SPEAKERS’ CONTRIBUTIONS
DATA PROTECTION IN THE AREA OF EUROPEAN CRIMINAL JUSTICE TODAY
Trier, 5-6 November 2012 312D122
SPEAKERS’ PRESENTATIONS
1. Calling for reform? The EU’s current data protection framework in the field
of criminal justice
Monica den Boer
2. A robust reform? The EU’s data protection package for police and justice
Giovanni Buttarelli
3. Which law to apply? Status and scope of implementation of the 2008
Framework Decision on the protection of personal data processed in the
framework of police and judicial cooperation in criminal matters
Thomas Zerdick
4. The new features of the draft Directive
• A wider scope: domestic processing
• New concepts, definitions, and additional principles
• The role of data protection authorities
• Transfer of data to third states: improved assessment
Paul de Hert
5. OLAF's transfers to third countries and international organisations by means
of adequate safeguards: what would change?
Laraine Laudati
6. The proposed directive on data protection in the area of police and justice: a
closer look:
The omission of Europol and Eurojust from the draft Directive
Diana Alonso Blas
7. Accessing private-sector data: the need for common regulations for the police
Caroline Goemans-Dorny
8. Law enforcement access to Eurodac: the Commission’s proposal of 30 May
2012
Priscilla de Locht
9. Put to the test: state of play of the Data Retention Directive
• The Directive’s validity before the CJEU
• The German and Romanian court rulings
• The Commission’s impact assessment on future options
Herke Kranenborg and Cecilia Verkleij
Calling for a Reform? The EU Current Data Protection
Framework in the Field of Criminal Justice ERA, Trier, 5/11/12
Trends & Developments
Principle of availability – Swedish Framework Decision – direct interface
Interoperability & Multi-agency co-operation; networked security environments
Public-private data exchange
Technological innovation & interface
Expansion of the number of authorized users in international data exchange environment (enlargement)
Precautionary security (proactive monitoring / surveillance / risk assessment)
Digitalization of entry / exit / border controls
EU Data Protection Framework Long Overdue Why?
• Most, if not all, regulatory instruments on police and judicial co-operation relate to information and/or intelligence exchange
• Since the early nineties, a considerable number of international databases have been established: SIS, EIS, VIS, Eurodac
• The number of surveillance instruments in the EU has significantly expanded: Data Retention, Interception of telecommunication, TFTP – SWIFT, PNR
Challenges for a Data Protection Framework
Multi-level governance: local, regional, national, international
Different data protection cultures & standards, between countries (citizens, oversight mechanisms) & between sectors
• Some MS lack framework legislation, e.g. The Netherlands
Data protection is seen as an obstacle rather than a facilitator (by police officers)
Or is data protection a smoke-screen for non-cooperation (lack of trust / reciprocity?)
Data protection as an issue for training, professionalization and ethics
Purposes of data-gathering and –exchange practices have geared towards aggregating state knowledge about sizeable parts of the population
By searches on the basis of specific characteristics and by means of data- and text-mining techniques (Foucault).
Formal Guarantees & Outlook
Leading principles:
• Council of Europe Recommendation
• Article 8 ECHR
• Article 7 Fundamental Rights Charter
• Former EU Data Protection Directives (1995, 1996)
The Lisbon Treaty and the Stockholm AFSJ Action Programme enshrine data protection as a fundamental right in the EU Charter, making it binding for EU-institutions
The Stockholm Programme called for a new comprehensive legal framework in its chapter on the fundamental right of the citizen
Article 16 TFEU creates a general and horizontal basis for data protection
The strengthened role of the EU-institutions – Commission, Court and Parliament – will enhance checks and balances, also in data protection terms
Data Protection Concerns
Increased volume of data (proportionality)
Use of data systems for newly arising policy objectives (finality)
The vast number of authorized users in an increasingly multi-disciplinary environment (access & authorization)
Interlinking massive data-bases (subsidiarity, proportionality)
The differentiation in data quality standards between the Member States (quality control)
The lack of judicial redress for the submission and handling of individual complaints (procedural safeguards, fair trial)
Issues of proportionality and subsidiarity have been addressed in the proposed Data Protection Directive
Recommendations (I)
Select before you collect -> change from information quantity to information quality.
Surveillance measures should only be used when (externally) evaluated as effective -> proven effectiveness; avoidance of function creep
Sunset-clauses should be introduced for each new surveillance measure, allowing parliaments and civil oversight bodies (to propose) to withdraw the relevant measure -> proven effectiveness, efficiency and proportionality. Sunset-clauses may help to prevent mission-creep in the policy use of ICT-technology.
Encryption of personal data in networked environments -> data integrity in surveillance contexts
No interconnection between electronic databases -> interoperability only when categories of data are shielded.
Data should not migrate between authorities, services and data-bases without approval of the individual who is the owner of the data -> prior consent, informationelle Selbstbestimmung.
Retention of data should also be based on individual consent.
Recommendations (II)
Information rights are pivotal.
The EU should introduce an Information Charter, imposing norms on public and private authorities in the EU Member States.
Independent oversight: 9 March 2010 EU Court of Justice ruled on criteria for the independence of data protection authorities under European Union law. This is one of the cornerstones of data protection.
Accountability procedures for the authority that performs the surveillance and judicial redress for individuals.
Professionals who are endowed with surveillance powers should receive ethics and data protection training at several stages throughout their career.
(Organisational) transparency about surveillance instruments and the processes employed for data-gathering; the decisions which are based on data-collection and data-analysis
Concluding Notes and Outlook
Comprehensive legal framework proposed by the European Commission; consultation rounds.
New surveillance measures should be assessed and scrutinized prior to their introduction -> pre-assessment check / impact assessments: prior checking by the EDPS
EP should require that a risk-impact assessment for all e-activities and R&D includes high specification technical provisions to safeguard privacy
The Stockholm Programme proposed a so-called certification scheme for privacy-aware technologies, products and services.
Governmental restraint (based on classic data protection principles finality, proportionality and subsidiarity) should be exercised in the mass collection of data
Public Debate!
