Last Thursday, April, 14th, the European Parliament gave the last kick for the adoption of the directive for data protection in the police and justice sectors. Jan Philip Albrecht, Marju Lauristin and Vera Jourova presented the new directive as key to improve cooperation across Europe in the fight against terrorism and other serious crime. The Directive is said to smooth data exchanges by setting a common standard of data protection and to protect EU citizens against mass surveillance or indiscriminate bulk data collection.
A text that went largely unnoticed
The text was long awaited since Framework Decision 2008/977/JHA failed to regulate internal data processing activities of law enforcement. For the first time, the Directive provides a harmonized framework for data processing activities with purposes of prevention, investigation, detection or prosecution of criminal offenses. The Directive also comes after two judgements, Digital Rights Ireland and Schrems, in which the CJEU has set important criteria for the respect of the fundamental rights to privacy and to data protection in the field of law enforcement, giving concrete guidelines to EU policy makers on how to “ensure full compliance with fundamental rights” in EU Security policies.
Despite being a milestone in the regulation of law enforcement data processing activities, the Directive has developed in the shadow of the heavily debated General Data Protection Regulation. CiTiP and TILT thus decided to organise a workshop on 2016 February, 1st, moderated by Frank Verbruggen, where the Directive was put under scrutiny.
A common standard for data protection?
Is there sufficient justification for separating the European data protection framework in two different regimes with different thresholds for personal data protection? Eleni Kosta recalled that the Lisbon Treaty allowed for the adoption of a single data protection instrument. However, the initial choice of the EU legislator of a regulation as general data protection instrument made it extremely difficult to even consider the option. Indeed, the subject remains a sensitive topic: law enforcement data processing activities were so far regulated by a Council Framework Decision and the UK, Ireland and Denmark (Protocols 21, 22 and 36) can opt out from the instruments adopted in the area of freedom, security and justice. Eleni stressed that the choice for a directive however leaves large margins of appreciation to the Member States, which might jeopardise the harmonisation objective of the Directive.
Which are the remaining challenges for building a robust data protection framework for the EU criminal justice and law enforcement area? Paul de Hert further pointed out that the Directive does not touch upon the legal regimes of the European Agencies involved in criminal justice and law enforcement (Europol, Eurojust, EPPO, EJN and OLAF). It does not regulate either the personal information they routinely exchange amongst them and with third countries or international organisations. De Hert advocates for a review of Regulation no. 45/2001 in order to subject these agencies to a strict oversight system that would combine internal data protection oversight, joint committees and the oversight of the EPDS. The EDPS would then hold a general monitoring role in cooperation with agency-appointed data protection officials.
Smoother cooperation and information exchange: what about purpose limitation?
Does the Directive provide meaningful rules for the implementation of the principle of purpose limitation in a sector that calls for increased data pooling and data flows? Fanny Coudert stressed that the Directive accommodates the use of big data by law enforcement and the implementation of intelligence-led policing methods via broad derogations to the purpose limitation principle (Article 4.2 and Recital 19). Yet, the directive includes strong obligations of transparency in terms of logging and requires data sharing to be proportionate. Supervisory authorities should leverage these two obligations to install a strict scrutiny over information exchange between law enforcement authorities.
A protection against mass surveillance
Which role will the Directive play in the broader context of the surveillance reform, particularly following significant recent CJEU and ECHR case law? TJ McIntyre looked at the recent case law of the ECHR and the CJEU on surveillance. He noted that the directive partially integrated these criteria set by the Courts (recital 18, 33, art. 7). TJ however showed concerns with regard to the efficiency of the implementation of the rules in practice, most particularly where national law does not separate national security and policing function (such as in Ireland). He also wondered to what extent DPAs could do a better job as oversight bodies than the ones already in place. He finally raised the question of whether the enforcement mechanisms installed by the directive would be more accessible than litigation for civil society.
A step forward?
The Directive does offer a substantial improvement for data protection as for the first time it establishes a common data protection standard for the police and justice sectors. It however remains a minimum harmonization text and it only contains loose provisions with regard to the new threats posed by intelligence-led policing. It thus remains to be seen how the Directive will be implemented in practice and which room of manoeuver will be let to data protection authorities and civil society to play their roles as watchdogs.