Last month, the Permanent Representatives Committee (Coreper) of the Council of the EU  the compromise texts agreed with the European Parliament on data protection reform. As a reminder, the reform is a legislative package concerning two legislative instruments: the second of which discussed here (and far less catching the press headlines than the General Data Protection Regulation or GDPR mentioned in my recent post  ) is the data protection Directive on the processing of data by law enforcement agencies (intended to replace the 2008 data protection framework  ).

It is probably a euphemism to say that Article 29 Data Protection Working Party (Article 29 WP) had some concerns about the draft Directive on the processing of personal data by law enforcement agencies. In its opinion dated 1 December 2015 commenting on the Council of the draft Directive (discussed by Alison in her earlier post) it stated:

“In this regard, the current Council text of the draft directive raises concerns in that it does not ensure that interferences in the private life of individuals and in the right to protection of personal data are limited to what is strictly necessary.

More specifically, …, the WP29 notes that personal data processed in a law enforcement context could be further processed for incompatible purposes”. [What does incompatible really mean and imply? Would it be at all possible to re-collect the data in order to pursue an incompatible purpose? Why not simply saying that the further processing would be unfair or even unlawful?]

Article 29 WP does not stop here. It also mentions that:

• Law enforcement agencies are not required to distinguish between different categories of data subjects when they process the data.
• Law enforcement agencies are not under an obligation to carry out a data protection impact assessment.
• There is nothing or very little on the conditions for granting access or transfer the data to private parties or third countries.
• Nothing prevents law enforcement agencies from creating profiles of data subjects “on the sole basis of sensitive data”.
• There is no obligation to notify data breaches.
• Law enforcement agencies’ powers are not sufficiently detailed.

The Council text is thus “highly detrimental” to the interests of data subjects.

The starting point for assessing the adequacy of the draft Directive should be Recommendation No. R(87)15 of the Committee of ministers to Member States regulating the use of personal data in the police sector at Council of Europe level, adds Article 29 WP, which should be used as a minimum threshold.

In addition, as the draft Directive and the proposed GDPR are part of the same package, the core aspects of the GDPR should actually be reflected within the Directive. In other words, Article 29 WP is saying that the GDPR contains a cluster of key rules of data protection from which a special piece of regulation cannot depart. These are the rules concerning data protection privacy impact assessments, data breach notifications, data subjects’ rights (…although these rights have to be adapted), and the role of supervisory authorities.

Article 29 WP is particularly concerned about PPP (the trendy abbreviation for public-private partnership) and the delegation of powers and prerogatives to private actors.

All of this also suggests that the draft Directive is not an access regime, a regime which according to the Court of Justice of the European Union (CJEU) in the Digital Ireland Rights case, discussed at length previously on this blog, would be needed to justify interferences to the right to private life caused by the imposition of retention obligations on private actors.

Then follows by the Article 29 WP in its Opinion a list of more specific comments regarding:

• Subject matter and objectives
• Fairness of the processing
• Purpose limitation
• Data minimization
• Distinction between the different categories of data subjects
• Special categories of data
• Genetic and biometric data
• Processing of personal data relating to children
• Profiling
• Data subjects’ rights
• Data controllers and data processors’ obligations
• Transfers of personal data to third countries or international organizations
• Role and powers of the supervisory authorities
• Right to lodge a complaint
• Previously concluded international agreements in the field of judicial cooperation in criminal matters and police co-operation

Reading the compromise text dated 16 December 2015, it is important to note at least the following points:

1. The subject matter of the compromise text still covers the processing of personal data for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against as well as the prevention of threats to public security (See Article 1). Yet Article 29 WP had said that “the prevention of threats to public security” is too vague as a concept: it can potentially cover many activities and would result in divergences between Member States (MS).
2. While the subject matter of the compromise text covers a list of purposes (as aforementioned), Article 4 then states that “MS shall provide that personal data must be: collected for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes;” (Article 4.1.b). The question is therefore whether Article 4.1.b really adds anything to Article 1. In other words, what is the point of recalling the principle of purpose limitation when a list of purposes has already previously been identified? The obvious answer seems to be that to make a processing lawful it would not be enough to allege that the processing is necessary for the prevention, investigation, detection or prosecution of criminal offences or for the prevention of threats to public security… in general. One would need to be more specific and look at the context. In other words, it would be essential to identify the types of criminal offence at stake, as well as the link between the offence and the data subject, and maybe as well the type of data to be collected. This is what Article 29 WP means when it says that “law enforcement, per se, shall not be considered as one specified, explicit and legitimate purpose”. [Wouldn’t it have helped if the compromise text had been clearer on this point?]. Article 5 has however been reintroduced in the 16 December version. It states that “Member States shall provide that, where applicable and as far as possible, the controller makes a clear distinction between personal data of different categories of data subjects”. [Does it mean that this distinction is crucial to define the purpose of the processing?].
3. Article 4 still mentions the data minimisation principle: “adequate, relevant, and not excessive in relation to the purposes for which they are processed”, although Article 29 WP was favouring a more restrictive version expressly mentioning that personal data “shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data”.
4. Article 9 provides that profiling based on sensitive data is prohibited, “unless suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place”.
5. Article 25a now requires data protection impact assessments to be undertaken in advance by the controller, “Where a type of processing, in particular, using new technologies, and taking into account the nature, scope, context and purposes of the processing is likely to result in a high risk for the rights and freedoms of individuals”.
6. Article 28 on personal data breach notification has been slightly [but only slightly] reworded. It states that “Member States shall provide that in the case of a personal data breach, the controller notifies without undue delay and, where feasible, not later than 72 hours after having become aware of it, the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk for the rights and freedom of individuals”.

Has Article 29 WP been heard?

To note, for background, Article 29 WP previously published an opinion (01/2014) on the application of necessity and proportionality concepts and data protection within the law enforcement sector. The opinion analyses how the European Court of Human Rights (ECHR) has interpreted necessity and proportionality and considers how these concepts link to data protection.

As regards the UK, the hot question is whether the Directive would offer at least the same level of protection as the Data Protection Act 1998 and its set of exceptions, such as s.29 covering personal data processed for crime and tax investigation purposes.

Sophie Stalla-Bourdillon