The EU’s data protection for police and justice
Need for robust reform
Giovanni Buttarelli ERA, 5 November 2012
A new data protection framework
Reasons for a substantive reform
• Increased transnational flows of data to be facilitated while ensuring adequate protection
• Institutional changes: the Lisbon Treaty (Article 16/Declaration 21) and the Charter
• A fragmented legal framework at EU level: need for more harmonisation and new coherent and uniformly applied EU rules
• Legal certainty
• Need for a change on processing of personal data for police and judicial co-operation
• Technological changes
The new Data Protection framework is a huge step forward for DP in the EU:
-Enhances harmonisation of data protection
-Reinforces position and rights of data subjects
-Makes controllers more accountable
-Strengthens supervision and enforcement
General Assessment
Lack of comprehensiveness:
- The Regulation and the Directive taken together do not create a comprehensive DP framework
New data protection framework
- The Chapeau Communication
- The draft Regulation
- The draft Directive for law enforcement
Proposal for a DP Directive for law enforcement purposes
Area of police and judicial cooperation in criminal matters requires:
- High level of protection due to intrusive nature and major impact on the individual’s life
- Equal protection for all data subjects in all MS
- That every departure from general DP rules is duly justified and based on proper balance
What we appreciate at the EDPS
• The objectives of the reform
• COMM says that EU needs a more comprehensive approach
• The scope of application of the Directive
• Subsidiarity and proportionality tests
• Transparency and data protection policies
• Distinctions between categories of data subjects
• Distinctions about categories of data
• Rights of data subjects
• Privacy by design and by default
• The obligation to notify personal data breaches
• The intervention of a supervisory authority in case of restrictions of data subjects rights
• Data Protection Officers
What we regret
• A Directive as a self standing legal instrument
• The global level of data protection
• Definitions and ambiguities
• Lack of clarity about rules applicable to transfers of data between LAB and other authorities or private entities
• No specific attention to the position of children
• Lack of comprehensiveness
• Specific acts on police/judicial co-operation in criminal matters remain unaffected
• Absence of any obligation to demonstrate compliance with the Directive
DP instruments in Area FSJ:
– DPFD
– Council Decision on Prüm + Implementing Decision
– ‘Swedish’ Framework Decision
– Europol-Decision
– Eurojust-Decision
– Criminal Records + ECRIS-System
– PNR-Agreements, TFTP-Agreement
– SIS, VIS, Eurodac
– Data retention
New instruments announced:
• Action Plan Stockholm Programme, incl. Information Management Strategy
• EU PNR
• EU TFTS
• Entry-Exit, Registered Travellers
• Law enforcement access to Eurodac
• Revision data retention directive
• Review Europol framework
A global framework ?
• Until Lisbon, only supervisory competence for First Pillar.
• Now also ex 2nd + 3rd former pillars, but not replacing specific bodies (JSBs)
• Coordinated supervision for CIS, VIS, Eurodac and in future SISII
• Consultative role also in ex 2nd and 3rd former pillars
• International aspects: Comprehensive protection, also in relation with US: ‘General Agreement on its way.’
Other issues to be discussed
• A reform as a package. Timing
• The notion of ‘competent authority’
• The purpose limitation principle
• Provisions on special categories of data
• Unduly limited powers of supervisory authorities
• Supervision on judicial authorities
• Recipients in third countries
• EU institutions and bodies
• Delegated acts and implementing acts
What we encourage
• Increase the level of data protection
• More clarity on definitions and on all substantive principles
• Ensure that controllers demonstrate compliance for each processing operation
• Improve evaluation mechanisms for assessments on necessity and proportionality
• Better define and apply limitations and exceptions to fundamental rights
• Data quality: storage periods and periodic reviews
• Better align powers of supervisory authorities in the Regulation and in the Directive. DPAs are to be better consulted
• A stricter deadline to amend existing legal instruments
Conclusion
The proposed rules for data protection in the law enforcement area are unacceptably weak.
In many instances there is no justification whatsoever for departing from the rules provided in the proposed Regulation.
The law enforcement area requires some specific rules, but not a general lowering of the level of data protection.
Thank you for your attention
Status and scope of implementation
of FD 2008/977/JHA
ERA, Trier, 5 November 2012
Thomas Zerdick, LL.M. EU Commission, DG Justice
1. Status of implementation
• Deadline for implementation: 27 November 2010
• Situation on 9 November 2011:
- Fully implemented: 14 MS
- Partially implemented: 9 MS
- Not implemented: 4 MS
2. Scope of implementation
• General data protection legislation: Most MS
• + Criminal Procedure Act: 13 MS
• + Police (Data) Act: 7 MS
• + Specific legislation to implement FD: 3 MS
• Distinction: domestic vs. cross-border?
(Source: MS)
3. More info
• Commission’s report on implementation of the FD: COM(2012) 12 final
• Annex: Commission Staff Working Document: SEC(2012) 75 final
Thank you for your attention! http://ec.europa.eu/justice/data-protection/minisite/index.html
November 12, 2012 1
ERA – Data Protection in the Area of European Criminal Justice Today
Trier, 5-6 November 2012
The new features of the
draft Directive
Prof. Dr. Paul De Hert
Presentation overview
Overview of the Directive
Comparison with the 2008 Framework Decision
Comparison with the 2012 Draft Regulation
Conclusions
Overview of the Directive
• 64 Articles, 54 p.
• Chapter 1: Scope of application
• Chapter 2: Principles of processing
• Chapter 3: Rights of the data subject
• Chapter 4, 6 & 7, 8: Enforcement mechanisms & provisions on remedies, liabilities and sanctions
• Chapter 5: Data transfers
Comparison with the 2008
Framework Decision
More streamlining
• FW Decision: no streamlining with the instruments already in place (Schengen, Europol etc)
• Article 59 Draft Directive: no hierarchy, previously adopted acts within its subject-matter remain unaffected, BUT
-Article 60 Directive asks Member States to amend bilateral agreements as per its provisions
-Article 61 evaluation 3 years (cf. Buttarelli)
• => differentiations from principles and regulations of the Directive increasingly hard to justify
Data protection principles become the rule
• FW Decision: exemptions from almost every data protection principle
• Draft Directive: more balanced approach: although specialized conditions of processing are acknowledged (e.g. Articles 5 and 6), general rules and principles of data protection – rather than exceptions to them – continue to apply
• Remark: wisdom since development towards exchange between LEA and private actors warrants system that resembles Regulation
A chapter on liabilities
• Chapter 8: provisions on remedies, liabilities and sanctions
• Taken from Regulation
• Is new; FD leaves this to MS
Supervisory bodies
• FW Decision: no supervisory body => the data protection principles featured in the instrument have not been incorporated into EU policy-making.
• Draft Directive: enforcement mechanisms
-supervisory authorities at Member State level
-European Data Protection Board (art. 49)
Broader scope of application
• Domestic processing (contrary to FD Cf. CofJ O. Rundfunk)
• Important additions refer to terms of ‘personal data breach’, ‘genetic’ and ‘biometric’ data Cf. Regulation
• Profiling (next slide): this goes beyond processing of personal data, is regulating an investigating tool
• But: nothing on private-LEA exchange (see Buttarelli & den Boer) this contrary to Europol Decision
Profiling (tbc)
• Basis of several EU law enforcement processing activities e.g. VIS or PNR
• BUT: no mention of data protection safeguards for the protection of individuals
• E.g. EU ‘Proposal for a Directive on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime’: single article on data protection (Article 11) says nothing on conditions for ‘assessment of passengers’ procedures as basis of relevant processing
Profiling (tbc)
• FW Decision: no explicit reference to profiling, incidental reference in Articles 7 and 15 by way of automated-decisions on individuals
• Draft Directive also applies to profiling (Articles 9, 11): significant improvement for current regulatory framework
• Draft Directive allows it but under certain conditions (next slide)
Profiling: conditions
• not for sensitive data!
