Last week I wrote about the leaked draft of the Regulation that is to replace Directive 95/46/EC. This week’s leak is the Directive that extends data protection to Europe's law enforcement agencies. ("Proposal for a Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of crime”).
This Directive has one main objective: data sharing between Europe's law enforcement agencies. This is a complex matter and not all Member States will like the interference from Brussels - nor will they like the implication that there can be sharing. This in turn means that the text of the Directive will be subject to detailed discussion by all Member States of the Union and is likely to undergo extensive modification before a final text is agreed.
For that reason, I am not going to analyse it much – but enough to give you a steer as to its content. I would not spend too much time on it - but please note: extension of sensitive personal data, role of data protection officer, mandatory data loss provisions, mandatory Privacy Impact Assessments, the concept of a "co-controller", and detailed attention to Article 8 of the Human Rights Convention.
The purpose of the Directive is to lay down rules relating to the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. If Member States implement the protective elements of the Directive (i.e towards individuals), then personal data can be exchanged by competent authorities (i.e. law enforcement bodies) within the European Union.
This Directive contains the definitions for terms used in the Directive 95/46/EC, adding new definitions such as ‘personal data breach’, ‘genetic data’ and ‘biometric data’. A ‘competent authorities’ is any law enforcement agency with the power to prosecute whilst a child is someone under 18. This latter provision will not endear itself to the UK - did you see all those children in last August's riots? I can imagine the Daily Mail headline already!
The data protection principles are augmented with a transparency principle, a data minimisation principle and 'principle of accountability'. Article 5 is a new provision as it requires the distinction between personal data of different categories of data subjects. These categories of data subjects are:
(a) persons where there are serious grounds for believing that they have committed or are about to commit a criminal offence;
(b) persons convicted of a criminal offence;
(c) victims of a criminal offence, or persons with regard to whom certain facts give reasons for believing that he or she could be the victim of a criminal offence;
(d) third parties to the criminal offence, such as persons who might be called on to testify in investigations in connection with criminal offences or subsequent criminal proceedings, or a person who can provide information on criminal offences, or a contact or associate to one of the persons mentioned in (a) and (b); and
(e) persons who do not fall within any of the categories referred to above.
The implication is that the data protection rules will apply differently to the above categories of data subjects.
The Directive reduces the valid criteria for the processing of personal data (Schedule 2 for those familiar with the UK's DPA) by law enforcement bodies to “processing is necessary for the performance of a task carried out by a competent authority” (e.g. for a law enforcement purposes) or the “processing is necessary in order to protect the vital interests of the data subject”. No other options are possible (except where sensitive personal data has been made public by the data subject).
Article 8-11 sets out a number of general prohibitions. For example, if the purpose of the processing changes, then that change has to be prescribed by law Article 10 establishes rules on the processing of genetic data, “codifying” ECtHR case law (e.g Marper v UK); genetic data are classified as “Sensitive Personal Data” for those familiar with the UK Act. Article 11 requires profiling to be authorised by law.
Article 14 provides the obligation of Member States to ensure the data subject's right of access. Exemptions to this right must be enshrined by law and “constitutes a necessary and proportionate measure in a democratic society” (i.e. my emphasis of an explicit link to Article 8(2))). These exemptions have to be justified in terms of:
“(a) to avoid obstructing official or legal inquiries, investigations or procedures;
(b) to avoid prejudicing the prevention, detection, investigation and prosecution of criminal offences or for the execution of criminal penalties;
(c) to protect public security;
(d) to protect national security;
(e) to protect the rights and freedoms of others.”
Articles 20-25, responds to the debate on a "principle of accountability” and sets out obligations that demonstrate compliance, including the adoption of policies and mechanisms for ensuring compliance. Such data controllers “must ensure the compliance of the controller with the obligations arising from the principles of data protection by design and default” and clarify “the position and obligation of data processors”. There is new status of “co-controllers” (e.g. a processor that processes data beyond the controller's instructions is to be considered a co-controller).
The security provisions are based on those in Article 17(1) of Directive 95/46/E|C except there is an obligation to notify personal data breaches, inspired by the personal data breach notification in Article 4(3) of the ePrivacy Directive 2002/58/EC, clarifying and separating the obligations to notify the supervisory authority (Article 29) and to communicate, in qualified circumstances, to the data subject Data controllers and processors are to carry out a data protection impact assessment prior to risky processing operations by relevant information.
Areas where a PIA is envisaged includes:
(a) processing of personal data in large scale filing systems for the purposes of the prevention, detection, investigation or prosecution of criminal offences and the execution of criminal penalties;
(b) processing of special categories of personal data (i.e. sensitive personal data) related to children and of biometric data for the purposes of the prevention, detection, investigation or prosecution of criminal offences and the execution of criminal penalties.
(c) an evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's behaviour, which is based on automated processing and likely to result in measures that produces legal effects concerning the individual or significantly affects the individual; (d) monitoring publicly accessible areas, especially when using optic-electronic
devices (video surveillance); or
(e) other processing operations for which the consultation of the supervisory authority is required (because of the potentially controversial nature.
Articles 33-35 follows last week’s leaked Regulation and introduces a mandatory data protection officer of the controller, sets out the position of the data protection officer and defines the core tasks of the data protection officer. A Data Protection Officer has definitely become flavour of the month (indeed, I wonder where these guys can get training?).
Article 36 sets out the general principles for data transfers to third countries or international organisations, including onward transfers. It clarifies that transfers may take place to third countries in relation to which the Commission has adopted an adequacy decision or, in the absence of such decision, where appropriate safeguards are in place in a legally binding instrument, such as an international agreement.
I don't like these provisions. They give carte-blanche for the European Commission to determine any territory as offering an "adequate" level of protection. As with some transfers of PNR data to the USA, Europe's data protection authoritites disagree with what the Commission thinks as "adequate".
The rest of the Directive sets out the provisions similar to the Regulation with respect to a European Data Protection Board and the powers of national data protection supervisory authorities.
References
You can load the Proposed Directive by following the link: http://www.statewatch.org/news/2011/dec/ep-dp-leas-draft-directive.pdf
Comments
You can follow this conversation by subscribing to the comment feed for this post.