international law is at the core of the controversy insofar as avoidance doctrines and targeted killing are concerned, with a clear and unavoidable detrimental effect over efficiency in the promotion and protection of fundamental rights as some States’ judiciaries are extremely reluctant to accept that they not only have the right but also the duty, under international law, to grant access to justice to victims of drone strikes. Some of them are equally resistant to accept that international law has a role to play in their considerations, rejecting any argument grounded on international human rights law and actually behaving as if international obligations in this realm did not bear any value. In this regard, the US attitude in its latest Universal Periodic Review has been particularly revealing, clarifying that “[t]he US supports recommendations calling for prohibition and vigorous investigation and prosecution of any serious violations of international law, as consistent with existing US law, policy and practice”, while explicitly rejecting  “portions of these recommendations concerning reparation, redress, remedies, or compensation”.93

5  Alternative Pathways to Justice Since avoidance doctrines, if anchored to separation of power logics, are effectively used to “block international norms that did not receive the express approval of the country’s legislature”,94 the problem with them is not only the need to underline their incompatibility with international law, but also to find a way to overcome their devastating effect in practice. Henceforth, it should be noted first and foremost that what is represented by some as an irreconcilable conflict between constitutionalism and international obligations may very well not be a real conflict after all. A proper interpretation of domestic legal provisions in light of international law shows that both legal systems could actually be fully respected.95 Something of the sort has been recently done by  Ibid.  Alston Report cit., para. 60. 93  Emphasis added. Human Rights Council, Report of the Working Group on the Universal Periodic Review—Views on conclusions and/or recommendations, voluntary commitments and replies presented by the State under review, UN Doc. A/HRC/16/11/Add.1, 8 March 2011, para. 14. 94  See accordingly Benvenisti (1993), pp. 173–175. 95  Trindade (2011), pp.  84 and 86: “The judicial power ought to apply the treaty norms in the domestic legal order effectively, and to ensure that they are respected. This means that the national legislature and the judiciary have a duty to provide and apply effective local remedies against 91 92

Overflying Justiciability? Drones and Avoidance Doctrines Before National Courts

343

the UK Supreme Court which, following suit in the erosion of the non-justiciability prerogative already triggered by previous judgments,96 has reached a decision in stark contrast with the Noor Khan jurisprudence, averring that “in deciding whether an issue is non-justiciable, English law will have regard to the extent to which the fundamental rights of liberty, access to justice and freedom from torture are engaged by the issues raised”, and finding “no basis for accepting a yet further doctrine whereby United Kingdom courts might be precluded from investigating acts of a foreign state”.97 The recalled judgment offers a further inspiration: while some of the States responsible for drone strikes may not be willing to grant an effective remedy to victims, the very nature of drone operations often requires the involvement of third States which may be called into question—and whose officials’ responsibility may be entangled—due to their role in the targeting process.98 As a consequence, it may prove extremely effective to turn to countries which assist in these killings by means of intelligence or logistic support, in order to hold them and their organs responsible for the role they played in adding and assisting targeting States.99 As a matter of fact, knowingly providing a facility essential to a wrongful conduct, permitting the use of a State’s territory to use force against a third State,100 or aiding in the commission of human rights violations101 are prototypical conducts triggering a State’s responsibility due to complicity. Accordingly, locating a target for a drone strike would squarely fall within the scope of the material conduct of aid and assistance.102 This line of argument has been pursued and rejected, as we have seen, before the UK judiciary in the recalled Noor Khan case.103 The conclusion thus reached, nonetheless, seems to amount in and by itself to a breach of the right of access to court and reparation: no violation of third State immunity from foreign civil jurisdiction would indeed be integrated by a mere analysis incidenter tantum of such a State’s behavior. In line with this argument, international judicial and quasi-judicial bodies have already had occasion to deliver judgments over the responsibility of a State for its complicity in a third party’s human rights violations, even when they did not have jurisdiction over the latter.104 The soundness of this reasoning finds further confirmation in the violations not only of the rights constitutionally foreseen but also of the rights enshrined in human rights treaties which bind the State at issue”. 96  Scott (2015), p. 3, who argues that such an erosion had already started following the joint appeals in Serdar Mohammed v. Ministry of Defence and Rahmatullah v. Ministry of Defence. 97  Belhaj & Rahmatullah (No 1) v. Straw and Others [2017] UKSC 3, January 2016. On this judgment in higher detail see Simonsen (2017); Gibson (2017), p. 113. 98  To this end see, inter alia, Gibson (2017), pp. 105–106. 99  Cvijic and Klingenberg (2017), p. 40. 100  Draft Articles on Responsibility of States for Internationally Wrongful Acts, Article 16, Commentary, para. 8. 101  Ibid., para. 9. 102  Moynihan (2016), p. 8. 103  In higher detail on this case see Gibson (2017), pp. 103–104. 104  El-Masri v. the former Yugoslav Republic of Macedonia (App No. 39639/09), ECtHR, Grand Chamber, judgment of 13 December 2011, para. 211; Al Nashiri v. Poland (App No. 28761/11),

