Adoption of new Data Protection Directive for police and judicial cooperation is one step closer – however, arguments continue over the extent to which the processing of personal data for the purposes of law enforcement, as well as the “safeguarding against and the prevention of threats to public security”, should be subject to traditional EU data protection rules
On 9 October, it was announced that Ministers in the Justice and Home Affairs (JHA) Council have reached agreement over their first reading of the proposal for a new data protection Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data (‘the proposal for a Directive’). The JHA Council endorsed amendments to the text that was forwarded by the Presidency on 2 October 2015 (following a meeting of the Permanent Representatives Committee the day before). If the Directive is adopted, EU Member States would be required to implement it in their national law, while retaining the necessary flexibility when implementing its rules and their exemptions at national level.
The proposal for a Directive is intended to replace Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters, which currently lays down the minimum data protection safeguards (necessary measures that must be taken in respect of data processing, data transmission, rights of data subjects, and data security) in the area of police and judicial cooperation. In particular, this Framework Decision applies to cross-border exchanges of personal data within the framework of police and judicial cooperation between law enforcement authorities of different EU Member States.
For background, the proposal for a Directive was originally put forward by the European Commission in 2012, as a supplement to the Commission’s proposal for a General Data Protection Regulation (GDPR) because the latter would specifically exclude the regulation of processing activities for criminal law enforcement purposes from its scope (draft Article 2(2)(e)). The proposal was issued based upon Article 16(2) of the Treaty on the Functioning of the EU (TFEU), a new, specific legal basis introduced by the Lisbon Treaty for the adoption of rules relating to the protection of individuals with regard to the processing of personal data by EU institutions, bodies, offices and agencies, and by Member States when carrying out activities which fall within the scope of EU law, and the rules relating to the free movement of such data. The text of the proposal for a Directive was published by the Commission in tandem with a Report based on Article 29 (2) of the Council Framework Decision of 27 November 2008 on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters. This report contains an assessment of the extent to which Member States had complied with the provisions of the Framework Decision, upon which the Commission’s belief was founded that a new Directive was required.
The proposal for a Directive adopts the same baseline approach as the Framework Decision but raises its requirements to a higher level. One of its most important aims (to distinguish it from the Decision) is to broaden the scope of the application of the existing rules so that they will apply to processing activities by the police and judiciary authorities at national level, and not just to cross-border transfers of data by such authorities. It has also been proposed – by the Council – that the Directive should apply not just to traditional areas of criminal law enforcement and justice activity, but also when authorities process personal data in the context of “safeguarding against and preventing threats to public security”. What might the latter cover in practice? The Council’s text amendments give a clue in stating that such activities are “aimed at preventing human behaviour which may lead to threats to fundamental interests of the society protected by the law and which may lead to a criminal offence”, giving the example of the “exercise of authority by taking coercive measures such as police activities at demonstrations, major sporting events and riots”.
Other proposed benefits of the Directive would include the following:
- Better protection of EU citizens’ fundamental rights when their data are processed by relevant public bodies – All EU citizens’ personal data should be processed lawfully, fairly, and only for a specific (legitimate) purpose – i.e. within the bounds of necessity, proportionality and legality – with appropriate safeguards for the individuals. Supervision should be ensured by national data protection authorities (acting independently).
- Effective judicial remedies enabled – The new Directive would also grant a data subject the right to receive compensation if he or she has suffered damage as a consequence of processing that has not respected the rules.
- Cutting costs – Police and criminal justice authorities will only have to apply one set of rules to both domestic processing and cross-border transfers of personal data.
- Better agency cooperation – More harmonised laws on data protection should enable police and criminal justice authorities to cooperate more effectively nationally and internationally. In turn, this should facilitate the exchange of personal data between law enforcement authorities within the EU.
The Justice Ministers’ approach in reaching agreement in their first reading, however, has not been without some disagreement, in particular regarding the proposed scope of the new Directive. For example, the Council of the EU stated in 2011 (in its Conclusions on the Communication from the Commission on data protection reform) that “certain limitations have to be set regarding the rights of individuals in the specific context in a harmonised and balanced way, when necessary and proportionate and taking into account the legitimate goals pursued by law enforcement authorities in combating crime and maintaining public security”. Of course, the next question is, to what extent?
In 2012, by comparison, the European Data Protection Supervisor (EDPS) expressed disappointment in his opinion on the proposed data protection reform package about the lower level of protection granted by the Directive compared to the GDPR. The EDPS stated that “consistency and comprehensiveness militate in favour of an approach whereby a Regulation sets out the general rules on data protection, complemented by additional sectoral rules”, as such a Regulation “would indicate the general conditions for restricting certain rights and obligations for the purpose of prevention, detection, investigation and prosecution of criminal offences” and “[a]dditional specific rules would harmonise national rules adopted in this area…” (para 35). In other words, the proposal for a Directive contains a separate version of data protection concepts and principles, which could lead to confusion and inconsistencies in application, both due to differing provisions and, over time, due to court decisions under each instrument. He gave the example of where activities of the private sector and law enforcement authority interact (such as regarding the transfer of passenger names records by airlines), or where information is transferred by one public authority to another that is not responsible for law enforcement.
