27 MARCH 2019
Summary by Alessandra Calvi, Brussels Privacy Hub, VUB
On 27 March 2019, the Brussels Privacy Hub hosted the seventh event of the Meet the Author series. This time, Juraj Sajfert (European Commission, DG JUST) and Teresa Quintel (Luxembourg University/Uppsala Universitet) presented their paper entitled “Data Protection Directive (EU) 2016/680 for Police and Criminal Justice Authorities” addressing the particularities of data protection in the area of police and justice by law enforcement agencies (LEAs).
They debated the outcomes of their work with Prof. Gert Vermeulen (Ghent University) and Cecilia Verkleij (European Commission, DG HOME). Dr Hielke Hijmans (Brussels Privacy Hub) chaired the discussion, that was followed by a lively Q&A with the audience.
Hielke Hijmans opened the event, introducing the authors and the discussants. He recalled the importance of data protection in the law enforcement area, considering the increasing importance of electronic evidence in this field. He invited the authors to discuss some of the challenges posed by the Directive 2016/680 (LED), namely, the scope and possible overlaps with other legal instruments, taking into account the role of private companies in law enforcement activities and the exclusion of national security matters from the scope of the Directive; the complicated relationship between data protection rights and procedural rights under criminal law; and the four focal points of the Directive as identified in the authors’ paper, namely profiling, indirect exercise of data subject rights, logs and international transfers.
Teresa Quintel clarified that both material and personal scope need to be met for the application of the LED: meaning that the processing must be carried out by a competent authority (personal scope) for the purposes of the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (material scope) (Article 1). Hence, when a competent authority does not process data for law enforcement purposes, other instruments apply, mainly the General Data Protection Regulation (GDPR).
She warned against the grey areas left by broad wording in several provisions ofthe LED. Firstly, the issue that national security remains a competence of Member States, therefore intelligence and military agencies are excluded from the scope of the Directive. Moreover, the vague definition of competent authority (Article 3(7)), the possibility to include minor offences in the scope of the Directive (recital 12) and the notion of criminal offences depending on national laws, coupled with the margin left to Member States, may lead to divergences in the transposition. At the same time, she noted that the Directive could theoretically apply to certain processing activities by intelligence services whenever they carry out processing for law enforcement purposes, as intelligence services could fall within the definition of Article 3(7) in certain situations.
She outlined that the objectives of the Directive require more flexibility regarding the restriction of data subject rights compared with the GDPR (e.g. limitation to data access are justified not to hamper investigations), adding that also the understanding of principles, such as purpose limitation and data minimisation, are quite different and that, while the architecture of Chapter V on international transfers is similar to the one under the GDPR, the logic applied to such transfers under the Directive is different.
She concluded by saying that the effectiveness of the LED will depend on the implementation by the Member States.
Juraj Sajfert expressed his regrets that the Directive, albeit being very innovative and capable to unify the patchwork of different rules that used to be in force under the former third pillar, was not recognised as revolutionary as the GDPR. He outlined that both the GDPR and LED are enabling laws, the Directive in particular enabling Member States’ law enforcement authorities to “bring their house in order”.
Then, it was the turn of the discussants to convey their critical remarks. Gert Vermeulen questioned the revolutionary feature of the LED claimed by the authors. He pointed out that many positive elements of the Directive, as the logging rules and the classification of data subjects in different categories, were already contained in the criticised patchwork of former rules. He mentioned the Recommendation No. R (87) 15 regulating the use of personal data in the police sector, based on the Convention 108 or the Protection of Individuals with regard to Automatic Processing of Personal Dataand the Europol Conventionand he added that the limits of former Council Framework Decision 2008/977/JHAdepended mainly on the lack of EU competences in the field.
He highlighted that the Directive failed to address certain crucial challenges, such as the interoperability of EU Information Systems. He questioned the idea that the LED offers less protection than the GDPR, outlining that the prohibition of profiling based on sensitive data and the right to obtain human intervention are stronger in the LED than in the GDPR. He highlighted certain scope inconsistenciesin the Directive that create confusion and uncertainty. He referred to Financial Investigation Units (FIUs) and administrative authorities, that in certain Member States, as Belgium, have been considered falling within the LED, a solution opposed by the Commission but apparently supported by recital 12 LED. He also mentioned minor offences, that should not qualify under the Directive, whereas the cooperation in criminal matters historically encompassed also them.
He observed that the article failed to analyse in depth the divide between national security and law enforcement, and that uncertainty may lead to the bypass of LED rules and affect also procedural rights. He observed that, whereas in criminal matters the right of defence entails the right to know the origin of the information and transparency on how data has been transferred between different authorities, in case of intelligence, the rights of suspects may be more limited. He outlined how data protectionand right to defence may clash, providing that a mere focus on data protection could counter procedural guarantees or rights. He referred to extradition in international criminal law and to the specificity principle, which has a subjective right feature, that is to ensure that the recipient state does not change the purpose of the received information and prosecutes a suspect only for a specific offence. However, if the same information may be used in another case to acquit a person, the purpose limitation clashes with the right to defense.