344

L. Gervasoni

very judgment delivered by UK Supreme Court in the case of Belhaj v. Straw,105 which has rejected the idea that courts may be prevented from judging upon the UK’s responsibility only because doing so would entail consideration of third States’ conducts. A further venue to seek redress may be found in the judiciary of those States on whose territories drone strikes take place. Indeed, “disclosure of these killings is critical to ensure accountability, justice and reparation for victims or their families”,106 a result that may be at least in part achieved through such legal action. Thus, for instance, the Peshawar High Court in Pakistan has found that more than 1449 Pakistani civilians were killed between 2008 and 2012 and directed the Pakistani Government to do whatever was in its power to prevent future drone strikes on its soil.107 Again, following a complaint filed by Karim Khan, in 2014 the Islamabad High Court ordered the local police to initiate a criminal investigation into the involvement of the CIA personnel stationed in Pakistan in relation to their involvement in the drone strikes perpetrated on Pakistani soil. Also in this connection, however, a vacuum in accountability and redress still remains. Not only because, as already noticed by commentators, drone strikes continue to take place regardless of the recalled decisions,108 but also because of the practical difficulties of apprehending, judging and sanctioning those responsible, and seizing their goods for reparation. A final way that may prove useful in overcoming the obstacles posed by avoidance doctrines would be to resort to universal titles of jurisdiction in States other than those directly involved in or by targeted strikes.109 Even though such a pursuit would seem to be hardly workable in terms of suits directed at third States due to well-known principles of sovereign immunity,110 the same cannot be said for either criminal prosecution or actions in tort damages directed against those personally responsible of the grave violation of international law complained of.111 In this ECtHR, judgment of 24 July 2014, para. 516; Husayn (Abu Zubaydah) v. Poland (App No. 7511/13), ECtHR, judgment of 24 July 2014, para. 511. HRC, Alzery v. Sweden, Views of 25 October 2006, para. 11.6. For a critical comment of the recalled decisions see Scheinin (2014) and Nollkaemper (2012). 105  Belhaj & Rahmatullah, case cit. 106  Akbar (2017), pp. 95–96. 107  Peshawar High Court, Foundation for Fundamental Rights vs. Federation of Pakistan and Four Others, May 11, 2013. 108  Akbar (2017), pp. 95–96. 109  Keith Hall (2003), p. 111, considering universal jurisdiction “one way of making the right recognized in Article 8 of the Universal Declaration to an effective remedy in national courts”. On the principle of universal jurisdiction see also, inter alia, Wolfrum (1994). 110  ICJ, Jurisdictional Immunities of the State (Germany v. Italy), Judgment of 3 February 2012, I.C.J. Reports 2012, p. 99. 111  Whereas currently senior sitting officials continue to enjoy qualified immunity (ICJ, Arrest Warrant of 11 April 2000 (Democratic Republic of the Congo v. Belgium), Judgment of 14 February 2002, I.C.J. Reports 2002, p. 3, paras. 54–55), the same does not apply to former high officials, including heads of State.

Overflying Justiciability? Drones and Avoidance Doctrines Before National Courts

345

regard, it should be pointed out that both IHL and international human rights law apply to States other than those directly involved in armed conflict112 or directly responsible for violations of international law.113 Moreover, fundamental principles of IHL and some human rights law norms, including those related to the right of access to justice and reparation, have arguably obtained the status of customary international law, with the consequence that their reach and the obligations deriving from them go well beyond the States directly interested by the relevant conducts,114 creating obligations erga omnes which every State has a legal interest to protect.115 When such violations occur, every State has a right to demand the cessation of the wrongful act and reparation for the persons affected.116 Furthermore, the general duty to respect and ensure respect, both in IHL and human rights law, entails that all States should take all the appropriate measures to safeguard compliance with conventional obligations, even when their breach derives from another State’s conduct. Indeed, the 1949 Geneva Conventions establish that every State party is under an obligation to ensure that the Conventions are complied with, bearing a positive obligation to prevent and bring violations to an end.117 It further specifies that States “shall be under the obligation to search for persons alleged to have committed, or have ordered to be committed, […] grave breaches and shall bring such persons, regardless of their nationality before its own court”,118 thus bringing them to justice pursuant to universal titles of jurisdiction.119 This requirement is mirrored in Principle 16 of the Basic Principles and Guidelines on the Right to a Remedy and Reparation, which extends such an obligation to cases of “gross violations of international human rights law”, clarifying that “in these cases, States should […] cooperate with one another and assist ­international

 Chetail (2003).  ICJ, Wall Opinion, case cit. para. 106. 114  Article 36 Vienna Convention on the Law of Treaties (adopted on 23 May 1969, entered in force 27 January 1980). 115  ICJ, Barcelona Traction, Light and Power Company Limited (Belgium v. Spain), Judgment of 24 July 1964, I.C.J. Reports 1970, p. 3, para 33. 116  Cassese (2010), p. 416. 117  ICJ, Wall Opinion, case cit., paras. 157 and 158; ICRC, Commentary on the First Geneva Convention: Convention (I) for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field, 2016, paras. 37 paras. 42, 43 and 48; ICRC, Improving Compliance with IHL, 2004, p. 2. 118  Geneva Convention IV, Article 146. To this end see also the Rome Statute of the International Criminal Court, Preamble, paras. 4–6: “the most serious crimes of concern to the international community as a whole must not go unpunished […] it is the duty of every State to exercise its criminal jurisdiction over those responsible for international crimes”. Notably, even though neither the IV 1949 Geneva Conventions nor their 1977 Additional Protocols expressly provide for universal jurisdiction for violations of IHL in non-international armed conflicts, substantial State practice demonstrates that national courts can exercise universal jurisdiction over persons allegedly responsible for such violations. To this end see Keith Hall (2003), pp. 121–122. 119  The Princeton Principles on Universal Jurisdiction, Princeton University, 2001, Principle 1. 112 113

346

L. Gervasoni

judicial organs competent in the investigation and prosecution […] States shall incorporate or otherwise implement within their domestic law appropriate provisions for universal jurisdiction”.120 In particular, it could be argued that extrajudicial executions, in both times of peace and armed conflict, fall within those crimes that impose or at least permit the exercise of universal jurisdiction.121 Importantly, this might go to fashioning both criminal and civil jurisdiction,122 especially considering the role that victims are granted in the criminal process in multiple (for the majority, civil law systems) legislations.123 In line with this assessment, UN Special Procedures have already recommended States to abide by the aut dedere aut judicare principle.124 It should be noticed, nonetheless, that universal civil and criminal jurisdiction lacks mechanisms which may render effective decisions taken in this area on third States’ soil125 and may be hard to pursue since hindrances similar to those characterizing typical avoidance doctrines might be coupled with further obstacles to prosecution and reparation relating to standing and further jurisdictional concerns.

