Auteursarchief: Cedric Ryngaert

Cedric Ryngaert

Over Cedric Ryngaert

Cedric Ryngaert (1978) is hoogleraar internationaal recht en programmaleider van de master public international law. Hij studeerde rechten aan de Katholieke Universiteit Leuven (2001), promoveerde aan dezelfde universiteit in 2007 op een proefschrift over rechtsmacht in het volkenrecht, en trad vervolgens in dienst bij de Universiteit Utrecht. Tussen 2010 en 2013 deed hij onderzoek naar niet-statelijke actoren op basis van een NWO-subsidie (VENI). Sinds eind 2013 leidt hij twee onderzoeksprojecten over de unilaterale uitoefening van rechtsmacht, op basis van subsidies van NWO (VIDI) en de European Research Council (ERC Starting Grant). In deze projecten onderzoekt hij in hoeverre staten en regionale organisaties hun eigen wetgeving buiten hun eigen grenzen kunnen toepassen om internationale waarden te verwezenlijken. Hij werkt hieraan met 7 AIO's.

The European Production Order – Tackling the Problem of Enforcement Jurisdiction and Extraterritoriality in Cyberspace

On April 17th, 2018, the European Commission proposed new legislation to facilitate and accelerate access to digital evidence across borders in criminal investigations. The proposal aims at providing enforcement authorities with new tools for cross-border investigations in the digital era. European Production and Preservation Orders (the Orders) would allow law-enforcement authorities of a Member State to compel service providers – both domestic and foreign – offering services in the European Union to disclose or preserve user data, regardless of the data’s location. With this proposal, the European Commission moves away from territoriality as the determinative factor for enforcement jurisdiction in cyberspace. Thereby it could possibly set an international precedent to modernize international law in the area of transborder access to e-evidence.

With the proposal, the Commission is reacting to a particular challenge which the digitalized world has posed to law-enforcement. People nowadays make use of online services, such as Gmail, Facebook and Dropbox, that allow them to access their data in the, such as emails and photos, from different devices and different locations at all times. The service providers work with cloud computing, storing data on servers in several different jurisdictions to minimize data transmission and processing times. Facebook, for example, which is based in the US, uses servers not only in the US but also in Ireland, Sweden and Singapore. What is convenient for users, is problematic for law-enforcement authorities, however. If French law-enforcement authorities seek the contents of a Facebook message sent by a French suspect in the context of a crime committed on French soil against a French victim, they have to make use of mutual legal assistance treaties to access this data, as it is stored in foreign territory. Having to rely on this complex and slow mechanism (requests under such treaties take an average of ten months to be processed in the US!), has understandably led to frustration among law-enforcement agencies. This is not only because data can easily be moved, altered or deleted, but also because the data location in a foreign state (the ‘residual state’) is often the only international dimension of the case – making it hard for law enforcement agencies to understand why they should work through international cooperation channels.

How does the proposed EU regulation tackle the problem?

The European Production Order would allow law-enforcement agencies in an EU Member State to request service providers to disclose user data (not only information about the user, but also contents of e-emails, online storage accounts, etc.) within ten days or, in case of emergency, within six hours. The European Preservation Order would allow law-enforcement agencies to compel service providers to preserve data up to 60 days to allow time for requesting assistance from the data’s residual state.

The orders would be binding on all service providers established or offering services in the EU, regardless of the location of their offices. A provider is “offering services” if its service is accessible in a Member State and a sufficient connection between the provider and the territory of that state is established. Such a connection would inter alia exist when the provider offers and advertises the service in a Member State language, or when there are a considerable number of users within a member state’s territory. Facebook, for example, has such a connection with the EU: it offers its services under domestic domain names (Facebook.de; Facebook.it; Facebook.pl), it offers and advertises them in Member State languages (e.g.German, Italian and Polish), and it counts 370 million users per month in the EU.  It is recalled that, in the field of data protection, the Court of Justice of the EU, in the Google Spain case (2014), had, somewhat similarly, considered the EU Data Protection Directive applicable to a foreign operator of a search engine when it ‘sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State’.