• requires a special law to regulate such processing, to be evaluated against the Directive’s provisions
– individual right to data protection acknowledged in the EU Treaty (Art. 16 TFEU)
– potential accession of the EU to ECHR
• Also Article 6°2 distinction personal data based on facts v. personal data based on assessments
Profiling: definitions
• Attempt to provide definition of profiling in Art. 9: ‘automated processing of personal data intended to evaluate certain personal aspects relating to the data subject’.
• Good definition?
• Differences with art. 20 Regulation
Transparency (tbc)
• Draft Directive: guiding principle in article 4, but only reference in article 10
• Would imply processing by data controllers in easily identifiable and controllable way
• Would imply processing to be open and accessible to the individuals concerned as well as to the data protection authorities and to any third party with an interest in inquiring into its operation and effectiveness
Context: cf. den Boer networked security environment
Transparency: are we there?
• Art. 10 using clear language
• Art. 5 categories of data subjects (Cf. Europol & Recomm. of CoE)
• Requirement for data controllers to engage in prior consultation with supervisory authorities (Art. 26)
• Rules as to data breach notifications (Art. 28 & 29 taken from Art. 30 Regulation)
• Introduction of Data Protection Officers (Art. 30)
Comparison with the 2012
Draft Regulation
Principle
• ‘Detailed explanation’: Draft Directive follows, whenever possible, the provisions of the General Data Protection Regulation and the 1995 Directive
• => positive contribution to the individual right to data protection, finally affording data subjects means to protect their rights effectively.
• BUT (next slides)
Data protection impact assessments
• Draft Regulation: Chapter 4, Section 3
• Draft Directive: lacking
Transparency
• Draft Regulation: central in Chapter III, Section I ‘Transparency and modalities’
• Draft Directive: only reference in article 10
• Art. 14 indirect right to access could be better (Buttarelli): never once and for all
Ideas missed
-right to notification Cf. Information Charter den Boer Comp. art. 11°1 but vague
-Prior consent when data is exchanged or in case of interoperability
Burden of proof
• Draft Regulation: reversal of the burden of proof is not included in Article 22 but is found in various other provisions in its text (for instance, in Articles 7, 12 or even 19).
• Draft Directive: lacking
Conclusions
• Acknowledgment of grave risks for individual data protection created by the networking and profiling societies. See Buttarelli list of 13 bullets ‘What we appreciate at the EDPS’
• Positive measures (regardless whether adequate or not) are taken to address them
• A balanced text that caters to the needs of all its recipients, data controllers (security agencies) and data subjects alike
• More alignment with Draft Regulation is welcome. See Buttarelli list of 7 bullets ‘What we do not appreciate at the EDPS’
OLAF's transfers to third countries and international organisations: what would change?
Laraine Laudati, DPO
European Anti-Fraud Office (OLAF)
November 2012
Outline of presentation
1. Overview of OLAF and its cooperation partners
2. OLAF's implementation of DP Rules governing transfers to 3C/IO
3. What would change under the proposed regulation?
Présentation Powerpoint
11/12/2012
2
1. Overview of OLAF and its cooperation partners
What is OLAF?
The “Office Européen de Lutte Anti-Fraude”
(European Anti-Fraud Office)
A service of the European Commission
Created in 1999
Conducts administrative investigations
Produces reports, often with recommendations
OLAF’s independence
Independent in investigative activities
Director nominated by Commission after
consulting with European Parliament and Council
Director decides on opening/closing investigations
Director may not receive instructions
Supervisory Committee reinforces independence
Oversight by European Parliament and
Commission
OLAF appoints own DPO
OLAF staff
+/-480 persons
85% working on investigative activities
Many with law enforcement background
Investigators/auditors
Police/customs/tax officials
Intelligence analysts
Forensic examiners
Magistrates
OLAF’s partners
Who are OLAF’s partners?
EU institutions, bodies
MS authorities
3C authorities
International organisations
How do they help OLAF?
inform OLAF of matters giving rise to suspicions
cooperate in investigations
receive and (hopefully) implement OLAF
recommendations
Typical cases involving 3C, IO partners
Agriculture
Customs
Direct expenditure
External aid
Location of OLAF's 3C partners
Columns: Agriculture/Customs | Direct Expenditure | Pre-accession funds | External Aid
Asia: Malaysia, Thailand, Vietnam | India, Pakistan, Vietnam
Africa: Egypt, Morocco | Burundi, Cameroon, DR Congo, Ghana, Ivory Coast, Lesotho, Morocco
Eastern Europe: Croatia | Albania, Croatia, Serbia, Macedonia
Middle East: Jordan, Turkey, UAR | Turkey | Israel, Palestine
Tacis countries: Azerbaijan, Belarus, Kazakhstan, Ukraine | Azerbaijan, Georgia, Kazakhstan, Russia, Ukraine
South/Central America: Bolivia, Brazil, Paraguay, Venezuela | Bolivia, Nicaragua, Honduras
Why must OLAF cooperate with
3C/IO partners?
OLAF must investigate in 3Cs, IOs
OLAF has no jurisdiction or coercive powers in 3Cs, IOs
OLAF depends on partners for exchange of information
If investigation reveals wrongdoing, results must be passed to
local prosecutors for implementation of its recommendations
Why transfers of PD are made to
partners
During active case:
Request assistance from an authority
Reply to a request for assistance from an
authority
For use in legal proceedings of recipient
At completion of investigation
For implementation of OLAF recommendations
What type of PD is transferred?
Categories of PD transferred:
Identification data
Professional data
Case involvement data
PD included in:
Interview records
Mission reports
Final case reports
2. OLAF's implementation of DP Rules governing transfers to 3C/IO
OLAF must apply
Article 9 of Regulation 45/2001
3 possibilities:
Adequate level of protection ensured by
recipient in 3C or IO
Adequate safeguards authorised by EDPS
Exceptionally, derogation
Commission findings on adequacy
• Adequacy decisions taken by Commission following consultation with MS reps
• Commission’s adequacy decisions from 1995-2012:
1. Andorra
2. Argentina
3. Australia
4. Canada
5. Switzerland
6. Faeroe Islands
7. Guernsey
8. State of Israel
9. Isle of Man
10. Jersey
11. United States – PNR data; American enterprises that have signed up to Safe Harbour
• These are not very helpful to OLAF, which has few transfers to these countries.
