1. The preventive turn in European security policy: counter-terrorism as a catalyst
Starting with responses to 9/11, counter-terrorism efforts have acted as a catalyst for the furthering of European integration in the field of security. Each successive wave of terrorist attacks has led to the adoption of further legislation at EU level and to the proliferation of EU security structures, with counter-terrorism acting as a legitimising tool for the emergence of the EU as a strong internal and external security actor. Responses to 9/11 have led to the adoption of a number of key legal instruments in EU Criminal Law, including of the Framework Decision on the European Arrest Warrant, of the Framework Decision on combatting terrorism, of the Decision establishing Eurojust and of the EU-US Agreements on Extradition and Mutual Legal Assistance – while legal bases outside the then third pillar were used to implement the UN Security Council Resolutions on terrorist sanctions within the EU, and to conclude an agreement with the US on the transfer of Passenger Name Records (PNR). Subsequent responses to terrorist attacks have expanded the EU acquis, by focusing predominantly on a data-driven counter-terrorism response. Reactions to the London bombings led to the adoption of the controversial Data Retention Directive, now annulled by the CJEU, and to growing calls for the securitisation of migration, including via the use of EU migration databases. Later responses to the Paris and Brussels bombings led to the intensification of data exchanges, including through the legal adoption of the concept of interoperability of EU databases, and to the expansion of the criminal and surveillance law on terrorism, under the justification of the fight against ‘foreign fighters.’
The expansion of the EU counter-terrorism acquis has signified what I have called the preventive turn in European security policy. This preventive turn is a reflection of what has been framed within the context of domestic criminal law as ‘preventive justice’. It places criminal justice within the framework of the ‘preventive state’, transforming criminal law into ‘security law.’ Preventive justice is understood here as the exercise of state power in order to prevent future acts which are deemed to constitute security threats. There are three main shifts in the preventive justice paradigm: (i) a shift from an investigation of acts which have taken place to an emphasis on suspicion; (ii) a shift from targeted action to generalised surveillance; and, underpinning both, (iii) a temporal shift from the past to the future. Preventive justice is thus forward rather than backward looking. It aims to prevent potential threats rather than punishing past acts and in this manner it introduces a system of justice based on the creation of suspect individuals on the basis of on-going risk assessments (see Mitsilegas, 2017). The present analysis will outline the three main strands of this EU paradigm of preventive justice – criminalisation, border control and surveillance – and examine the extent to which the resulting rule of law challenges essentially render it a paradigm of preventive injustice.
2. Preventive Criminalisation: Anticipatory Criminal Law and the blurred boundaries between criminal and administrative law
A key example of preventive justice has been the shift to anticipatory criminal law. Criminal offences are created for harm which is increasingly remote from the core criminal activity. The evolution of the three waves of EU criminal law on terrorism demonstrates the expansion of this preventive paradigm. The 2002 Framework Decision on terrorism introduced a broad definition of terrorist harm, while introducing also the concept of a terrorist organisation. Its 2008 successor broadened criminalisation, including by criminalising public provocation to commit terrorist offences, which initiated the debate on the appropriate extent of criminalisation of glorification of terrorism. The 2017 EU Terrorism Directive expanded criminalisation further by introducing a number of criminal offences aimed to prevent the mobility of ‘foreign fighters’- including offences related to travel and its facilitation, also by third parties. The temporal and ratione personae expansion of criminal law are remarkable here – criminal law is geared not against the commission of a terrorist act itself, but against everyday activity which may occur way in advance and which does not necessarily result in the commission of an actual terrorist crime. In this manner, the targets of criminal law move from perpetrators of criminal offense to suspects.
This trend is confirmed by the growing blurring of boundaries between criminal and administrative law on counter-terrorism. Take the example of the imposition of sanctions to suspected terrorists via listing. The response of the CJEU to the UN Security Council listing system in the Kadi litigation is well-documented. However, it must be observed that the Court resorted to a model of procedural justice without questioning the principle of the sanctions regime. It is noteworthy that the Court has declined to rule on whether terrorist sanctions constitute in reality, by virtue of their severity and duration, criminal and not administrative sanctions, requiring the application of higher criminal justice safeguards.
3. Preventive Border Control: Externalisation as Border Security
A questionable legacy of the responses to 9/11 which has been reinforced since has been the securitisation of migration, and the treatment not only of migrants but also of mobility as such as a security threat. This approach has led to the shift from border control to border security on both sides of the Atlantic. The preventive aims of border security are clear: to stop undesirable third-country nationals reaching the border. In EU law, a key component of this preventive agenda has been the establishment of large-scale immigration databases, a number of which (such as the VIS and the ETIAS) target third-country nationals specifically in advance of travel. A second element has been the securitisation of these databases, by enabling access to them not only by immigration, but also by law enforcement authorities. At the same time, criminal law databases (such as the European Criminal Law Information System – ECRIS) have now been expanded to include data of third-country nationals. These developments reflect a preventive security agenda premised on the maximum connection and exchange of personal data – the EU legislation on the interoperability (here and here) of EU databases (regardless of their purpose) is a decisive shift in that direction.
4. Preventive Surveillance: Pre-emption and prediction as a public-private partnership
Perhaps the most emblematic reflection of the preventive justice paradigm has been the shift towards the mass surveillance of everyday life, including via the co-option by the state of the private sector. Surveillance covers a wide range of everyday activity and focuses on the flows of people, money, and data, as well as on the growing monitoring of online activity. Well-established models of privatised law enforcement in the field of anti-money laundering law have been gradually complemented by new requirements by private providers to monitor mobility and the flows of passengers (airlines under PNR law), to routinely report financial flows (under the TFTP requirements), to retain and transfer content and metadata to state authorities (communications providers under data retention law) and to moderate and remove harmful content online (via the Regulation on terrorist content online and now under the DSA). These developments raise a number of questions as to both the role of private providers and the place of the citizen in a democratic society – questions which become more acute in view of the reach of preventive surveillance in all areas of everyday life, from which individuals cannot be realistically expected to opt out from.