[The EDPS’ views on this point are a subject of debate at national, as well as EU, level. For example, the UK Government published a 2013 response on a report prepared by the House of Commons Justice Committee on the EU data protection reform proposals. The government argued in that response that it is important that the use of data in the areas covered is “very different” and that there is a need for greater flexibility in the field of police and judicial cooperation due to the operational requirements in this area. The government goes on to argue that “If the proposed Regulation [GDPR] were to be changed to a Directive and the proposal for a Directive were to be taken forward, then there would be two Directives, one for the general data protection framework and one for processing in the area of police and judicial co-operation in criminal matters. An advantage of this approach would be that the two Directives could then be implemented in a single piece of domestic legislation to help avoid confusion and support consistency where necessary”.]
Following the EU ordinary legislative procedure, also wading into this debate is the European Parliament. It set out its negotiating stance on this issue in its legislative resolution to its first reading dated March 2014. For example, Parliament has proposed amending the Commission’s original text in the following ways:
- Strengthening the powers of supervisory authorities. The latter should have the same duties and effective powers in each Member State, including effective powers of investigation, power to access all personal data and all information necessary for the performance of each supervisory function, power to access any of the premises of the data controller or the processor including data processing requirements. Supervisory authorities’ powers should also extend to: (i) warning or admonishing the controller or the processor; (ii) ordering the rectification, erasure or destruction of all data when they have been processed in breach of the provisions; (iii) imposing a temporary or definitive ban on processing; and, (iv) informing national parliaments, the government or other public institutions as well as the public on the matter. It was also proposed that each supervisory authority should have the power to impose penalties in respect of administrative offences.
- Strengthening general principles for the rights of the data subject and codifying these rights if necessary. Such rights would include: (i) the provision of clear and easily understandable information regarding the processing of one’s personal data, the right of access, rectification and erasure of one’s data, (ii) the right to obtain data, (iii) the right to lodge a complaint with the competent data protection authority and to bring legal proceedings, as well as (iv) the right to compensation and damages resulting from an unlawful processing operation. Such rights should in general be exercised free of charge.
- Requiring that the personal data must not be transmitted to a natural or legal person not subject to the provisions adopted pursuant to the Directive (such as private parties). In this context, see the Parliament’s proposal for a new Recital 65(a): “Transmission of personal data to other authorities or private parties in the Union is prohibited unless the transmission is in compliance with law, and the recipient is established in a Member State, and no legitimate specific interests of the data subject prevent transmission, and the transmission is necessary in a specific case for the controller transmitting the data for either the performance of a task lawfully assigned to it, or the prevention of an immediate and serious danger to public security, or the prevention of serious harm to the rights of individuals. The controller should inform the recipient of the purpose of the processing and the supervisory authority of the transmission. The recipient should also be informed of processing restrictions and ensure that they are met.”
In addition, European parliamentary concerns about the Council’s draft position are clear from extracts from a recent statement by Jan Philipp Albrecht – the rapporteur on the draft GDPR – as follows: “The common position expected to be agreed by justice ministers … is disappointing and would deliver almost no improvements on the current legal situation. EU governments are only willing to make vague commitments as regards the data protection rights of those affected. The ministers are looking to introduce numerous exemptions as regards the right to information. Worryingly, police and justice authorities would not have to specify if they reduce these rights even further … It is totally unacceptable that the proposals on the table fail to differentiate between suspects, witnesses, guilty parties and victims as regards the protection of their fundamental rights, with regard to the proportionality of privacy infringements. The role of data protection authorities in this context is also left totally unclear … The purpose behind this reform, namely that a better harmonisation would strengthen citizens’ rights, is being completely lost. Without cross-border data protection standards, it is unacceptable that there can be greater cooperation and information exchange between police authorities. The position of EU governments on this directive is clearly at odds with many elements of the position voted by the European Parliament.”
The next stage in the legislative process is for three-way ‘trilogue’ discussions to commence between representatives of the Commission, Parliament and Council later this month. This would bring the EU institutions a step closer to achieving their objective of concluding the entire data protection reform package by the end of this year.
A further key issue for debate at the negotiating table, not mentioned previously, regards the proposal that the new Directive would also establish general principles and clear rules for the transfer of personal data by police and criminal justice authorities outside the EU. (Again, the current Framework Decision only covers police and judicial data exchanged between Member States, EU authorities and systems.) The Commission’s original 2012 text provided that where the Commission decides that a third country, or a territory within that third country, or an international organisation does not ensure an adequate level of protection, a controller or processor may not transfer personal data to it. This would aim to ensure that these transfers take place with an ‘adequate’ level of data protection. In turn, this might raise the prospect that the new Directive could be considered to provide some type of adequacy acknowledgement that those non-EU countries that commit to abide by the same minimum standards laid out in it (such as through explicit international and formal commitments) have an adequate level of data protection in the area of law enforcement cooperation. This could have implications for the recent debate on the Schrems decision and its revocation of the safe harbour EU-US data protection decision, at least in part.
Notwithstanding, until the trilogue negotiators agree on what safeguards are necessary to protect the data protection rights of persons whose personal data has been transferred to third countries in this context, this remains a moot point.
Finally, from a UK perspective, it appears that the new Directive would have less application than in other EU Member States – at least as compared with the existing situation – as the Data Protection Act 1998 applies to the domestic processing of personal data by police, such as between police forces.