Pursuant to the proposed instruments, the orders can pertain to all data at the disposition of the service provider, regardless of its storage location. Taking the example of Facebook, this would mean that Facebook would also have to disclose to French law-enforcement authorities data that is stored on servers in Singapore, the US or any other non-EU state. This can obviously lead to a conflict between the provider’s obligations under the European Production Order and the residual state’s law. Therefore, the legislation allows service providers headquartered in third states to refuse compliance with the European Production (although not Preservation) Order when facing such a conflict of obligations (Article 16). The US Electronic Communications Privacy Act, for instance, forbids service providers in § 2702 to disclose content data without a U.S. warrant. However, if the issuing authority intends to uphold the order, it has to request a review by the competent court in its own state. If that court finds a conflict with laws that protect fundamental rights or interests of national defense and security, it has to consult the competent authorities in the respective third state through official channels, which then have 15 (with an extension possibility to 30) days to object to the order. If the third state’s authorities do not reply in time, the court can release the order for execution after sending a reminder with a five-day deadline. If the conflicting norms do not serve the protection of fundamental interests, the court can make its decision whether to quash the order by balancing the interests of the states in the disclosure of the data and in preventing the disclosure of the data. For this balance of interests, the court has to consider factors such as the degree of connection of the criminal case to either one of the jurisdictions.

What does the new legislation mean for enforcement jurisdiction in cyberspace?

Pursuant to the Lotus principle (established by the Permanent Court of International Justice as early as 1927), the exercise of enforcement jurisdiction, as an expression of a sovereign state’s power, is strictly limited to a state’s territory. As investigations are measures to enforce the criminal law, states are normally barred from conducting investigations on foreign states’ territory, unless the state has consented to the foreign investigation measures on its soil. However, applying this principle to the challenge posed by cyberspace seems to be contradictory, as cyberspace was designed to be borderless. Moreover, the location of data is just the result of a service provider’s business considerations. Therefore, the European Commission saw the need to move away from data locationto data connectionas the determinative factor for enforcement jurisdiction in cyberspace.

From an international law perspective, for European Production Orders that only have an internal EU dimension (the data is located on a server in an EU Member State), this move is not particularly problematic, as long as there is a valid EU legal basis. Such a basis appears to be present, as the proposed regulation is based on Article 82(1) of the Treaty on the Functioning of the EU, which provides that judicial cooperation in criminal matters is based on the principle of mutualrecognition of judgments and judicial decisions.Thisincludesthe approximation of the laws andregulations of the Member Statesin a number of areas, including computer crime.

In contrast, Production Orders pertaining to data located on a server in a non-EU state, are –from an international law perspective – more questionable. States outside the EU have not, at least not in a general sense, allowed EU-based law-enforcement authorities to carry out investigatory measures on their territory. Accordingly, such European Production Orders risk being in breach of the Lotus principle. Still, these orders respect foreign states’ sovereign interests insofar as they leave room for the affected states to protect their fundamental interests by requiring law-enforcement agencies to go through mutual legal assistance channels. Only when non-fundamental interests are at stake can the investigating state, on the basis of a Production Order, unilaterally access the data. This approach balances the notion of territoriality with the reality of the modern digitalized world.

Concluding observations

Vera Jourová, EU Commissioner for Justice, Consumers and Gender Equality recently said: While law-enforcement authorities still work with cumbersome methods, criminals use fast and cutting-edge technology to operate. We need to equip law-enforcement authorities with 21stcentury methods to tackle crime, just as criminals use 21stcentury methods to commit crime.” The new proposals on EU Production and Preservation Orders hand law-enforcement authorities important tools in the fight against crime that exploit the opportunities offered by de-territorialized cyberspace. In the United States a similar legislative initiative, mooting the Microsoft Ireland Case which was pending before the US Supreme Court, has been taken to tackle such crime: the 2018 US CLOUD Act allows US law-enforcement agencies to compel domestic service providers to disclose data, regardless of its storage location.

At first sight, these initiatives push the boundaries of international law, as they allow for the taking of unilateral enforcement action on the territory of a non-consenting state. However, it must be kept in mind that public international law has been shaped and reshaped by states overstepping boundaries, thereby moulding customary international law (see, e.g., M Hakimi, ‘Unfriendly Unilateralism’, Harvard International Law Journal 2014). These proposals, if they become law, could trigger emerging custom on the permissibility of unilateral production orders.