6  C  onclusions: Targeted Killings and Avoidance Doctrines as Intertwined Façades International law places on States a duty to grant a judicial review of the decision to target and kill a pre-identified person as well as of the lawfulness of any such a killing once the victim has been deprived of his life, granting full reparation whenever a violation of IHL or human rights law occurs.126 Being the right to an effective remedy a basic pillar of the rule of law itself, moreover, it is exactly under emergency scenarios that the protections it grants become all the more crucial: since the link between the principle of legality and the right to an effective remedy is inextricable, in fact, judicial guarantees cannot be either suspended nor derogated from.127

 UN Basic Principles on the Right to a Remedy and Reparation cit., Principles 4 and 5. To this end see also Tomuschat (2002a, b), pp. 315, 325, and 326; Bassiouni and Wise (1995), pp. 21–25 and 51–55, arguing that this principle is paralleled by the evolution of a customary rule to prosecute the most serious human rights violations. 121  UN Principles on the Effective Prevention and Investigation of Extra-legal, Arbitrary and Summary Executions, 1989, Principle 18; UN Commission on Human Rights, Resolution 2000/31 of 20 April 2000, para. 4. Accordingly see also Keith Hall (2003), p. 118; Ratner et al. (2009), pp. 72 and 87. 122  Ronzitti (2007). 123  Zappalà (2003), p. 219. 124  Alston Report cit., para. 90. 125  Ronzitti (2007). 126  See accordingly Alston (2011), pp. 391–392. 127  See IACtHR, Advisory Opinion of 30 January 1987, paras. 24, 26, 27, 36, 43 and 44. 120

Overflying Justiciability? Drones and Avoidance Doctrines Before National Courts

347

Under this light, “accountability for violations of international human rights law is not a matter of choice or policy; it is a duty under domestic and international law”.128 However, one particularly controversial feature of drone strikes relates to the insurmountable hindrances that impede access to justice and reparation to victims and their families.129 Indeed, since their first systematic deployment in the international arena, the use of armed drones has largely resulted in an “accountability vacuum”.130 As noted by the former UN Special Rapporteur on Extrajudicial, Summary or Arbitrary Executions, “there is no evidence in relation to targeted killings to indicate that they provide anything other than a façade of legality to dignify official lawlessness”.131 Interestingly enough, the same expression had previously been used to suggest that behind the “façade of legality” they offer, avoidance doctrines are actually the incarnation of “judicial timidity” related to courts’ unwillingness to get involved in the “mysterious realm of international politics”.132 This coincidence is quite peculiar insofar as two practices which—on the face of it—would seem to be only remotely related, in practice significantly reinforce each other: while one endangers the fundamental rights of persons selected as targets of lethal strikes, the other waters down the procedural guarantees aimed at avoiding an arbitrary use of lethal force. It thus appears that, when jointly considered, drone strikes and targeted killing have the devastating effect of placing a person outside the protection of the law, leaving his fate to the will of the executive power alone. So that the current state of affairs seem to perfectly embody Voltaire’s avowal that “all murderers are punished unless they kill in large numbers and to the sound of trumpets”, consecrated by the deafening silence of courts that, envisaging areas of non-justiciability, provide their governments with “effective shields against judicial review”133 and thus leave victims in situations of “virtual defencelessness”,134 regardless of their right of access to justice and to an effective remedy. In other words, States kill to the sound of trumpets, while victims die in the silence of courts. Against this background, victims do have the chance of resorting to alternative judicial venues, pursuing justice and reparation in fora other than those of the States responsible for drone strikes. It should however be kept well in mind that at this stage no solution seems to be immune of significant hurdles, so that the chances of victims of targeted killing being restored in their violated rights remain “very meagre”.135 Nonetheless, a continuous engagement before national judiciaries  Christof Heyns, Report of the Special Rapporteur on Extrajudicial, Summary or Arbitrary Executions—Armed Drones and the Right to Life, UN Doc. A/68/382, 13 September 2013, para. 97. 129  Amnesty International, The UN Human Rights Committee’s Proposed General Comment on the Right to Life—Preliminary Observations, London, 2005, p. 35. 130  Alston Report cit., para. 92. 131  Alston (2011), p. 293. 132  Benvenisti (1993), p. 173. 133  Ibid., p. 161. 134  Trindade (2011), p. 194. 135  Ronzitti (2007). Notably, the rare national judgments in the matter of targeted killings which did not make application of avoidance doctrines remain today largely unimplemented in practice. To this end see B’Tselem (2010), pp. 19–20. 128

348

L. Gervasoni

aimed at enforcing international law obligations both in those States that are directly responsible for drone strikes and in other States that may have competence to decide upon a drone-related controversy (or at least upon certain aspects of it) pursuant to different titles of jurisdiction, remains the most effective way to pursue justice and accountability for victims of unlawful drone strikes. This perspective, as some of the latest judicial outcomes show, invites for (an albeit cautious) optimism for future litigation.