OLAF's first consultation with EDPS
of 3C/IO transfers
2005: OLAF memo to EDPS on 3C/IO transfers in its
cases
2006: EDPS working document with recommendations
2006: OLAF response to recommendations
EDPS found to provide a good basis for establishing
adequate safeguards
OLAF's second consultation with EDPS
concerning 3C/IO transfers
January 2012: OLAF submitted consultation on
revised model DP contractual clauses to be used in
administrative cooperation arrangements
April 2012: EDPS reply with recommendations
June 2012: OLAF's proposal to implement
recommendations
July 2012: EDPS final reply with further
recommendations
OLAF's model DP contractual clauses
Model DP contractual clauses attached to OLAF's Administrative
Cooperation Arrangements (ACAs)
Main provisions:
Definitions
Joint obligations
OLAF obligations
Partner obligations
Resolution of disputes with DS/EDPS
Suspension and termination
Text available at OLAF internet site (http://ec.europa.eu/anti_fraud/policy/international-cooperation/index_en.htm)
Legal status of OLAF DP contractual
clauses
OLAF has no legal personality; no standing to enter
legally binding agreements
Art. 9(7) states that "safeguards may in particular
result from appropriate contractual clauses": Does
this mean legally binding?
Practical solution: OLAF's DP contractual clauses,
annexed to ACAs, not legally binding
Perhaps still under derogation 9(6)(d), but with
maximum protection OLAF can offer
OLAF's ACAs
Pre-2006: none listed
2006-2011 with earlier version of DP clauses:
- Africa: Benin IG; Congo Brazzaville anti-corruption commission; Djibouti IG; Senegal IG; South Africa IG
- Americas: US ATF
- Europe: Macedonia prosecutor
2006-2011 without DP clauses:
- Africa: Congo Brazzaville IG; Morocco customs; Morocco IG
- Asia: Taiwan Customs
2006-2011 with adequacy:
- Americas: Argentina FIA
2012 with new DP clauses:
- Africa: Uganda IG
- IOs: World Bank Integrity Vice Presidency
OLAF's ACAs in the planning stage
- Africa: Angola IG; Burundi prosecutor; Cameroon CCCS; Congo Kinshasa IG and Prosecutor; Ivory Coast CCCS; Kenya ACC; Tunisia CC; Uganda prosecutor and AG; Zambia DEC/ACC
- Middle East: Occupied Palestinian Territories ACC; Syria EC projects AFU
- Americas: Costa Rica CG; Honduras TSC; Paraguay FGE; US DoJ and FBI
- Europe: Georgia IS; Moldova Customs; Russian Ministry of Interior; Russian Customs; Serbian National Bank; Ukraine SCSU
- Asia/Oceania: Afghanistan ACO; Bangladesh EPB; Chinese State Tobacco Monopoly; Kazakhstan AFECC; Australian Customs
- IOs: African Union Commission; African Development Bank; Council of Europe Development Bank; EBRD; EXIM Bank; Global Fund; Interpol; OSCE; UNDP
OLAF's transfers by derogation
Where no ACA, transfer by derogation
OLAF relies on derogation listed in Art. 9(6)(d):
"The transfer is necessary or legally required on
important public interest grounds, or for the
establishment, exercise or defence of legal claims"
OLAF includes "data protection safeguards" in all
transfers based on derogation (but no agreement
from recipient)
OLAF standard workforms
Three different workforms for transfers to 3C, IO,
with different DP transfer clauses
To recipient in 3C/IO with adequacy: limits on use
of PD transferred
To recipient in 3C/IO with ACA: limits on use of PD
transferred + reference to DP contractual clause
requirements
To recipient in 3C/IO with no ACA: limits on use of
PD transferred + list of DP safeguards to be
observed
OLAF's register of transfers
OLAF maintains register of all transfers to 3C/IO in
DP module of CMS
Meta data registered for each transfer:
Recipient type (EU institution/body, MS, 3C, IO)
Name of recipient
Organisation
Address
Means (written, oral, e-mail), with document
attached
Necessity of transfer
DSs to which transfer relates
How many transfers to 3C/IO are made
by OLAF?
DP module report indicates for cases initiated after
1.1.2009:
27 transfers in internal cases
23 transfers involving external aid
2 involving new financial instruments
2 involving customs
3. What would change under the proposed regulation?
More adequacy decisions?
Adequacy (Art. 41):
Requires adequacy decision of the Commission
(comitology: examination procedure)
Finding may apply only to a territory or
processing sector within a 3C
New elements specified for assessing adequacy
Adequacy decisions will also apply to police
cooperation and criminal justice
Appropriate safeguards (Art. 42)
Provided in "legally binding instrument", which may be
Standard DP clauses adopted by Commission (comitology:
examination procedure)
Standard DP clauses adopted by a supervisory authority
(consistency mechanism), validated by Commission
(comitology: examination procedure)
DP contractual clauses with prior authorisation by a
supervisory authority (possible consistency mechanism)
Provided in an instrument which is not legally binding:
DP contractual clauses with prior authorisation by a
supervisory authority (possible consistency mechanism)
Derogations (Art.44)
In the absence of adequacy or appropriate
safeguards, a transfer or set of transfers may take
place on condition that (inter alia):
The transfer is necessary on important grounds of
public interest recognised in EU or MS law;
Commission may further specify (comitology)
The transfer is necessary for the establishment,
exercise or defence of legal claims
New OLAF Regulation
Final compromise text approved in October 2012
Article 10b provides
administrative arrangements may be agreed
between OLAF and competent authorities in 3C
and IO, including exchange of operational
information
OLAF shall keep a record of all transmissions of
PD, including the grounds for the transmission
Thanks for listening!
THE PROPOSED DIRECTIVE ON DATA PROTECTION IN THE AREA OF POLICE AND
JUSTICE: A CLOSER LOOK
The omission of Europol and Eurojust from the draft Directive
Diana Alonso Blas, LL.M. Head of the DP Service/Data Protection Officer
5 November 2012
ERA conference: Data Protection in the Area of European Criminal Justice Today
Data Protection is crucial Eurojust
• Need to receive, store and further process personal data to deal with the cases referred by national authorities
• Very sensitive information on persons subject of a criminal investigation or prosecution, witnesses and victims + persons having been convicted
• Both EJ and the JSB EJ have taken a great interest in this matter which is of crucial importance for the proper protection of the rights of individuals but also for the operation of the organisation.
• Processing personal data is inherent to the core business of Eurojust.
Data Protection after Lisbon Treaty I
•Article 16 of Lisbon Treaty – not only one legal instrument on DP.
•Article 16 of Lisbon Treaty talks about RULES (plural) and about independent supervisory AUTHORITIES (also plural).
•As WP 29 and WP on Police & Justice said, the specific rules in place are there not only because of different legal grounds before Lisbon but also because of the specific content needs.
•This is acknowledged in declaration 21 of Lisbon Treaty!
Data Protection after Lisbon Treaty II
•It is fundamental that the various existing instruments are consistent with each other and offer an equally high level of protection.
•It should by all means not be an exception to the general protection regime.
•The core aspects need to be consistent with the general principles, the obligations and responsibilities of controllers and rights of the data subjects, even where limitations exist.
The Data Protection Regime of Eurojust: robust, effective and tailor-made
Eurojust
Eurojust Decision contains detailed provisions on data protection (Articles 14-25)
Rules of Procedure on the processing and protection of personal data (adopted unanimously by College of Eurojust in October 2004 and by Council in February 2005)
Other European instruments: - Treaty of the EU (Article 6)
- ECHR (Article 8)
- CoE Convention 108
- Charter EU (Articles 7-8)
- Article 16 Treaty of Lisbon
Art.14: Processing of personal data
Art.15: Restrictions on the processing of
personal data
Art.16: CMS, index and temporary work files
Art. 16a: Functioning of temporary work files
and index
Article 16b: Access to the CMS at national level
Art.17: Data Protection Officer
Art.18: Authorised access to personal data
Art.19: Right of access to personal data
Art.20: Correction and deletion of personal data
Art.21: Time limits for the storage of personal
data
Art.22: Data Security
Art.23: Joint Supervisory Body
Art.24:Liability for unauthorised or incorrect
processing of data
Art.25: Confidentiality
New Eurojust Decision of 16 December 2008
reinforces the DP system, defining more
precisely provisions and introducing some
principles of DP RoP in the text .
Title I: Definitions
Title II: Scope of application and structure
Title III: Principles of general application to Eurojust
Title IV: Rules for case-related processing operations
Title V: Rules for non-case-related processing operations
Additional Rules of the Rules of
Procedure to non-case-related operations
(Decision of College of June 2006)
The ongoing DP reform and Eurojust I
• The proposed directive constitutes an improvement but is rather general.
• Eurojust:
- complies with all the same general principles;
- due to the specific nature of its activities, EJ’s legal system is much more detailed and precise;
- offers much more legal certainty to data subjects;
- EJ rules contain additional safeguards for victims and witnesses with strict conditions and time limits for processing of such data;
- defined rules on possible access to the information;
- system of data retention with regular review of compliance;
- obligations to keep the data updated, relevant and not excessive.
• All those rules have been technically implemented in CMS - a good example of “privacy by design”.
• EJ’s rules offer a much higher level of protection than what is proposed by the Commission.
• Legal certainty is key in this field. Specific (not different) rules offer more protection!
The ongoing DP reform and Eurojust II
• Rights of the individuals – specificity of the activities (ongoing investigations or prosecutions)
• Every request is dealt with on a case-by-case basis, taking into account all interests at stake, and efforts are made to provide information whenever possible.
• In a recent Court case, the General Court has praised the way EJ was dealing with data subject requests (judgment of 25 November 2010 in case T-277/10 AJ K v Eurojust):
The General Court of the European Union evaluated very positively the fact that Eurojust had provided the individual information as to the fact that no personal data on him had been processed. The Court found that Eurojust not only duly met the requirements of Article 19(7) of the Eurojust Decision but even exceeded them, since it provided a detailed answer to the applicant’s allegations revealing that no personal data concerning him was processed by Eurojust.
• This is also an example of the fact that data subjects are not deprived of their rights to have judicial review of the decisions taken by EJ.
Need for specific and effective supervision
• EJ has a robust DP system in place, tailor-made to the mandate and tasks of EJ and closely monitored by DPO and JSB.
• The Lisbon treaty refers to independent DP authorities (plural).
• The supervision of processing operations carried out by judicial authorities cooperating in ongoing judicial investigations or prosecutions is often excluded at national level from the scope of the DPAs and, at EU level, the EDPS is also not competent to supervise the ECJ acting in its judicial capacity.
• The proposed Directive also generally excludes these activities from its scope.
• At Eurojust such activities are not excluded from supervision. On the contrary, they are fully monitored by the JSB while respecting the specificity of the judicial powers.
Specialised supervision
• EJ’s present system of specialised supervision works well:
- necessary expertise (judges and DPAs combination, fully independent);
- effective: 3 elected members, meeting regularly (4-5 times a year) at EJ;
- costs about forty thousand euros a year (all in);
- in appeal cases appointees of involved MS are called in to join. It offers a quick and not cumbersome appeal procedure for individuals;
- carries out on the spot supervision: frequent inspections with direct involvement of national DPAs (3 days x five persons inspections);
- full transparency: webpage with regular updates, appeal decisions and reports published and distributed and so forth;
- decisions of JSB are final and binding on Eurojust: quasi judicial nature.
• Data processed by EJ comes from MS and goes back to MS. So it makes sense that national DPAs must be involved in supervision and this is ensured by the JSB appointees.
Conclusions
• Legal certainty is key in this field. Specific (not different) rules offer more protection!
• The JSB is working well, is effective, understands the business of EJ and ensures real compliance with rules in practice, which offer high protection for individuals and increased legal certainty.
• Let’s not mend what is not broken! Should the EC consider any changes: need to evaluate effectiveness and working of existing schemes and discussion with all involved parties needed.
Thanks for your attention!
Questions? Comments?
Diana ALONSO BLAS, LL.M.
Data Protection Officer
Eurojust
Maanweg 174
NL-2516 AB The Hague
Tel: +31 70 412 5510
Fax: + 31 70 412 5505
www.eurojust.europa.eu
INTERPOL For official use only
Accessing Private Sector Data
ERA Conference
Trier, 5-6 November 2012
The need for a common regulation for the police
Overview
A. Accessing private sector data
1. Increase in co-operation
2. Examples of existing co-operation
3. Why useful for investigations?
4. Data protection principles & requirements for legitimate data transfers
B. Need for common regulation for the police
1. Why a need for regulation?
2. Basis in existing guidelines
3. Common regulation
A. Accessing Private Sector Data
1. Increase in Co-operation
• Threat of terrorism & fundamentalism
• Threat of nuclear & biological weapons, as well as cyber attacks
• Increase in cross-border criminality
2. Examples of existing co-operation
Example: Cybercrime
• Evidence needed by the police is often held by the private sector & often in other jurisdictions.
- Cross-border & cross-sector investigations: efficient co-operation is necessary
- Private sector is often the victim, so willingness to co-operate
- Privacy obligations towards customers
- Balance: benefits vs. costs
Example: Cybercrime
The Microsoft Digital Crimes Unit (DCU) aims at disrupting cybercrime through co-operation across industry, law enforcement, academia, government & NGOs worldwide
Case: Zeus botnets
Example: Online Child Abuse Material
• Private data from ISPs and the financial sector can help reduce available material online and save child victims across the world
Example: Online Child Abuse Material
The Financial Coalition Against Child Pornography is an example of a public-private partnership with the financial sector
PayPal, for example, is a member and works closely with US Immigration and Customs Enforcement, the FBI and other regulatory bodies
Results:
- Fewer commercial sites reported
- Higher subscription prices
Example: Camera Surveillance
• Images from private camera surveillance are often transmitted by private sector companies to LEAs for the investigation and prosecution of criminal offences
Example: Camera Surveillance
Case: Minsk metro bombing
Images of the suspects captured by private camera surveillance in the metro station were transferred to LEAs & made public for assistance identifying suspects
3. Why useful for law enforcement investigation?
Why useful for investigation?
• Criminal activity increasingly organized and carried out in the digital environment
• Mass amounts of digital data already generated, collected and stored
• Mainly by private sector parties (ISPs, e-mail providers, SNS,…)
• LEA budget and human resources can be allocated to other purposes
4. Data Protection Principles
General Framework
• Fair & lawful processing
• Purpose specification
! No incompatible use
• Adequacy & proportionality
• Accuracy
• No longer than necessary
• Subject’s rights
• No onward transfer without ALP
Transfer to Police
• Transfer to LEA incompatible use
• Accuracy to be verified, if data accessed from private sector
• Consent not always possible!
• Onward transfer: international treaties & MLA
Requirements for Legitimate Data Transfer
• Required by law
• Court order or warrant issued
• Consent data subject obtained
• Vital interest data subject or 3rd person
• Legitimate interest or public interest
= Task LEA?
Transfer needs to be assessed on a case-by-case basis
Case-by-case Assessment
• Legitimate or public interest balanced against fundamental rights data subject
• Best performed by an independent, third party, such as a judge
- Need for efficient & immediate authorization
• Judge can issue a warrant = legitimate data transfer
• Higher chance of evidence being admissible in a court case
Interoperability?
• No independent assessment = legitimacy can be questioned
• Does not preclude interoperability for systems with built-in privacy & security rules
- Access limitation: specify legal authorization for certain data types
- Data minimization & anonymization
- Allows anonymous analysis of databases to track suspicious links or transfers
- Audit trails
B. Need for a common regulation for the police
1. Why a need for Regulation?
• Need for common regulation for police agencies, even more so as criminality is increasingly cross-border & online
- Facilitation of police co-operation
- Increase of legitimacy data transfers
• Good basis can be found in:
- Human rights guidelines for Internet Service Providers - CoE & EuroISPA
- Guidelines for cooperation between law enforcement and internet service providers against cybercrime – CoE
2. Existing Basis: Human Rights Guidelines
• Identity of users & communication, content and traffic data accessed by them
- no transfer, unless legal duty or following orders from competent public authority in accordance with the law
• Requests from abroad
- through competent authorities of your own country
Existing basis: Co-operation guidelines
• Procedural requirements requests
• Requirements to determine competent authorities & types of data they can access
• Requirement verifiability source of request
• Requirement specific and accurate requests
• Requests in writing: documentary trail for audits
- Transparency & proof: data legitimately obtained and lawfully processed
3. Common Regulation
• Include requirement of case-by-case assessment by an impartial third party when no other legitimate ground for transfer
- Warrant: need for efficient & rapid authorization
- Increase of admissibility evidence
• Include requirement of interoperable systems to have built-in privacy and security safeguards
Common Regulation
• Evaluation of the reliability of a private sector party
- Private sector data can also be evaluated and labelled or scored according to its accuracy and relevancy, for example with the 4X4 system
- Increase of data accuracy and data quality in general, especially since data subject of an on-going investigation can rarely access or correct personal information
Thank you!
Law enforcement access to Eurodac: the Commission’s proposal adopted on 30 May 2012
Priscilla de Locht
ERA conference
6 November 2012
1. What is EURODAC?
2. History of EURODAC recast
3. The 2012 proposal from a data protection perspective
4. Provisions on law enforcement access and data protection safeguards
1. What is Eurodac?
• Large DB of fingerprints
• Asylum Purpose
• Central DB + communication infrastructure
• Three categories of individuals
• Hit/no hit system
2. History
• December 2008: higher degree of harmonisation and better standards of protection for the CEAS
• September 2009: bridging clause to allow access for LE purposes and proposal for a Council Decision spelling out the modalities of such access
• October 2010: removal of LE access
• May 2012: new proposal
3. The current proposal: A Data Protection perspective
a) Lack of a new critical impact assessment
b) Need to first implement and evaluate existing instruments
c) Risk of stigmatization of a vulnerable group of people
d) Worrisome trends of “function creep”
3.a) Lack of new critical impact assessment
• Impact assessment of 2008 and 2009 still valid?
• Two reasons why not:
1. results not relevant (2008) or convincing (2009)
2. out of date
• No fundamental rights impact assessment
3.b) Need to first implement and evaluate existing instruments
3.c) Risk of stigmatization of a vulnerable group of people
3.d) Worrisome trends of “function creep”
Terrorists?
4. Provisions on LE access and DP safeguards
• MS law enforcement authorities access if:
- Prior check under Prüm
- Necessary for the prevention, detection or investigation of terrorist or other serious criminal offences
- In a specific case (no systematic comparison)
- Reasonable grounds
• EUROPOL access if:
- Necessary for the performance of its tasks
- Necessary for the purposes of a specific analysis or an analysis of a general nature and of a strategic type
• Designated and verifying authorities
Need for more effective safeguards, e.g.:
• clear indication that the perpetrator has applied for asylum
• Verification truly independent; preferably a judicial authority
• Same conditions of access for EUROPOL as for MS
Conclusion
• Eurodac: large database of fingerprints of asylum applicants and illegal immigrants
• Amendments to Eurodac Regulation are not new
• The 2012 Commission’s proposal: truly necessary and proportionate?
• Should the necessity and proportionality be demonstrated, more effective safeguards are needed.
European Data Protection Supervisor
Trier 5-6 November 2012
Revising the data retention Directive:
Just do it and do it now!
Herke Kranenborg
What is the problem?
I. Data retention as such
II. Data retention as laid down in the Data Retention Directive
I. Data retention as such
EDPS 3-12-2010 (www.edps.europa.eu)
The most privacy invasive instrument ever adopted by the EU in terms of scale and the number of people it affects.
EDPS 3-12-2010 (www.edps.europa.eu)
This needs profound justification. The evaluation should be used to prove the strict necessity of the measure.
EDPS 3-12-2010 (www.edps.europa.eu)
The evaluation is the “moment of truth” for the Data Retention Directive!
3-12-2010 (through rapid)
3-12-2010 (through rapid)
Data retention is here to stay!
3-12-2010 (through rapid)
There is no evidence that it has led to serious abuse in any concrete cases.
18 April 2011: Evaluation report of the Commission
‘Most Member States take the view that EU rules on data retention remain necessary as a tool for law enforcement.’
31 May 2011: EDPS Opinion on the report
‘the necessity of data retention as provided for in the Data Retention Directive has not sufficiently been demonstrated’
II. Data retention as laid down in the Data Retention Directive
• Data retention is an exception:
– See Article 15(1) of the ePrivacy Directive
• This exception is harmonised with the Data Retention Directive
However
• Only the obligation to retain data has been (more or less) harmonised and the legitimate aim has been (sort of) indicated.
• Commission report:
– ‘The responsibility for ensuring [the right to privacy and the right to data protection] are upheld lies with the Member States’.
• This is problematic: how to assess whether the measure is proportionate?
• The safeguards are to be put in place at national level
• Member States cannot choose not to retain data
• And: Member States can even decide to use this data for another purpose!
– The ‘legal loophole’
– See the Evaluation Report of the Commission and the CJEU ruling in Bonnier Audio of 19 April 2012 (C-461/10)
• EDPS Opinion of 2011:
‘The Data Retention Directive lacks foreseeability’.
• So, that’s what is wrong with the Directive…
• Moreover: the evaluation report makes clear the instrument failed from an internal market perspective!
What is the solution?
• Demonstrate necessity of data retention as such!
• If demonstrated: any revised Directive should be
– complete and
– exhaustive
• Cover and clarify all aspects of the measure and close the legal loophole
What is the problem?
• Why is the revision postponed?
• Article 15 ePrivacy and the reform process…
• Two cases before the court might change the ‘default setting’
– C-293/12 (DRI) and C-329/12 (Com/Germany)
Any questions?
Thanks for your attention!
EDPS website: www.edps.europa.eu
https://twitter.com/#!/EU_EDPS
Herke Kranenborg
ERA Conference on Data Protection in the Area of European Criminal Justice
Trier 5-6 November 2012
SUBJECT: STATE OF PLAY OF THE DATA RETENTION DIRECTIVE
The Commission adopted on 18 April 2011 a report on the evaluation of the Data Retention Directive (Directive 2006/24/EC). In the light of this report, the Commission said that it would propose a revision of the current data retention framework. In its Action Plan implementing the Stockholm Programme, the Commission announced a revision proposal for 2012.
In the Commission's evaluation report evidence provided by Member States and Europol so far has vindicated the value of the measure for combating serious crime. The Commission has continued to press Member States to provide credible and comparable statistics and case studies to demonstrate this. Law enforcement and judicial authorities throughout the EU have repeatedly emphasised the importance of this guarantee that data will be available if there is a need.
Also in the report, the Commission indicated that a number of aspects of the data retention framework needed improvement to address, in particular, some of the concerns about proportionality and safeguards for the rights to privacy and protection of personal data, and the burden it placed on economic operators.
These aspects, set out clearly in the evaluation report, have been further examined since: for instance, a reduced and more harmonised data retention period; a scope which is clear and exhaustive in terms of the types of data to be retained and the purposes for which data may be used; clear and consistent minimum standards for access and use of the data; better accountability on the part of authorities for the data which they access, and the statistics that they provide to demonstrate why accessing those data was necessary; a consistent approach to reimbursing operators' costs.
Furthermore, there needs to be coherence between the obligation to require data retention - in the Data Retention Directive – and the possibility for Member States to require or to allow data retention – which is provided for by the e-Privacy Directive. A proper reform proposal needs to ensure that data retained in application of the Data Retention Directive cannot be used for other purposes than those provided for in the Data Retention Directive. Currently Member States have this option pursuant to the e-Privacy Directive.
Since the evaluation, the Commission has consulted stakeholders in law enforcement, the judiciary, industry, data protection authorities, consumer groups, NGOs and Member States on possible options for amending the framework. Several workshops were held in 2011, and a set of questions were published on the DG Home Affairs website.[1] Discussions have also taken place in Council working groups and in the Commission's expert group on data retention.[2]
As has been pointed out during those workshops by stakeholders in industry and the data protection community, as well as numerous NGOs campaigning for the protection of privacy and concerned professional groups including journalists and lawyers, data retention has a significant impact on the right to privacy and the protection of personal data, and is burdensome for service providers especially SMEs.
Opinions about the need for data retention in principle and the effectiveness of the Data Retention Directive specifically are starkly divided. Most if not all Member States, and all police and judiciary consulted, appear to support the current framework and to oppose any reform on the grounds that it would weaken their capability to investigate and prosecute serious crime. Industry stakeholders seek at least limited changes, while the current situation is strongly criticised by data protection stakeholders, and by privacy advocates some of whom believe that data retention should be prohibited altogether.
The Commission has been consistent on data retention, ever since it tabled its original proposal for a directive in 2005. In that proposal, the Commission acknowledged that telecommunications data were an integral part of evidence gathering in investigations and prosecutions of very serious crimes, and that such data could be crucial in serving the needs of justice and protecting victims against harm.
It was, and remains, necessary to guarantee that, within the bounds of proportionality and subject to appropriate controls and safeguards, these data will be available for a limited period of time if police and prosecutors need to access them. The limitations and procedures for data retention should be as harmonised as possible to minimise the negative impact on the internal market, while at the same time respecting the legitimate and varying requirements of national circumstances.
Although the Commission continues to believe that data retention is a necessary measure for combating serious crime, it also acknowledges that there are considerable concerns that have been raised by a number of stakeholders to which the adequate solution is to reform the Directive.
Besides those mentioned earlier (a need for a reduced and more harmonised data retention period, for a clearer, exhaustive scope of the types of data to be retained and the purposes for which data may be used, and for consistent minimum standards for access and use of the data) there is also a need to address the possibility, under Directive 2002/58/EC (the 'e-Privacy Directive'), for Member States to apply data retention in ways and for purposes which go beyond those regulated by the Data Retention Directive. The Commission has already announced that it will analyse the need to review the e-Privacy Directive once the new general data protection framework is stable.
[1] http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/police-cooperation/data-retention/index_en.htm
[2] http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/police-cooperation/data-retention/experts-group/index_en.htm
Amendment of the e-Privacy Directive thus is only likely to take place once there is greater clarity as to the outcome of deliberations within and between the Parliament and the Council on the Commission's proposal for reforming the data protection framework. Therefore, the Commission intends to present a coherent reform, for which at present there is no precise timetable. So the reform will not be for this year as announced in its Action Plan implementing the Stockholm Programme.