Esther Vehling and Cedric Ryngaert

Rotten fisheries: EU Advocate-General finds EU-Morocco Fisheries Agreement incompatible with international law 

Credit: Katarina Dzurekova (CC BY)

The validity and scope of EU-Morocco trade agreements with respect to Western Sahara – a territory occupied by Morocco – has kept the Court of the Justice of the EU (CJEU) rather busy lately. In 2016, in a case brought by the Front Polisario, a movement fighting for the national liberation of the people of Western Sahara (the Sahrawi), the CJEU ruled that the territorial scope of the EU-Morocco Liberalization Agreement, which liberalizes trade in mainly agricultural products, did not extend to Western Sahara (see for a comment on this blog here, and for other comments here, here and here). Currently, a request for a preliminary ruling, referred by a UK court, concerning the validity of the EU-Morocco Fisheries Partnership Agreement is pending before the CJEU. This Agreement gives EU vessels access to fisheries in Moroccan fishing zones, in return for which the EU provides Morocco with financial contributions. On its face, this Agreement appears to apply not only to the waters off the coast of Morocco proper, but also those off the coast of Western Sahara. The case raises issues of self-determination of the Sahrawi in respect of the exploitation of ‘their’ natural resources, and the role of the EU in this respect. In January 2018, Advocate-General (A-G) Wathelet of the CJEU delivered his opinion in the case, proposing that the Fisheries Agreement should be considered invalid on the ground that it violates the right to self-determination of the Sahrawi people. This post commends the opinion for its detailed, although not always accurate, engagement with international law, and highlights the political salience of the case.

Lees verder

The external effects of the EU’s regulation of sulfur dioxide (SOx) emissions

On 10 November 2017, I had the honor to be the sole opponent for the (successful) public defense of Philip Linné’s doctoral thesis on ‘Regulating vessel-source air pollution: standard-setting in the regulation of SOx emissions’, at Gothenburg University (Sweden). The thesis concerns the regulatory response, at different scales, including notably the EU scale, to tackle the environmental and human health impacts caused by sulfur oxide (SOx) emissions from the exhausts of seagoing ships. In this post, I reflect on the international legality and especially the external effects of relevant ‘unilateral’ EU action to tackle SOx emissions, i.e., action that goes beyond what is required by international law. Building on, but also adding to Philip Linné’s insights, I argue that by taking unilateral action, the EU has accelerated the calendar for strengthening global environmental standards in respect of SOx emissions. Lees verder

The Polisario Front Judgment of the EU Court of Justice: a Reset of EU-Morocco Trade Relations in the Offing

Credit: Katarina Dzurekova (CC BY)

On 21 December 2016, the Court of Justice of the EU (CJEU) gave its appeals judgment in the politically contentious Polisario Front case. The Court overruled an earlier decision of the General Court (GC, 2015) and decided that the EU-Morocco trade agreement does not apply to the territory of Western Sahara, which is claimed by Morocco as its own (see Sandra Hummelbrunner and Anne-Carlijn Prickartz’s analysis). The Court then went on to dismiss the action for annulment brought against the EU Council decision endorsing the agreement by the Polisario Front, a national liberation movement representing the Saharawi population indigenous to Western Sahara. In so doing, the Court largely followed Advocate General Wathelet’s advisory opinion, at least its first part (see on this Katharine Fortin’s analysis over at the UCall blog). The dismissal of the Polisario Front’s action may appear to be a victory for the EU Council and Morocco. However, in a manner reminiscent of Pyrrhus’s battles with the Romans in the 3rd century BC, it may well turn out to be a loss, and in fact a boon for the Saharawi. Although the CJEU held that the Front did not have standing to dispute the EU Council decision, this determination precisely followed from the Court’s recognition of the people of Western Sahara’s right to self-determination and the attendant exclusion of the territory from the trade agreement. Henceforth, the EU Council and Morocco have no other choice than to exclude products from Western Sahara from their trade agreements. Lees verder

Amerikaans Hooggerechtshof verklaart EU en haar lidstaten niet ontvankelijk in grote witwaszaak