References Akbar, Shahzad. 2017. Drones: Beyond the Myths of Precision and Legality. In Litigating Drone Strikes, Challenging the Global Network of Remote Killing, ed. Wolfgang Kaleck and Andreas Schuller, 88–101. Berlin: European Center for Constitutional and Human Rights. Alston, Philip. 2011. The CIA and Targeted Killings Beyond Borders. Harvard National Security Journal 2: 283–446. Amoroso, Daniele. 2011. A Fresh Look at the Issue of Non-justiciability of Defence and Foreign Affairs. Leiden Journal of International Law 23: 933–948. ———. 2015. Judicial Abdication in Foreign and the Effectiveness of International Law. Chinese Journal of International Law 14: 99–134. B’Tselem. 2010. Void of Responsibility: Israel Military Policy Not to Investigate Killings of Palestinians by Soldiers, 19–20. http://www.btselem.org/Download/201009_Void_of_ Responsibility_Eng.pdf. Bassiouni, Cherif M. 2002. Accountability for Violations of International Humanitarian Law and Other Serious Violations of Human Rights. In Post Conflict Justice, ed. Cherif M. Bassiouni, 383–442. Leiden: Brill/Nijhoff. ———. 2006. International Recognition of Victims’ Rights. Human Rights Law Review 6: 203–279. Bassiouni, Cherif, and Edward M. Wise, eds. 1995. Aut Dedere Aut Judicare: The Duty to Extradite or Prosecute in International Law. Leiden: Brill. Ben-Naftali, Orna, and Keren R. Michaeli. 2003. Justice-Ability: A Critique of the Alleged Non-­ justiciability of Israel’s Policy of Targeted Killings. Journal of International Criminal Justice 1: 368–405. Benvenisti, Eyal. 1993. Judicial Misgivings Regarding the Application of International Law: An Analysis of Attitudes of National Courts. European Journal of International Law 4: 159–183. Benvenisti, Eyal, and George W. Downs. 2009. National Courts, Domestic Democracy, and the Evolution of International Law. European Journal of International Law 20: 59–72. Brown, George D. 2011. Accountability, Liability, and the War on Terror-Constitutional Tort Suits as Truth and Reconciliation Vehicles. Florida Law Review 63: 193–249. Cassese, Antonio. 2010. The Character of the Violated Obligation. In The Law of International Responsibility, ed. James Crawford, Alain Pellet, and Simon Olleson, 415–420. Oxford: Oxford University Press. Chetail, Vincent. 2003. The Contribution of the International Court of Justice to International Humanitarian Law. International Review of the Red Cross 85: 235–269. Clapham, Andrew, ed. 2006. Human Rights Obligations of Non-state Actors. Oxford: Oxford University Press. Cvijic, Srdjan, and Lisa Klingenberg. 2017. Armed Drones Policy in the EU: The Growing Need for Clarity. In Litigating Drone Strikes, Challenging the Global Network of Remote Killing, ed. Wolfgang Kaleck and Andreas Schuller, 28–57. Berlin: European Center for Constitutional and Human Rights.

Overflying Justiciability? Drones and Avoidance Doctrines Before National Courts

349

Daskal, Jennifer. 2015. Germany’s Highest Ranking Prosecutor on the Legality of Drone Strikes  – and Much More. Just Security. https://www.justsecurity.org/24440/ germans-highest-ranking-prosecutor-legality-drone-strikes/. Delacroix, Sylvie. 2005. Schmitt’s Critique of Kelsenian Normativism. Ratio Juris 18: 30–45. Demiray, Mehmet R. 2010. Schmitt’s Realist Approach to Law and the Pivotal Significance of the Notion of Legitimacy for an Order of Law. Ankara Law Review 7: 109–126. Dyzenhaus, David. 2011. Emergency, Liberalism, and the State. Perspective on Politics 9: 69–78. Evans, Christine, ed. 2012. The Right to Reparation in International Law for Victims of Armed Conflicts. Cambridge: Cambridge University Press. Gervasoni, Luca. 2016. Assassination and Targeted Killing in Times of Armed Conflict: A Clash of Theory and Practice. Bicocca Open Archive. https://boa.unimib.it/retrieve/handle/10281/129669/182598/phd_unimib_705717.pdf. ———. 2017. A Contextual-Functional Approach to Investigations into Right to Life Violations in Armed Conflict. Questions of International Law 36: 5–26. Ghobari, Mohammed, and Phil Stewart. 2017. Commando Dies in US Raid in Yemen, First Military op OK’d by Trump. Reuters, January 29. https://uk.reuters.com/article/uk-usa-yemen-qaeda/ commando-dies-in-u-s-raid-in-yemen-first-military-op-okd-by-trump-idUKKBN15D094. Gibson, Jennifer. 2017. The US’s Covert Drone War and the Search for Answers: Turning to European Courts for Accountability. In Litigating Drone Strikes, Challenging the Global Network of Remote Killing, ed. Wolfgang Kaleck and Andreas Schuller, 102–117. Berlin: European Center for Constitutional and Human Rights. Greenwald, Glenn. 2011. The Killing of Awlaki’s 16-Year-Old Son. Salon, October 20. https:// www.salon.com/2011/10/20/the_killing_of_awlakis_16_year_old_son/. Griffin, Jennifer. 2011. Two U.S.-Born Terrorists Killed in CIA-Led Drone Strike. Fox News, September 30. Haljan, David, ed. 2013. Separating Powers: International Law Before National Courts. The Hague: Springer. Hartley, Trevor C., and John Aneurin Grey Griffith, eds. 1981. Government and Law: An Introduction to the Working of the Constitution in Britain. London: Widenfeld and Nicolson Publishers. Heinsch, Robert, and Sofia Poulopoulou. 2017. Difficulties in Prosecuting Drone Strikes as a War Crime Under International Law: An International Humanitarian Law Perspective. In Litigating Drone Strikes, Challenging the Global Network of Remote Killing, ed. Wolfgang Kaleck and Andreas Schuller, 58–87. Berlin: European Center for Constitutional and Human Rights. Heller, Kevin J. 2011. Judge Bates’s Infernal Machine. University of Pennsylvania Law Review 159: 183–188. Henckaerts, Jean-Marie, and Louise Doswald-Beck, eds. 2005. Customary International Humanitarian Law. Cambridge: Cambridge University Press. Henkin, Louis. 1976. Is There a “Political Question” Doctrine? Yale Law Journal 85: 597–625. Kalshoven, Frits. 1991. State Responsibility for Warlike Acts of the Armed Forces. International and Comparative Law Quarterly 40: 827–858. Kalshoven, Frits, and Liesbeth Zegveld, eds. 2011. Constraints on the Waging of War. Cambridge: Cambridge University Press. Keith Hall, Christopher. 2003. Contemporary Universal Jurisdiction. In Human Rights and Criminal Justice for the Downtrodden, Essays in Honour of Asbjorn Eide, ed. Morten Bergsmo, 111–137. Leiden: Martinus Nijhoff Publishers. Mann, F.-A., ed. 1986. Foreign Affairs in English Courts. Oxford: Oxford University Press. Mazzeschi, R. Pisillo. 2003. Reparation Claims by Individuals for State Breaches of Humanitarian Law and Human Rights: An Overview. Journal of International Criminal Justice 1: 339–347. Melzer, Nils, ed. 2008. Targeted Killing in International Law. Oxford: Oxford University Press. Moynihan, Harriet. 2016. Aiding and Assisting: Challenges in Armed Conflict and Counterterrorism. Chatham House Research Paper.