5. Blurring the Boundaries of Legality: Preventive (In)Justice as a Rule of Law Challenge
The preventive turn in European security policy poses a number of challenges to a wide range of fundamental rights, including the principle of legality in criminal law, effective judicial protection, privacy, data protection and freedom of expression. The purpose of the present analysis is not to examine these challenges in detail, but to evaluate critically the challenges that the EU paradigm of preventive justice pose on the rule of law – both in terms of how the law is being produced, and in terms of how the law is being implemented. The emergency nature of the 9/11 responses appears to have been normalised in the evolution of preventive security policy, with initiatives blurring the boundaries of legality, challenging fundamental legal and constitutional assumptions and thus leading to preventive injustice.
As seen above, a key element of the EU paradigm of preventive justice has been the central role of the private sector in delivering state security objectives. A wide range of private actors have been co-opted and have increasingly been asked to assume state-type functions. In particular – and as evidenced by the new measures on removal of online content, e.g. the DSA – private actors are now being asked to undertake fundamental rights assessments of their decisions. This change in the role of the private sector poses fundamental rule of law challenges for both private companies and their customers. To what extent can the state reasonably expect the private sector to provide justice to citizens in the same way as the state, in cases when private decisions affect fundamental rights? And, from a citizens’ perspective, to what extent is there an effective remedy or redress against an act by a private actor? Current legislative measures do not provide satisfactory responses from a rule of law perspective. They raise the question of the adequacy of EU law standards placed within the global operating field of internet giants and of the relationship between hard and soft law, legislation and self-regulation, in providing a fundamental rights and rule of law compliant framework.
Recourse to technology has been instrumental in the development of the EU preventive agenda. The use of big data, AI and algorithms take centre-stage in the development of new EU systems and initiatives to pre-empt and predict. A key question (which has been raised strongly in the debate on removal of online content but extends into other surveillance practices) is the extent to which reliance on technology – especially without human intervention – provides effective protection of fundamental rights and can grant an effective remedy to affected individuals. Attention should also be paid into the negative rule of law consequences of the framing of preventive initiatives as technical and not legal issues. A key example in this context has been the evolution of the EU interoperability framework. There, from the outset, the Commission has claimed that the issue is technical and not legal, and thus does not require additional legal scrutiny. The final shape of the interoperability legislation (here and here), entrusting control to an EU agency (EU-lisa), which is not a fundamental rights agency but a single-agenda IT agency with limited accountability, is a further reflection of this trend. The reliance on technology should not obscure the need for real – and additional – rule of law safeguards in the development of new mechanisms of prevention.
The EU is not alone in the development of its model of preventive justice, which has evolved in a global context. The development of EU responses in a global context has raised a number of rule of law issues: (i) in terms of how EU law has been adopted in the first place and (ii) in terms of the extent to which EU law adopted in synergy with global actors is compliant with internal EU fundamental rights benchmarks. Two examples are illustrative of these tensions. The first one involves the relationship between the EU and the United Nations Security Council (UNSC) – an executive body whose legitimacy to legislate is questionable. The EU has transposed the UNSC system of terrorist sanctions, which caused controversy and has led to the intervention of the CJEU (Kadi I and Kadi II). However, the EU continued to rely on the UNSC and legitimised the expansion of its criminal law regime on terrorism without an impact assessment, through the pre-existing UNSC and Council of Europe standards. Thus, EU legislation challenging the principle of legality is imported from and via an external executive body with limited accountability.
The development of PNR standards constitutes a further example of problematic law making. The EU response was initially promoted by unilateral US actions post-9/11. Three controversial agreements on the transfer of PNR date were signed with the US, leading also to EU agreements with Canada and Australia. The CJEU has struck down the EU agreement with Canada, a ruling which arguably applies to the two other agreements and demonstrates how problematic this preventive paradigm of surveillance is for fundamental rights. Nevertheless, undeterred, after the Paris attacks, the EU has used the ‘foreign fighters’ justification to internalise the preventive paradigm by adopting a far-reaching, legally controversial EU PNR Directive which is currently under challenge before the CJEU. Fundamental rights concerns notwithstanding, the EU has further emerged as an external actor within the auspices of ICAO, with the aim to standardise and globalise the PNR transfer paradigm.
The final word in this analysis is devoted to the direct impact that the emerging paradigm of preventive justice has on the citizen. We are moving steadily to a landscape where citizens are increasingly treated as suspects. Criminal law intervenes in an ever earlier stage, disconnected from the commission of the core criminal offence. Heavy sanctions are imposed through executive listing on the basis of suspicion. Individuals increasingly face guilt by association, through assisting individuals deemed dangerous. The presumption of innocence is being replaced by a presumption of potential dangerousness. Nowhere is this trend better exemplified than in the field of preventive mass surveillance – where populations are being constantly monitored and profiled. This shift has been well-documented by the CJEU, which is trying to maintain fundamental rights and rule of law benchmarks on mass surveillance in spite of the fierce resistance by Member States’ executives. It is worth reminding ourselves that the CJEU has reminded us that the interference of systematic and continuous data retention with the rights to privacy and data protection is very far-reaching and must be considered to be particularly serious, as the fact that the data is retained without the subscriber or registered user being informed is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance.