Introduction

As many of you know the Schengen Agreement (Named after the Luxemburg City "Schengen" where the initial contract was signed) introduced the free flow of goods and people across the European Union. Many claim it to be on of the core backbone agreements of the European Union.

Synopsis

Germany decided to introduce border controls following the SARS-CoV-2 epidemic during  March-Mai 2020. Luxembourg has a particular situation that is best displayed via this illustration: every day over 1/3 of the entire working population enters the country via Germany, France, and Belgium to drive home in the evening thus passing these very borders every day. 

Germany decided, for reasons that are still not clear to me as of today, that Luxembourg nationals (not germans) need to have a justified reason to enter Germany (a limited list of these existed). It appears that German State Heads believed that the virus somehow differentiates between nationalities and that this made total sense considering the thousands of German border commuters enter and exit every day "freely".

Back to the topic.  The Schengen agreement allows for the introduction of border controls under certain rules and under certain requirements. I have been curious to find out what Germany brought forward as reasons as I could not imagine a scientific reason to do just that.

Title3, Chapter 2 of the Schengen Accord details under which conditions and form the border control could be introduced.Relevant Articles:

Art. 25.1 & 25.2  :

• Where [..] there is a serious threat to public policy or internal security in a Member State, that Member State may exceptionally reintroduce border control [..] for a limited period of up to 30 days or for the foreseeable duration of the serious threat [..]
  
  
• Border control at internal borders shall only be reintroduced as a last resort, and in accordance with Articles 27, 28, and 29. The criteria referred to, respectively, in Articles 26 and 30 shall be taken into account in each case where a decision on the reintroduction of border control at internal borders is considered pursuant, respectively, to Article 27, 28, or 29.

Art 26 ("Criteria") :

• Where a Member State decides, as a last resort, on the temporary reintroduction of border control [..] it shall assess the extent to which such a measure is likely to adequately remedy the threat to public policy or internal security, and shall assess the proportionality of the measure in relation to that threat.

Art. 27  : 

• Where a Member State plans to reintroduce border control [..], it [...]  shall supply the following information :
  (a) the reasons for the proposed reintroduction, including all relevant data detailing the events that constitute a serious threat to its public policy or internal security;
  (b) the scope of the proposed reintroduction, specifying at which part or parts of the internal borders border control is to be reintroduced;
  (c) the names of the authorized crossing-points;
  (d) the date and duration of the planned reintroduction;
  (e) where appropriate, the measures to be taken by the other Member States.

Art. 28 :

• If the serious threat to public policy or internal security persists beyond the period provided for in paragraph 1 of this Article, the Member State may decide to prolong the border control at internal borders for renewable periods of up to 20 days. In doing so, the Member State concerned shall take into account the criteria referred to in Article 26, including an updated assessment of the necessity and the proportionality of the measure, and shall take into account any new elements.

Requesting Acces to the Documents

Germany appears to have a solid Information Access law ("Informations Zugangs Gesetz") that even allows foreign nationals to request documents that are even sent free of charge across the European Union. 

My Initial Request for Information from the 04.05.2020 included the Information and requests below :

• A copy of the Notification Letter addressed to the European Commission
• Which reasons, data, and other factors led to the conclusion that proportionality of the measure in relation to that threat is adequate. (Quoting Art 26)
• During the time the BMI decided to forbid Luxemurgish nationals entry to Germany (unless they demonstrated important reasons). Luxemburg had on average 15 (!) infections per week including German commuters, so my question was: In light of 15 infections per week how did Germany come to the conclusion that "proportionality of the measure in relation to that threat that Luxembourg nationals pose is adequate".

My Request to the BMI

Answer

One of their answers included the following quite revealing sentence :

• "We are not required to communicate legal assessments that have yet to be done"

I am publishing these documents because they may have historic value and offer food for thought. 

Why food of thought you might ask? Well, Germany didn't really give a reason as required by the Articles 25/26/27/28 that would explain how closing the borders is necessary and proportional. In the first letter, it states it's intent and simply "that it is required" and in every followup letter extending the closure (a total of 4), Mr. Seehofer just points to the first letter creating a circular non founded argument.  Especially in the context of thousands of daily german commuters that stay for a minimum of 9 hours in Luxembourg (In offices, Hospitals, and so forth) closing the border to Luxemburgish nationals made absolutely no sense whatsoever and could be even seen as being discriminatory.

Summary of my Analysis (There may be more in these letters but that's currently all I am being equipped to answer). Please feel free to contact me in case you stumble across something you want to point out.

• 15 March 2020 (Letter1): Notification per Article 28 of the planned 10 days of Border Controls. Art. 28 is referenced.
  