350

L. Gervasoni

Nicholson, Matthew. 2015. The Political Unconscious of the English Foreign Act of State and Non-justiciability Doctrine(s). International and Comparative Law Quarterly 64: 743–781. Nollkaemper, André. 2012. The ECtHR Finds Macedonia Responsible in Connection with Torture by the CIA, but on What Basis? EJIL:Talk! https://www.ejiltalk.org/the-ecthr-finds-macedonia-responsible-in-connection-with-torture-by-the-cia-but-on-what-basis/. Nowak, Manfred. 2000. The Right of Victims of Gross Human Rights Violations to Reparation. In Rendering Justice to the Vulnerable, ed. Fons Coomans, 203–224. The Hague: Kluwer Law International. Provost, René, ed. 2002. International Human Rights and Humanitarian Law. Cambridge: Cambridge University Press. Ratner, Steven R., et al., eds. 2009. Accountability for Human Rights Atrocities in International Law, Beyond the Nuremberg Legacy. New York: Oxford University Press. Roht-Arriaza, Naomi, ed. 1995. Impunity and Human Rights in International Law and Practice. New York: Oxford University Press. Ronzitti, Natalino. 2007. Access to Justice and Compensation for Violation of the Law of War. In Access to Justice as a Human Right, ed. Francesco Francioni. New York: Oxford University Press. Rosen, Arie. 2014. Two Logics of Authority: Reasons and Fiat in Modern Law. Jean Monnet Working Paper. Rushe, Dominic, and Chris McGreal. 2011. Anwar Al-Awlaki’s Death: US Keeps Role Under Wraps to Manage Yemen Fallout. The Guardian, September 30. Sassoli, Marco. 1988. The Victim Oriented Approach of International Humanitarian Law. Victims, nouvelles études pénales: 147–180. Scheinin, Martin. 2014. The ECtHR Finds the US Guilty of Torture  – As an Indispensable Third Party? EJIL:Talk! https://www.ejiltalk.org/ the-ecthr-finds-the-us-guilty-of-torture-as-an-indispensable-third-party/. Schmitt, Carl, ed. 2007. The Concept of the Political. Chicago: University of Chicago Press. Scott, Paul. 2015. The Vanishing Law of Crown Act of State. https://eprints.soton.ac.uk/384044/1/ The%2520vanishing%2520law%2520of%2520Crown%2520act%2520of%2520state.pdf. Shelton, Dinah, ed. 2005. Remedies in International Human Rights Law. Oxford: Oxford University Press. Simonsen, Natasha. 2017. The UK Supreme Court’s Blockbuster Decision in Belhaj. EJIL: Talk! https://www.ejiltalk.org/the-uk-supreme-courts-blockbuster-decision-inbelhaj/. Tomuschat, Christian. 2002a. Reparation for Victims of Grave Human Rights Violations. Tulane Journal of International and Comparative Law 10: 157–184. ———. 2002b. The Duty to Prosecute International Crimes Committed by Individuals. In Tradition un Weltoffenheit des Rechts: Festschrift fur Helmut Steineberger, ed. Hans-Joachim Cremer, Thomas Giergerich, Dagmar Richter, and Andreas Zimmermann. The Hague: Springer. Trindade, Antonio A.C., ed. 2011. The Access of Individuals to International Justice. Oxford: Oxford University Press. Verdoot, Albert, ed. 1963. Naissance et signification de la Déclaration Universelle des Droits de Homme. Louvain: Nauwelaerts. Vermeule, Adrian. 2009. Our Schmittian Administrative Law. Harvard Law Review 122: 1098–1149. Vogel, Ryan J.  2011. Drone Warfare and the Law of Armed Conflict. Denver Journal of International Law and Policy 39: 134–135. Weill, Sharon, ed. 2014. The Role of National Courts in Applying International Humanitarian Law. Oxford: Oxford University Press. Wittes, Benjamin, ed. 2009. Law and the Long War: The Future of Justice in the Age of Terror. Washington D.C.: Brookings. ———. 2011. No Appeal in Al-Aulaqi. Lawfare. http://www.lawfareblog.com/2011/02/ no-appeal-in-al-aulaqi/.

Overflying Justiciability? Drones and Avoidance Doctrines Before National Courts

351

Wolfrum, Rudiger. 1994. The Decentralized Prosecution of International Offences Through National Courts. Israel Y.B. International Law Journal 24: 183–189. Zappalà, Salvatore, ed. 2003. Human Rights in International Criminal Proceedings. Oxford: Oxford University Press. Zegveld, Liesbeth. 2003. Remedies for Victims of Violations of International Humanitarian Law. International Review of the Red Cross 85: 497–526.

Part IV

Conclusions

New Technologies in International (and European) Law—Contemporary Challenges and Returning Issues Maurizio Arcari

Abstract  The article argues that the contributions gathered in the book help to dispel the “fog of technologies”, i.e., the uncertainty lawyers face when confronting the challenges posed by new technologies. Overall, the chapters are effective in dealing with the challenges that new technologies pose for International and European law at the three different levels of spaces, actors and governance and they eventually contribute to provide an updated and complete overview of this complex issues. To underscore how challenging it can be to attempt to reach some concluding remarks in a book devoted to new technologies in International and European law amounts to a statement of the obvious. That new technologies represent a complex and multifaceted topic is widely demonstrated by the sixteen contributions gathered in this book: they cover issues ranging from high-tech migration control to information cooperation tools for law enforcement purposes; from the use of unmanned aerial vehicles to the training and education of armed forces in high-tech hostilities; and from the gathering and transfer of digital data to the contrast of illegal hate speech online, with all the related problems of attribution, jurisdiction, and enforcement which can arise therefrom. To these issues one may add problems relating to autonomous weapons systems and to the exploitation of space resources, which have been the object of two scholarly debates published elsewhere under the supervision of the two editors of this book.1 A further overlook at the complexities of the

 See E.  Carpanelli, N.  Lazzerini, Coming Soon…? A Reappraisal of the Legal and Ethical Implications of Autonomous Weapons Systems (AWS) ahead of the First Meeting of the CCW Group of Governmental Experts on Lethal AWS. (2017). 43 QIL-Questions of International Law, with contributions from D.  Amoroso, A.  Spagnolo and O.  Ulgen; and E.  Carpanelli, New Developments and Open Issues Concerning Off-Earth Mining: Interpretative and Law-making Challenges in Light of the Current Legal Regime. (2017). 35 QIL-Questions of International Law, with contributions from T. Masson-Zwaan and N. Palkovitz and S. Freeland, all available at www. qil-qdi.org. 1

M. Arcari (*) University of Milano-Bicocca, Milano, Italy e-mail: [email protected] © Springer Nature Switzerland AG 2019 E. Carpanelli, N. Lazzerini (eds.), Use and Misuse of New Technologies, https://doi.org/10.1007/978-3-030-05648-3_17

355

356

M. Arcari

topic is provided by the recent UN Secretary-General (SG) report on “Harnessing new technologies to achieve the Sustainable Development Goals”, which singles out additional areas that have been substantially impacted by the influence of new technologies: among others, health care, sustainable food systems and food production, education and e-learning, action to mitigate climate change.2 Remarkably, the SG report m ­ entions at its very outset a feature which helps to explain the complications affecting the subject under consideration, namely the inherent “dual” impact of new technologies. That is to say, if new technologies “can support the shared goals of humanity”, at the same time “they are not risk-free”, insofar as “they can be used to malicious ends and can have unintended negative consequences”.3 One can argue that, if new technologies are inherently tricky to manage from a legal perspective by reason of their innovative technical peculiarities (i.e., the difficulties arising from the legal governance of Internet, due to the dematerialized character of the cyberspace), legal hurdles cannot but be multiplied when the “distorted” use of new technologies reaches the forefront and when the need arises to shield humans from the threats generated by such distorted uses (i.e., the need to prevent and protect against the abusive use of communication technologies by terrorist and extremist propaganda). All these complexities considered, the use of the image of the “fog of technology” to identify the situation of uncertainty that lawyers face when confronting the challenges posed by new technologies seems to be entirely appropriate.4 In light of such challenges, a fresh approach aiming at construing an appropriate normative framework for technology-driven innovations seems to be unescapable.5 If such an approach can be welcomed, at least for providing an adequate taxonomy of new technologies and their related regulations, it is however also essential to ask and try to understand what role international law and the traditional categories thereof may perform in this respect. Before addressing this point, it is however important to identify some cross-­cutting themes which are characteristic of the topic under review. In this regard, it is hardly debatable that the main challenges posed by new technologies to international law arise at the three different but interconnected levels of spaces, actors and normativity/governance. Most of the contributions gathered in the book are prominent in conveying the idea that the classic notions of “space” and “territory”, as well as the tools traditionally used for delimiting them, i.e. frontiers, are severely challenged by current technological developments. This clearly emerges, for example, from the examination of instruments relating to the control of mobility across frontiers and of migration flows, or concerning police and judicial criminal cooperation, in the context of which the concepts of “smart borders” and interoperable ­environment have been advanced.6 The above dimension is not estranged from topics such as the use of  See “Harnessing new technologies to achieve the Sustainable Development Goals” (2018) UN Doc. E/2018/66, pp. 3–4, paras. 6–14. 3  Ibid., p. 3, para. 2. 4  See Hollis (2015), p. 489. 5  See the chapter by F. De Vanna. 6  See the chapters by P. Hanke and D. Vitiello and by S. Montaldo. 2

New Technologies in International (and European) Law—Contemporary…

357

drones and targeted killings, where the same very notions of battlefield with its boundaries, and of jurisdiction with its limits, are placed at stake.7 The concept of an “a-territorial” space without established borders, where the traditional prerogatives of State’s jurisdiction can hardly be displayed, is even more compelling when issues concerning the governance of Internet and cyberspace are approached.8 Taken together, the insights contained in the chapters of this book provide support for the idea that a movement towards the “de-­territorialization” of international law is currently ongoing.9 The conclusion that new technologies are contributing to a progressive demise of the territorial element, at least as traditionally conceived in international law, is something that can be convincingly argued in light of the phenomena analyzed in this book.10 What however seems noteworthy for the present purposes is that the above trend towards de-territorialization does not appear in isolation, but is developing in parallel with the emergence of new protagonists at the level of international relations, especially in contexts marked by new technological developments. As pointed out by one author with reference to Information and Communication Technologies (ICT), “at the heart of such challenges lie the new ICT, which change the power dynamics between traditional actors (primarily state executives) and new entrants (primarily social media companies) …”.11 In the context of the present book, an awareness of this phenomenon is noted by the point made in one chapter that “in the area of online governance, like in many others, there is no governance without those private actors”.12 It may at some stage be comfortably argued that the topic of new technologies in international law cannot be addressed in isolation from the general issue of the status and role of non-state actors in the international legal order.13 It is exactly at this stage, however, that the third level of impact arising from new technologies becomes evident, i.e., their impact on normativity and governance. The existing interface in the space/actors/ normativity dimensions are neatly outlined in a passage of the above-­mentioned report of the SG, stating that [m]any technologies are designed, developed and deployed on infrastructures or in spaces that remain beyond any single’s State jurisdiction. Increasingly, the decisions that shape the public’s everyday experiences can be influenced by software codes. They are made not by elected officials in parliaments, but by scientists and innovators in private settings. The choices of all these actors will resonate in the coming generations, and not all of the impacts are clear.14