The Commission will therefore continue working towards a reform of the Data Retention Directive, to be presented at the same time as a future revision of the e-Privacy Directive, if the latter is opened for review. In bringing this work forward, the Commission will take full account of the ongoing discussions on the general data protection reform.
The Commission will also continue to focus on implementation of the Directive. All but two Member States have now transposed the Directive following a number of infringement cases.
Given the technical and legal complexity and political sensitivity of data retention, and the early stage of discussions on the draft Data Protection Regulation, it is likely to take some time before the Commission is in a position to make such proposals.
Scheme of the Data Retention Directive
Participants may find it helpful to have an explanation of the scheme of Directive 2006/24, in particular in the light of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data and Directive 2002/58 concerning the processing of personal data and the protection of privacy in the electronic communications sector.
Directive 95/46 lays down rules relating to the processing of personal data in order to protect the rights of individuals in that respect, while at the same time ensuring the free movement of those data in the European Union. However, it provides in Article 3(2) that it does not apply to the processing of personal data "in the course of an activity which falls outside the scope of EU law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case the processing operations concerning public security, defence, State security…and the activities of the State in areas of criminal law".
Article 13 of Directive 95/46/EC allows for the exemption from certain data protection provisions for reasons of national security, defence and public security and prevention, investigation, detection and prosecution of criminal offences.
Directive 2002/58 was adopted with a view to supplementing Directive 95/46 by provisions specific to the telecommunications sector. It is expressed to particularise and complement Directive 95/46 and, like that Directive, does not apply to activities falling outside the scope of the Treaty, in particular the activities of the State in areas of criminal law (Article 1).
Article 15 of Directive 2002/58/EC allows for the exemption from certain data protection provisions for reasons of national security, defence and public security and prevention, investigation, detection and prosecution of criminal offences.
Article 5(1) inter alia requires Member States to ensure the confidentiality of communications and related traffic data. In particular, it requires Member States to prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and related traffic data except when legally authorised to do so in accordance with Article 15(1).
Article 15(1) of Directive 2002/58 provides for a derogation in that it permits Member States to restrict certain rights and obligations in Articles 5, 6, 8 and 9 of the Directive inter alia when such a restriction is a necessary, appropriate and proportionate measure for the "prevention, investigation, detection and prosecution of criminal offences".
As is recorded in recitals 5 to 11 of the preamble to Directive 2006/24, several Member States had adopted legislation in reliance on Article 15 of Directive 2002/58, providing for the retention of data by service providers for the prevention, investigation, detection and prosecution of criminal offences; such provisions varied considerably, which in turn caused obstacles to the internal market for electronic communications, as the Court itself acknowledged in Case C-301/06, Ireland v European Parliament and Council[3]. At the same time, the Conclusions of the Justice and Home Affairs Council of 19 December 2002 underlined that data relating to the use of electronic communications were a valuable tool in the prevention, investigation, detection and prosecution of criminal offences, in particular organised crime[4].
[3] 2009 ECR I-593, in particular at paragraphs 63-72.
Article 1 of Directive 2006/24 specifies that its aim is to harmonise Member States' provisions concerning providers' obligations with regard to the retention of data for the purpose of the investigation, detection and prosecution of serious crime.
Article 3 provides a derogation from Articles 5, 6 and 9 of Directive 2002/58 by requiring Member States to ensure that certain categories of data (specified in Article 5 of Directive 2006/24) are retained by service providers.
Article 5 specifies the categories of fixed line and mobile telephony and internet-related data that are to be retained. The Directive does not authorise retention of data revealing the content of the communication (Article 5(2)).
Article 6 requires Member States to ensure that the data are retained for not less than 6 months and not more than two years from the date of the communication.
Article 11 makes a consequential amendment to Article 15 of Directive 2002/58 in that it disapplies paragraph 1 thereof to data specifically required by Directive 2006/24 to be retained.
Like Directive 2002/58, Directive 2006/24 is based on Article 95 EC (now Article 114 TFEU) and is thus to be seen predominantly as an internal market measure. A challenge to the choice of the legal basis was dismissed by the European Court of Justice in Ireland v Parliament and Council, in which the Court held as follows:
80. In that connection, the provisions of Directive 2006/24 are essentially limited to the activities of service providers and do not govern access to data or the use thereof by the police or judicial authorities of the Member States.
81. More specifically, the provisions of Directive 2006/24 are designed to harmonise national laws on the obligation to retain data (Article 3), the categories of data to be retained (Article 5), the periods of retention of data (Article 6), data protection and data security (Article 7) and the conditions for data storage (Article 8).
82. By contrast, the measures provided for by Directive 2006/24 do not, in themselves, involve intervention by the police or law-enforcement authorities of the Member States. Thus, as is clear in particular from Article 3 of the directive, it is provided that service providers are to retain only data that are generated or processed in the course of the provision of the relevant communication services. Those data are solely those which are closely linked to the exercise of the commercial activity of the service providers.
83. Directive 2006/24 thus regulates operations which are independent of the implementation of any police and judicial cooperation in criminal matters. It harmonises neither the issue of access to data by the competent national law-enforcement authorities nor that relating to the use and exchange of those data between those authorities. Those matters, which fall, in principle, within the area covered by Title VI of the EU Treaty, have been excluded from the provisions of that directive, as is stated, in particular, in recital 25 in the preamble to, and Article 4 of, Directive 2006/24.
84. It follows that the substantive content of Directive 2006/24 is directed essentially at the activities of service providers in the relevant sector of the internal market, to the exclusion of State activities coming under Title VI of the EU Treaty.
[4] On the background to Directive 2004/24, see generally the judgment in Ireland v European Parliament and Council, supra, in particular at paragraphs 7-11.
Thus, to summarise, Directive 2006/24 primarily provides for a solution to the internal market problem caused by divergent utilisation by the Member States of the derogation facility in Article 15 of Directive 2002/58 by providing for minimum harmonisation of the periods during which the data set out in Article 5 must be retained. At the same time, it aims to ensure, for the purposes of law enforcement in the Member States, that data are retained in all Member States and that they are made available to law enforcement authorities for a certain period [5].
Directive 2006/24 simply requires the Member States to adopt measures to ensure that the data specified in Article 5 thereof are retained for a minimum period of six months and a maximum of two years. By contrast, the Directive does not authorise retention of data revealing the content of the communication. Nor does it contain any provisions regarding access to those data, other than to stipulate that they are "available for the purpose of the investigation, detection and prosecution of serious crime" (Article 1(1)) and that the procedures and conditions relating to access are regulated by national law, including, where relevant, other EU law provisions and international law (Article 4).
[5] Recital 9 of the preamble.