Out-Law / Your Daily Need-To-Know

Further data protection proposals for law enforcement will clarify existing law, expert says

Out-Law News | 14 Dec 2011 | 9:55 am | 2 min. read

Different categories of data subject and stricter criteria for the processing of personal data could be introduced under leaked proposals dealing with how data can be shared between Europe's law enforcement authorities.

A leaked draft Police and Criminal Justice Data Protection Directive (69-page / 376KB PDF) reduces the number and type of situations in which personal data which can be processed by law enforcement bodies to those where it is "necessary for the performance of a task carried out by the competent authority", or where the processing is "necessary in order to protect the vital interests of the data subject".

Civil liberties group Statewatch, which published a copy of the leaked Directive, last week obtained a leaked draft 'General Data Protection Regulation' outlining new requirements that organisations would have to comply with when collecting and processing personal data. Changes to EU data protection laws are expected to be formally proposed in late January.

If genuine, the new Police and Criminal Justice Data Protection Directive will lay down rules to protect individuals whose personal data may be processed by 'competent authorities' for the purposes of "prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties". If member states implement the proposals, then law enforcement bodies within the EU will be able to exchange this data.

Data protection law expert Kathryn Wynn suggested that while the new wording might appear to narrow the criteria for what personal data could be processed by law enforcement bodies, in practice it would bring more clarity to the existing law.

"The leaked Directive appears to be an attempt to harmonise national laws in relation to data processing and sharing between law enforcement agencies across the European Union. The leaked Directive does provide much of the detail that the Data Protection Directive, and therefore the DPA, lacked - the high level nature of which could often lead to more questions than it answered, particularly in relation to sharing the personal data of victims," she said.

However, she warned that some of the leaked Directive's provisions would likely be met with "resistance", particularly those granting greater access rights to data subjects.

Article 14 of the leaked Directive creates an obligation for member states to ensure a data subject's right of access to any personal data held about them. Any exemptions to this right must be enshrined by law and constitute "a necessary and proportionate measure in a democratic society", the document said.

Wynn highlighted the "explicit distinction" the leaked Directive made between different 'categories' of data subject. Article 5 of the leaked Directive introduces a distinction between the personal data of different categories of data subjects, including suspected and convicted criminals and victims.

"The Data Protection Directive was data subject neutral, although the identity of the data subject could be taken into account when determining whether any prejudice to the privacy of a data subject was unwarranted," she said.

The leaked Directive also introduces an obligation to notify the "supervisory authority" and, in some circumstances, the data subject in the event of any personal data breaches. The document said this was "inspired by" the requirements of the Privacy and Electronic Communications Directive, which currently only apply to telecommunications companies. The Information Commissioner's Office (ICO) acts as supervisory authority in the UK.

The law governing how personal data may be processed by law enforcement authorities is contained in the current Data Protection Directive, and is implemented in the UK by Schedule 2 of the Data Protection Act (DPA). Further measures covering the exchange of personal data between law enforcement agencies in EU member states were contained in a Council Framework Decision (44-page / 206KB PDF) in 2008, however this only applied to cross-border data processing.

In a speech at the second annual European Data Protection and Privacy Conference in Brussels last week, EU Justice Commissioner Viviane Reding outlined her commitment to introducing "the same rules for both cross-border and domestic processing for law enforcement purposes".

"This will enhance mutual trust between police forces in different Member States and improve the free flow of data in the fight against crime," she said.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.