 See the chapters by C. Candelmo and by L. Gervasoni.  See the chapters by K. Podstawa and by O. Feraci. 9  The topic has been developed primarily by Brölmann (2007), pp. 84–109. See also Milano (2015), pp. 53–69. 10  For a more general assessment of the phenomenon and its implications see Ruiz-Fabri (1999), pp. 187–212. 11  Benvenisti (2018), p. 55. 12  See the conclusive section of the chapter by K. Podstawa. 13  See generally on this question d’Aspremont (2011), pp. 1–20. 14  UN Doc. E/2018/66 (2018), at 6, para. 28. 7 8

358

M. Arcari

The point above has been emphasised in different terms with reference to the ICT landscape by two scholars, who have pointed out that “a diverse array of problems rooted in diverse communities of actors … requires diverse normative solutions”. In this vein, they have ultimately called for an alternative, process-­centered approach to normative production in the field of new technologies: “[n]­orms are social creatures that grow out of specific contexts via social processes and interactions among particular groups of actors. Understanding both those contexts and those processes is as important to successful norm construction as agreeing on content”.15 There is no need to elaborate too much in order to recognize that behind these suggestions are echoes of some past American scholarly doctrines, based on a sociological reading of the interplay existing between the multiple protagonists of the international legal order and the law-making function in international law.16 At the same time, it cannot be excluded that the attention paid in different chapters of this book to the role of some “traditional” players such as the EU as a “global standard setting actor”,17 or to the function played in our field by international judicial institutions18 represents an alternative way (expressing a more “continental”, or “positivistic” approach, one would be dare to say) to cope with the normative challenges posed by new technologies. Over and above, the doctrinal and legal responses occasionally elaborated at a regional or local level, one is however left with the critical question concerning the overall role that traditional categories of international law can play in the governance of the challenges under review. Several contributions gathered in this book provide convincing attempts to manage the problems raised by new technologies through the lens of (some) traditional categories of public international law. This is true for example for the chapters claiming that the scope of certain international human rights or international humanitarian law obligations of States are not substantially altered by new technologies,19 as well as for those analyzing questions of responsibility raised by new technologies and demonstrating the vitality of the categories of attribution elaborated under the ILC codification work on the topic,20 or advocating the need for complementarity between the different forms of state/individual accountability.21 But what about the “global” function of international law and the overall attitude of the main users of international law, i.e. States, concerning its role and impact vis-à-vis new technologies? Some interesting clues on this point can be drawn from the consideration of the topic “Developments in the field of information and telecommunications in the context of international s­ ecurity”, which has figured as an item on the agenda of the UN General Assembly (GA) since 1998. As is well known, in 2015 a Group of  Finnemore and Hollis (2016), pp. 427–429.  See in particular the basic tenets of the New Haven school of International Law, aptly summarized by Reisman (1992), pp. 118–125. See also, on the European side, Higgins (1994), pp. 38–55. 17  See the chapters by S. Saluzzo and by V. Nardone. 18  See the chapters by A. Miglio and M. Gervasi. 19  See respectively the chapters by A. Spagnolo and by M. Longobardo. 20  See the chapters by F. Delarue and by M. Buscemi. 21  See the chapter by D. Amoroso and B. Giordano. 15 16

New Technologies in International (and European) Law—Contemporary…

359

Governmental Experts established by the SG was able to submit to the GA a report containing a set of eleven “recommendations for consideration by States for voluntary, non-binding norms, rules or principles of responsible behavior of States aimed at promoting an open, secure, stable, accessible and peaceful ICT environment”.22 Essentially, this set of recommendations builds on classic principles of international law to address the security challenges raised by ICT, for example by calling on States to cooperate (“States should cooperate”) in developing and applying measures to increase the stability and security in the use of ICT, or by reminding States not to knowingly allow (“States should not knowingly allow”) their territory to be used for internationally wrongful acts using ICTs.23 Besides the rather vague content of these recommendations, the proposals of the Group of Governmental Experts were based on the assumption that “existing obligations under international law are applicable to State use of the ICTs” and on the underlying idea that international law is relevant for the matter at hand.24 That basic approach has proved however to be far from simple, as some States have repeatedly proposed that the topic of ICT security be subject only to a code of conduct based on strictly voluntary acceptance.25 As attested in its 2017 report,26 even the newly appointed Group of Governmental Experts on the matter was unable to reach a consensus on the basic point of applicability on international law to the use of ICTs.27 A draft resolution is actually tabled for the current (2018) GA session, whereby a revised set of international rules, norms and principles of responsible behavior of States in the field of ICTs security has been proposed.28 Interestingly enough, the preamble of the draft resolution is most relevant for revealing the real challenges that lie behind the text. First, it is stressed here that “capacity-building is essential for cooperation of States and confidence-building in the field of ICT security”.29 Second, the preamble endorses the view that “international law, and in particular the Charter of the United  See “Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security” (2015) UN Doc. A/70/174, pp. 7–8, para. 13. 23  See ibid., letters (a) and (c). 24  See ibid., the whole section IV of the report, entitled “How international law applies to the use of ICTs” at 12–13, paras. 24–29 and in particular para. 28(b). 25  See the Annex to the letter dated 9 January 2015 from the Permanent Representatives of China, Kazakhstan, Kyrgyzstan, Russian Federation, Tajikistan and Uzbekistan, proposing an “International code of conduct for information security” (2015) UN Doc. A/69/723, pp. 3–6. 26  See “Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security” (2017) UN Doc. A/72/327, p.  2, para. 5. 27  See Benvenisti (2018), pp. 76–77. 28  See Algeria, Angola, Azerbaijan, Belarus, Bolivia (Plurinational State of), Burundi, Cambodia, China, Cuba, Democratic People’s Republic of Korea, Democratic Republic of Congo, Eritrea, Iran, Kazakhstan, Lao People’s Democratic Republic, Madagascar, Malawi, Namibia, Nepal, Nicaragua, Pakistan, Russian Federation, Samoa, Sierra Leone, Suriname, Syrian Arab Republic, Tajikistan, Turkmenistan, Uzbekistan, Venezuela and Zimbabwe: revised draft resolution, UN Doc. A/C.1/73/L.27/Rev. 1 (29 October 2018). 29  Ibid., 4th paragraph of the preamble. 22

360

M. Arcari

Nations, is applicable and essential to maintaining peace and stability and promoting an open, stable, accessible and peaceful ICT environment”, while at the same time it also underscores the “voluntary and non-binding” character of the relevant norms, rules and principles.30 Third, the preamble insists on the fact that “States have a primary responsibility for maintaining a secure and peaceful ICT environment”, while it also pays lip service to the role of private actors in the field, by recognizing “that effective international cooperation would benefit from identifying mechanisms for the participation, as appropriate, of the private sector, academia and civil society organizations”.31 Also taking into account the composition of the group of countries supporting the draft resolution, there is room for seeing in the passages quoted above the signals of the polarization between Western/Eastern or Developed/ Developing States which so often splits the GA over vital political issues. At this stage it can be premature to foresee the outcomes of this debate, it is clear however that the legal regulation of new technologies is doomed to be the next very divisive issue for the international community in the years to come. There is a further aspect worth briefly considering in the present context, that is the impact of the time factor on the legal regulation of technological developments. Incidentally, this aspect is also mentioned in the preamble of the draft GA resolution quoted above, where it is stated that “given the unique attributes of such technologies, additional norms will be developed over time”.32 At this stage, it can just be noted that, if challenges posed by technological developments to international law are still new and evolving in their scope and content, at the same time they represent a kind of constant and re-occurring issue. In this regard, one may recall the 50 years old doctrinal symposium hosted in 1967 on the pages of the California Law Review, devoted to the “Impact of Science and Technology on International Law”.33 The issues selected for that debate, ranging from communication satellites to technological developments in the law of the sea, from long-range nuclear control policies to weather modification and control techniques, were of course very different from those currently retaining the attention of international scholars. It is however interesting to note that some of the general themes and considerations singled out by Oscar Schachter in his report, providing for a general overview of international law making in the area, may prominently feature in a contemporary assessment of the subject.34 To verify the likelihood of this statement, one may take the passage where Oscar Schachter praised as “high[ly] desirable” the “suppleness” of the declaratory resolutions adopted by international organizations in the field of technological developments, arguing that “the significance of this form of law-making is probably greater in the realm of science and technology than in other fields, for a central feature of science and technology is the rapidity of change”.35 The bulk of these state Ibid., 17th paragraph of the preamble.  Ibid., 21st paragraph of the preamble. 32  Ibid., 17th paragraph of the preamble. 33  See the general presentation of the debate by Seneker (1967), pp. 419–422. 34  See Schachter (1967), pp. 423–430. 35  Ibid., pp. 426–427. 30 31

New Technologies in International (and European) Law—Contemporary…

361

ments is not so estranged from the assessment of the law-making techniques in the area of ICT recently made by two scholars, who maintain that “existing research strongly challenges the idea that States and stakeholders can ‘settle’ on any set of cybernorms, providing fixed expectations for future behavior. Norms have an inherently dynamic character; they continuously develop via ongoing processes in which actors extend or amend their meaning as circumstances evolve. This suppleness is part of their attraction…”.36 Put into other words, though it can be contended that the content of norms, rules and principles may vary and may need to be adapted in line with technological developments which remain logically unforeseeable for lawyers, and if the normative processes and techniques used for the elaboration of relevant rules may be enriched by the involvement of new actors and players, nonetheless the basic need (of suppleness) which lays behind those processes and techniques has not substantially changed over time. Hence, the inference that the heterogeneous category of “soft law” probably remains, today as it did many decades ago, the most well suited for the international legal regulation of the challenges raised by new technologies. A final word can also be drawn, by way of conclusion, from the report on law-­ making and scientific advances written in 1967 by the venerable Oscar Schachter. That author concluded his assessment of the topic with a call for a “continuing and detailed inquiry into the multitude of new research projects which are apparently increasing at an exponential rate in all areas of science”.37 In Schachter’s view, a continuing and accurate fact-finding, based on an updated and as close to complete as possible record of scientific data, was essential in order to cope effectively with the challenges posed by new technologies. It is almost superfluous to underscore that the book under consideration here represents an essential contribution to that stated purpose. If only for that reason alone, the effort undertaken by the editors and the contributors of this volume must be unconditionally praised.

References Benvenisti, E. 2018. Upholding Democracy Amid the Challenges of New Technology: What Role for the Law of Global Governance? European Journal of International Law 29: 9–82. Brölmann, C. 2007. Deterritorialization in International Law: Moving Away from the Divide Between National and International Law. In New Perspectives on the Divide Between National and International Law, ed. J.E.  Nijman and A.  Nollkaemper, 84–109. Oxford: Oxford University Press. d’Aspremont, J. 2011. Introduction. Non State Actors in International Law: Oscillating Between Concepts and Dynamics. In Participants in the International Legal System. Multiple Perspectives on Non-state Actors in International Law, ed. J.  d’Aspremont, 1–20. London: Routledge. Finnemore, M., and D.B.  Hollis. 2016. Construing Norms for Global Cybersecurity. American Journal of International Law 110: 425–479. 36 37

 See Finnemore and Hollis (2016), pp. 427–428.  Schachter (1967), p. 428.

362

M. Arcari

Higgins, R. 1994. Problems and Process. International Law and How We Use It, 38–55. Oxford: Oxford University Press. Hollis, D. 2015. The Fog of Technology and International Law. Quaderni di SIDIBlog 2: 489. Milano, E. 2015. The Deterritorialization of International Law: Setting the Context. In A Lackland Law? Territory, Effectiveness and Jurisdiction in International and EU Law, ed. A. Di Stefano, 53–69. Torino: Giappichelli. Reisman, M. 1992. The View from the New Haven School of International Law. In ASIL Proceedings, 118–125. Cambridge: Cambridge University Press. Ruiz-Fabri, H. 1999. Immatériel, territorialité et Etat. Archives de philosophie du droit 43: 187–212. Schachter, O. 1967. Scientific Advances and International Law Making. California Law Review 55: 423–430. Seneker, C.J. 1967. The Impact of Science and Technology on International Law: Introduction. California Law Review 55: 419–422.