He concluded by deeply criticising the E-evidence Regulation Proposal that over-prioritises data location instead of data subject location.1 He called for a procedural right position of the person to be protected under the law where the data subject is communicating from, rather than the place where the service provider is located.
Cecilia Verkleij outlined how regulating information exchange means effectively dealing with privacy and data protection. She pointed out that the LED proves that privacy, trust and security can go in the same direction. She admitted that the LED is not perfect but represents an improvement compared to earlier instruments based on the Schengen Conventionand the Maastricht Treaty. She highlighted the role of the European Court of Justice for the implementation of the Directive, also because this could clarify the understanding of the border between national security and law enforcement.
She pointed out that the level of protection offered by the LED is often misunderstood. She claimed that the Directive is stricter than GDPR in certain areas, but she admitted that certain points remain unclear, especially in relation with the borders of EUcompetences and in case of coordination with other instruments.
However, she warned against the risk to over-dramatize these shortcomings. She made clear that migration controls and identity checks at borders do not fall within the scope of the Directive, since they are not law enforcement activities, although they may become so insofar as a person gives forged documents or is without them. She asked more explanations about the difference between the notions of “further processing” under the GDPR and “subsequent processing” under the LED.She doubted that minor offences should be considered to be covered by the GDPR. She praised the ensuring of indirect data access, performed by a trusted third party (data protection supervisory authority), in situations where the direct one is not possible.
In the following debate, Juraj Sajfert admitted the importance of the previous third pillar rules, but highlighted that, for first time, the LED poses horizontal rules for all law enforcement authorities in Member States. He exalted the force of consolidation of the Directive, pointing out that in recent instruments, such as the proposal on interoperability, databases have been revised to converge towards the rules laid down by the Directive and the GDPR.
He admitted that the Directive offers more guarantees than the GDPR in certain circumstances, but he stressed that, for other aspects, GDPR safeguards are broader, especially concerning purpose limitation, transparency and data minimisation. He disagreed on the fact that FIUs should fall within the scope of the LED because FIUs have been entrusted with certain tasks under the Anti Money Laundering (AML) legal framework, that, when updated in 2017, explicitly referred to the GDPR, and not to the LED. He also argued that FIUs, rather than performing law enforcement tasks, actually provide assistance to the law enforcers, in a similar way as OLAF, which applies Regulation (EU) 2018/1725 (EUDPR).He pointed out that minor offences or decriminalised ones need to be covered by the GDPR.
He expressed optimism concerning the transposition of the LED, completed in 23 Member States up until now. He stated that the main issues with the transposition are the dysfunctional approach to the scope, as the same conduct can be a crime in one Member State but not in another and therefore may be covered either by the GDPR or the LED; the details on the restrictions to data subject rights; the indirect access via DPAs, which in certain Member States have not been entrusted with sufficient powers; the rules on international data transfers, which have not been fully implemented; and the attempt of certain Member States to introduce other legal bases for processing to the LED, such as consent, which is not possible.
Teresa Quintel argued that, since the Directive gives more flexibility to the definition of law enforcement activities, FIUs may be competent authorities within the scope of Directive. She outlined that the association of migration with security threats and terrorism, could lead to the application of the Directive instead of the GDPR where it would not be entirely clear whether data are being processed for immigration or law enforcement purposes. She pointed to the concerns that might arise with the interoperability of EU Databases in that regard. She reiterated the challenges posed by the difficult coordination between the LED and the GDPR in this field and suggested to consider Regulation (EU)2018/1725, and in particular, its Chapter IX on operational data as a role model on how processing could be done at national level, and how to delineate in the area of migration, between the application of the GDPR and the LED.
Hielke Hijmans then opened the Q&A with the public. The idea to have an article by article legal commentary on the Directive was raised.
The opportunity to discuss e-evidence proposal from a data protection perspective, to avoid inconsistencies, was stressed, providing that under the current Article11of the proposal the obligation to inform the data subject seems less strong than under the LED. It was clarified that, in relation with the right to defence, the Directive innovates, asnow the defendant’s lawyers do not have to verify the existence of cross-border transfers anymore, which was the caseunder the former Framework Decision. The need not to frustrate procedural legal guarantees in the name of data protectionwas emphasised. Doubts on the coordination of the LED framework with PNR rules were also raised. Hielke Hijmans concluded the session thanking the authors, the discussants and the audience for the lively debate.
Keep up to date of our activities and developments. Sign up to our newsletter:
Copyright © Brussels Privacy Hub