  Reason given :
  
  German
  "Unser Gemeinames Ziel muss  angesicht der raschen Zunahme der Infektionen sein, möglichst frühzeitig Reisende aus Risiko gebieten sowie diejenigen mit Anzeichen für eine derartige Infektion zu erkennen um auf diese weisen durch unverzügliche medizinische Massnahme eine weitere Verbreitung bestmöglich einzudämmen"
  
  "Auch unter Berücksichtigung der grossen Bedeutung de Grenzkontrollfreien reisens innerhalb das Schengenraums bin ich der Ueberzeugung dass die vorübergehende  Wiedereinführung  von Binnen Grenzkontrollen eine notwendige flankierende Maßnahme zur Eindämmung der Ausbreitung und Unterbrechung der Infektionskettendarstellt.
  
  English (Translation)
  "In view of the rapid increase in infections, our common goal must be to identify traveler from risk areas early as possible and to identify those who show signs of such an infection in order to reduce its spread as far as possible through immediate medical measures.
  
  Also consider the importance of border control-free travel within the Schengen area, I am convinced that the temporary reintroduction of internal border controls is a necessary accompanying measure to contain the spread and interruption of the infection chain."
  
  
  Commentary: What a display of naivity and a simplistic view of the world. As if somehow the virus would differentiate between Germans and Luxemburgish nationals and that refusing entry to the country would allow for "Immediate medical measures". 
  
  Also of note is that Luxemburg is quite clearly an area of collateral damage where no data whatsoever justified closing the borders to Luxemburgish nationals.  We see no analysis of whether or not the measures are proportionate to the threat.
  
  My personal assessment : In case of Luxembourg, there is a very very high probability they were not. Also, notice the choice of words: "Flankierende Massnahme" is usually used to describe the political approach to immigration of third party nations (outside of the EU).
  
  

• 19 March 2020  (Letter 2): Adds  Air Travel ways to the list of border controls
  
  
• 25 March 2020 (Letter 3): Extends Border Control another 20 days
  Reason given : "Based on the previous communications"
  
  
• 14th of April 2020 (Letter 4): Extends Border Control by another 20 days
  Reason given : "Based on the previous communications"
  
  
• 4th of May 2020: Extended by 14 days
  Reason given:  "Fragile situation development"& "Based on previous communication"

Copies of the letters

Letter 1

Letter 2

Letter 3

Letter 4

Letter 5

This blog post will be updated periodically as I come across new practical information and experiences. You can subscribe to my blog if you wish to be kept updated.

Updates : 

• 24.07.2020: Added number of reported data breaches to Statistics
• 25.07.2020: Added the Role of the DPA as captured within the GDPR and added Sources
• 25.07.2020: Added the section "Parliamentary Oversight" capturing parlamentary enquiries
• 26.07.2020: Corrected the part about getting a copy of your original complaint. In fact, I only have received parts of it and am still waiting to receive the rest.
• 27.07.2020: Due to popular demand I added a section "Legal Procedure".
  
  

I thought it is useful for the general audience to summarise my experience working with the CNPD as a Data Subject. Aligned with many other administrative procedures in Luxembourg: they have a nice appearance at the frontend but are tilted against your interest in the backend.

The Role of DPA :

• "responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing" (ART 51. #1 GDPR)
• "shall act with complete independence" (ART 52 - GDPR)
• "remain free from external influence, whether direct or indirect and shall neither seek nor take instructions from anybody."  (ART 52 -GDPR)
• "members of each supervisory authority shall refrain from any action incompatible with their duties" 
• "Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers"

Complaint procedure :

• There is a simple online form available to guide you through the process. At the end of the process, you will have submitted a complaint and will receive confirmation and a case ID a few days later. Links: DE, EN, FR .  The User interface does not tell you it has been filed and is confusing to say the least.


• Make sure to download a copy of the generated complaint (There is a link when you press "submit"). Should you choose not to, you will remain without a copy of your original complaint. I didn't the first time around believing it to be in good hands at the CNPD.  One can ask the CNDP for a copy? Sure you can.  The CNPD made a partial copy available only after more than 3 months of waiting - after multiple emails (which were replied to at first, then subsequently ignored) and finally a registered letter to their Head. To this date (4months and counting) I am still waiting for a 1:1 copy of my original complaint. 

Progress and Status updates

• The CNPD is required by law (Art 8 #6) to update you on progress and status.  You will have to take the initiative to insist and ask. You will notice that their understanding of your legal right for an update on "progress" and "status" is the following sentence: "Your complaint is currently being investigated". If you choose to ask for more information, maybe an update on progress or an estimate of when they might come to a conclusion, they will answer with the same boilerplate answer. The answer will not even change after your complaint sits with them for more than 17 months.


• If you ask the CNPD to have a view of the documents the other party has submitted you will quickly discover that you have no right to. The other party ("Complaigned") has access to your complaint, you on the other hand, have no right to look at their responses or positions.
  
  In other words, you really can't be sure that any feedback provided by the CNPD  is based on substantiated information nor can you verify whether or not the answer contains further violations of your rights.
  
  

Decisions

• In case the CNPD doesn't come to a decision or that you disagree with the decision you can take it in front of a court called "Cours Administrative".
  
  
• According to their answers given to the EDPB the CNPD has enough budget and resources and the data controllers react swiftly. 

Stats and EDPB Survey

In their answer to a parliamentary question the CNPD responded with the following details for the timespan between 2018 and February 2020 :

• 665 complaints from Luxemburgish Data Subjects
• 318 complaints where the CNPD acted as lead DPA
• 26 complaints initiated as a concerned supervisory authority (Src EDPB Survey)
• 137 OSS cases (Where it declared itself lead under One-stop-shop)
• 498 data breach notifications between 25 May 2018 and 1 December 2019
• 0 fines

In their answers to the EDPB Survey the CNPD states :

• "Data controllers are responsive and answer quickly"
• That "Decisions taken by the CNPD [...] are considered as per the Luxembourg national law as administrative decisions [...]." 
• "As to the allocation of internal resources, the CNPD has one employee who is working full-time on all matters relating to the EDPB and eight thematic experts working (approximatively 20% of the working time) on the matters related to the ESG they usually attend."
• On the question whether the CNPD has enough resources: "The Luxembourg government has provided the CNPD with all the requested resources, which has allowed the CNPD to grow constantly and substantially over the past five years."
• Staff :
  • 2016: 19 
  • 2017: 25 
  • 2018: 38 
  • 2019: 43 
  • 2020: 48 
• Budget :
  • 2016: 2.050.922€
  • 2017: 2.499.348€
  • 2018: 4.415.419€
  • 2019: 5.442.416€
  • 2020: 6.691.562€
• On the question of how many fines the CNPD has issued, the answer is: N/A

Parliamentary Oversight: 

• When responding to the question of the EDPB The CNPD argues that SMBs represent >90% of LU based companies. (Source: EDPB Survey of the CNPD).  No mention of Large multinationals having their European HQ in Luxembourg, such as Amazon, Goodyear, Microsoft, etc.  If you have an in-house team of over Lawyers  you do not need education, you need a strong DPA willing to enforce.
  
  
• It speaks to itself that the Luxembourg Parliament has limited it's questions to simple statistics. It has to this day not followed up on the simple realization that there are 0 fines. While fundamental human rights are a regular topic in parliament, it seems that data protection (or anything that weakens the competitive advantage of Luxembourg) is  "Thema non grata". 
  
  
• The Powerhouse that was behind the creation of the GDPR as a European Commissioner and European MEP (Vivian Reding) is now a member of parliament of Luxembourg.  An email addressed to her on the topic remains unanswered as of today. There is no record of any Data Privacy related question by Reding as of today. On the 25th of May 2018, Reding took it to twitter to celebrate the GDPR as "Giving back power to the citizens".

Legal Procedure

• If you want to challenge a decision of the CNPD (or force them to take one) you can ask the "Court Administrative". You'll need a lawyer to proceed with the "Court Administrative". You will pay all fees. You can not engage this process as an individual. Legal counsel registered at the BAR can be found here.

Sources

• Law of the 1 August of 2018   [Legilux] Transposition of the "regulation" into local law) 
• Réglement d'Ordre Intérieur / Geschäftsordnung/ Internal Rules [CNPD] 
• Internal procedures on investigations [CNPD] 
• Evaluation Survey of the CNPD in 2019 [EDPB]
• Role of a DPA - [GDPR] 
• Vivian Reding [Wikipedia]  | Parliament Information about  Vivian Reding
• Vivian Reding [Interview]
• Vivian Reding on Twitter on the 25th May of 2018  "A historic Day for Europe / We give back the control to our citizens" 

RTL  published [1] an Interview (8th of July 2020)with Paul Wilmes a Full professor in "Systems Ecology" at Uni Luxembourg.

Paul Wilmes [2] is quoted as saying:

• LU: "Et hätten ni Deeg ginn zu Lëtzebuerg, an deene keng Nei-Infektiounen derbäi sinn."
  EN: "There has not been a single day in Luxembourg that we did not have new infections"
  
  Ed. : Unfortunately, that's just a basic fact of life (and science for that matter). There won't be any day that there are no (0) new viral infections in Luxembourg. It is dangerous to think or portray the short term (or even long term) goal as having no (0) infections. That's a matter of impossibility. If interested see my prior post about some of the dynamics [3]

• LU: "D'Zuelen schwätzen eng kloer Sprooch an d'Wëssenschaft kann nëmmen weider un d'Leit appelléieren, d'Mesuren anzehalen a sech testen ze loossen "
  EN:  The numbers speak a clear language and science can only continue to plead to the people, follow the measures.
  
  Ed. : This diatribe has 0 content that is convincing or conveying the "Why". If anything, what follows points to science not speaking a clear language.


• LU: Déi nei Fäll sinn haaptsächlech duerch Infektiouns-Cluster gedriwwen, dat heescht duerch grouss Usammlungen vu Leit. Manner an de Schoulen, mä éischter op de Partyen. Et gëtt awer och sporadesch Fäll vu Persounen, déi sech am enke Kontakt mat Aneren ugestach hunn. Dat Ganzt wier ebe gedriwwen duerch sozial Kontakter
  
  EN: The new positive tests are mainly rooted in infection clusters, meaning a big gathering of people. It is less the Schools but more partys. There are however also "sporadic" cases of people that infected each other through close contact. The pandemic is driven through social contacts.
  
  Ed: We learn that the Virus prefers Partys, and the Virus dislikes Schools. We also learn that "social contacts" are the problem. It is evidently the physical distance, not social contact.
  N.B this follows right after the "science speaks a clear language" diatribe.

• LU: Eng Tracing- App wier en effikasst Instrument, confirméiert de Mikrobiolog.
  EN: He confirms that a tracing app is an efficient/effective mechanism
  
  
  Ed:  We learn that tracing-apps are effective - although all data points to the Opposite. As an example, the Germany Corona app had over 14 million downloads. It alerted 310 people, of which we do not even know the percentage actually was that ended up being infected.

Disclaimer: I do think the Pandemic is a Problem, this series is solely looking at the state of reporting and journalism in Luxembourg. There is no intent to downplay the consequences of the Pandemic. It is, however, laughable how the Government and Press fail to communicate consistently, truthfully, and logically. Giving births to deniers as a result of losing trust.

The R number points to weeks where we will need to be cautious in Luxembourg, but it is not through such journalism that we will succeed in winning over the population to do the right thing. A totalitarian draconian political approach won't work either. Be honest/truthful, humble, try your best to be neutral and say what the things are that we/you do not know. That wins trust and that wins the reader because it is truthful. We never were in such a situation, there are a lot of known unknowns and unknown unknowns. Just say it, there is no shame in not knowing.

[1] https://www.rtl.lu/radio/invite-vun-der-redaktioun/a/1545684.html (08.07.2020)
[2] https://wwwfr.uni.lu/lcsb/people/paul_wilmes
[3] https://blog.zoller.lu/2020/07/luxembourg-press-coverage-on-sars-cov-2.html

"The amount of cases in the last 3 weeks has increased 10 fold!"  That's what I read in the article [1] published by RTL today on the 7th of July 2020. There is no indication or thoughts as to what could be the reasons for that increase and the conclusion is left to the reader.

Hoping to see press coverage that went a bit further than just relaying official statements I had a read and also opened up [2] Ben Elsen's excellent statistical analysis.

According to the article, there was apparently a 10 fold increase in the last three weeks - so let's take a look at the percentage of positive tests in that time period :



I am unable to see a 10 times increase in relative Positive Test numbers, so what can that possibly mean?

In the graph above, we can see that the number of tests have increased roughly 10 fold over the last 3 weeks aswell.

And that's what we don't call journalism my friends you cannot just communicate such numbers without any context or even attempt at explanation. This article is throwing a bunch of copied figures at the reader, without any additional insights or analysis. Worse, it leaves us with the thinking that all hell will break loose soon.

20 years ago we called that "spreading FUD" (Fear Uncertainty and Doubt). It's the self-feeding journalistic echo chamber that lets the clicks coming and the paranoia rise. It is unfortunately also what creates the very people that ignore the requirements to wear masks because they believe that everything that they read is a bunch of BS and loose trust. (In my humble opinion, such reporting  deserves that judgment).

In all fairness, the R number points to weeks where we will need to be cautious in Luxembourg, but it is not through such journalism that we will succeed in winning over the population to do the right thing. A totalitarian draconian political approach won't work either. Be honest/truthful, humble, try your best to be neutral and say what the things are that we/you do not know. The result is trust because the message is truthful. We never were in such a situation, there are a lot of known unknowns and unknown unknowns. Just say it, there is no shame in not knowing everything at 100% at this stage.

[1] https://www.rtl.lu/news/national/a/1545407.html
[2] https://donneeen.lu/covid19/overview/