supreme-court-building-1209701_1920In de jaren ’90 smokkelden Colombiaanse en Russische trafficanten drugs naar Europa. Met de opbrengst kochten ze via tussenpersonen grote hoeveelheden sigaretten van het Amerikaanse bedrijf RJR Nabisco. Ze importeerden die vervolgens in Europa. Je zou verwachten dat de Europese Unie en haar lidstaten RJR voor dit witwassen van criminele opbrengsten in Europa zouden vervolgen. Begin 2000 stond het Europees strafrecht echter in zijn kinderschoenen. Centrale afdwinging bestond niet en de coördinatie van strafvervolgingen in Europa liet ernstig te wensen over. Om toch tot een vorm van centrale vervolging van RJR te komen vonden de EU (de Europese Gemeenschap indertijd) en haar lidstaten er niets beters op dan in 2000 als eisers op te treden in een procedure in de Verenigde Staten op basis van de RICO Act (Racketeer Influenced and Corrupt Organizations Act). Die wet was in 1970 aangenomen om de maffia aan te pakken. Hij geeft niet enkel een mandaat aan Amerikaanse autoriteiten om een strafprocedure tegen ‘racketeers’ zoals RJR te starten, maar staat slachtoffers van de activiteiten van racketeers ook toe een civiele claim in te dienen bij Amerikaanse rechtbanken. Een dergelijke procedure is overigens erg aantrekkelijk, aangezien de eiser een drievoudige ‘punitieve’ schadevergoeding kan verkrijgen (treble damages). De EU en haar lidstaten voerden aan dat zij schade hadden geleden door de activiteiten van RJR, met name zouden hun nationale sigarettenindustrieën en de Europese financiële instellingen benadeeld zijn, zouden belastinginkomsten misgelopen zijn door zwarte-marktverkoop van sigaretten, en zouden Europese munten instabiel geworden zijn. Lees verder

Mag de Amerikaanse justitie onze emailgegevens inkijken?

Europese gebruikers van Gmail, Hotmail en MSN zijn voorlopig veilig voor de lange arm van de Amerikaanse wet. Een Amerikaanse rechtbank besliste vorige week (14 juli 2016) dat de Amerikaanse justitie Microsoft niet kan dwingen emailgegevens over te leggen die in een Iers datacentrum waren opgeslagen. De beslissing zou echter zomaar een Pyrrusoverwinning kunnen zijn voor internationaal opererende Internetproviders en gebruikers bezorgd om hun privacy. Niet alleen kan de Amerikaanse justitie nog in beroep gaan bij het Amerikaanse Hooggerechtshof, ook kan het Amerikaanse Congres steeds een andersluidende wet aannemen. De beleidsvraag hierbij is hoe we een efficiënte bestrijding van de transnationale misdaad kunnen verzoenen met adequate gegevensbescherming en respect voor de soevereiniteit van andere landen. Lees verder

Een Europees consumentenlabel voor Israëlische producten uit de bezette gebieden: een maat voor niets?

avocadoVorige week besliste de Europese Commissie dat producten afkomstig van Israëlische nederzettingen op de Westelijke Jordaanoever en de Golanhoogte voortaan als zodanig gelabeldmoeten worden. In 2005 had de Europese Unie al beslist hogere invoerrechten te heffen op deze producten. De Commissie is van oordeel dat ze met het labelvereiste uitvoering geeft aan haar internationale verplichting om de bezetting van de Palestijnse gebieden niet te erkennen. Bovendien redeneert ze dat Europese consumenten niet mogen worden misleid over de ware oorsprong van deze ‘Israëlische’ producten. Het valt echter te betwijfelen of het internationaal recht de EU verplicht deze maatregel te nemen. Het is evengoed twijfelachtig of consumenten hun aankoopgedrag werkelijk zullen laten leiden door een ‘bezet gebied’-label, en of deze maatregel dus enige impact zal hebben.

Lees verder

The long arm of EU law: EU animal welfare legislation extended to international road transport

6267369304_9061cb58e4_z

Copyright: Dirk-Jan Kraan

The Court of Justice of the EU has recently rendered an important judgment that will please animal welfare activists, especially those concerned about the welfare of animals outside the EU. Less pleased will be road transporters and foreign nations.

In Zuchtvieh-Export GmbH v Stadt Kempten, Case C-424/13, 23 April 2015, the Court held that the application of an EU Regulation concerning the welfare of animals during transport does not limit itself to road transports within the EU. According to the Court, it also applies to such transports between an EU place of departure and a non-EU place of destination. This means that, in the case, a cattle transport leaving from Kempten in Germany and arriving in Uzbekistan had to comply with EU law also after crossing the external EU border, notably on the territory of the Russian Federation. The exporter will now have to ensure that after 14 hours of travel, a rest period of at least one hour should be organized, during which the animals must be given liquid and if necessary fed. Subsequently, the animals may be transported for a further period of up to 14 hours, at the end of which animals must be unloaded, fed and watered and be rested for at least 24 hours. These rules are far stricter than what the exporter had planned to enter into his journey log: he had planned only two rest periods, one upon crossing the external EU border and another in Kazakhstan. The journey between those points was expected to take 146 hours (entirely in accordance with local legislation). Lees verder