speakers’ contributions - vrije universiteit brussel · the eu’s current data protection...

SPEAKERS’ CONTRIBUTIONS DATA PROTECTION IN THE AREA OF EUROPEAN CRIMINAL JUSTICE TODAY Trier, 5-6 November 2012 312D122

Upload: lamtu

Post on 03-May-2018


Page 1: SPEAKERS’ CONTRIBUTIONS - Vrije Universiteit Brussel · The EU’s current data protection framework in the field ... networked security environments Public-private data exchange

SPEAKERS’ CONTRIBUTIONS

DATA PROTECTION IN THE AREA OF EUROPEAN CRIMINAL JUSTICE TODAY

Trier, 5-6 November 2012 312D122


SPEAKERS’ PRESENTATIONS

1. Calling for reform? The EU’s current data protection framework in the field of criminal justice

Monica den Boer

2. A robust reform? The EU’s data protection package for police and justice

Giovanni Buttarelli

3. Which law to apply? Status and scope of implementation of the 2008 Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters

Thomas Zerdick

4. The new features of the draft Directive

• A wider scope: domestic processing

• New concepts, definitions, and additional principles

• The role of data protection authorities

• Transfer of data to third states: improved assessment

Paul de Hert

5. OLAF's transfers to third countries and international organisations by means of adequate safeguards: what would change?

Laraine Laudati

6. The proposed directive on data protection in the area of police and justice: a closer look: The omission of Europol and Eurojust from the draft Directive

Diana Alonso Blas

7. Accessing private-sector data: the need for common regulations for the police

Caroline Goemans-Dorny

8. Law enforcement access to Eurodac: the Commission’s proposal of 30 May 2012

Priscilla de Locht

9. Put to the test: state of play of the Data Retention Directive

• The Directive’s validity before the CJEU

• The German and Romanian court rulings

• The Commission’s impact assessment on future options

Herke Kranenborg and Cecilia Verkleij


Calling for a Reform? The EU Current Data Protection Framework in the Field of Criminal Justice

ERA, Trier, 5/11/12


Trends & Developments

Principle of availability – Swedish Framework Decision – direct interface

Interoperability & Multi-agency co-operation; networked security environments

Public-private data exchange

Technological innovation & interface

Expansion of the number of authorized users in international data exchange environment (enlargement)

Precautionary security (proactive monitoring / surveillance / risk assessment)

Digitalization of entry / exit / border controls


EU Data Protection Framework Long Overdue

Why?

• Most, if not all, regulatory instruments on police and judicial co-operation relate to information and/or intelligence exchange

• Since the early nineties, a considerable number of international data-bases have been established: SIS, EIS, VIS, Eurodac

• Number of surveillance instruments in the EU has significantly expanded: Data Retention, Interception of telecommunication, TFTP – SWIFT, PNR


Challenges for a Data Protection Framework

Multi-level governance: local, regional, national, international

Different data protection cultures & standards, between countries (citizens, oversight mechanisms) & between sectors

• Some MS lack framework legislation, e.g. The Netherlands

Data protection is seen as an obstacle rather than a facilitator (by police officers)

Or is data protection a smoke-screen for non-cooperation (lack of trust / reciprocity?)

Data protection as an issue for training, professionalization and ethics

Purposes of data-gathering and -exchange practices have been geared towards aggregating state knowledge about sizeable parts of the population

By searches on the basis of specific characteristics and by means of data- and text-mining techniques (Foucault).


Formal Guarantees & Outlook

Leading principles:

• Council of Europe Recommendation

• Article 8 ECHR

• Article 7 Fundamental Rights Charter

• Former EU Data Protection Directives (1995, 1996)

The Lisbon Treaty and the Stockholm AFSJ Action Programme enshrine data protection as a fundamental right in the EU Charter, making it binding for EU-institutions

The Stockholm Programme called for a new comprehensive legal framework in its chapter on the fundamental right of the citizen

Article 16 TFEU creates a general and horizontal basis for data protection

The strengthened role of the EU-institutions – Commission, Court and Parliament – will enhance checks and balances, also in data protection terms


Data Protection Concerns

Increased volume of data (proportionality)

Use of data systems for newly arising policy objectives (finality)

The vast number of authorized users in an increasingly multi-disciplinary environment (access & authorization)

Interlinking massive data-bases (subsidiarity, proportionality)

The differentiation in data quality standards between the Member States (quality control)

The lack of judicial redress for the submission and handling of individual complaints (procedural safeguards, fair trial)

Issues of proportionality and subsidiarity have been addressed in the proposed Data Protection Directive


Recommendations (I)

Select before you collect -> change from information quantity to information quality.

Surveillance measures should only be used when (externally) evaluated as effective -> proven effectiveness; avoidance of function creep

Sunset-clauses should be introduced for each new surveillance measure, allowing parliaments and civil oversight bodies (to propose) to withdraw the relevant measure -> proven effectiveness, efficiency and proportionality. Sunset-clauses may help to prevent mission-creep in the policy use of ICT-technology.

Encryption of personal data in networked environments -> data integrity in surveillance contexts

No interconnection between electronic databases -> interoperability only when categories of data are shielded.

Data should not migrate between authorities, services and data-bases without approval of the individual who is the owner of the data -> prior consent, informationelle Selbstbestimmung.

Retention of data should also be based on individual consent.


Recommendations (II)

Information rights are pivotal. The EU should introduce an Information Charter, imposing norms on public and private authorities in the EU Member States.

Independent oversight: 9 March 2010 EU Court of Justice ruled on criteria for the independence of data protection authorities under European Union law. This is one of the cornerstones of data protection.

Accountability procedures for the authority that performs the surveillance and judicial redress for individuals.

Professionals who are endowed with surveillance powers should receive ethics and data protection training at several stages throughout their career.

(Organisational) transparency about surveillance instruments and the processes employed for data-gathering; the decisions which are based on data-collection and data-analysis


Concluding Notes and Outlook

Comprehensive legal framework proposed by the European Commission; consultation rounds.

New surveillance measure should be assessed and scrutinized prior to its introduction -> pre-assessment check / impact assessments: prior checking by the EDPS

EP should require that a risk-impact assessment for all e-activities and R&D includes high specification technical provisions to safeguard privacy

The Stockholm Programme proposed a so-called certification scheme for privacy-aware technologies, products and services.

Governmental restraint (based on classic data protection principles finality, proportionality and subsidiarity) should be exercised in the mass collection of data

Public Debate!


The EU’s data protection for police and justice

Need for robust reform

Giovanni Buttarelli ERA, 5 November 2012


A new data protection framework

Reasons for a substantive reform

• Increased transnational flows of data to be facilitated while ensuring adequate protection

• Institutional changes: the Lisbon Treaty (Article 16/Declaration 21) and the Charter

• A fragmented legal framework at EU level: need for more harmonisation and new coherent and uniformly applied EU rules

• Legal certainty

• Need for a change on processing of personal data for police and judicial co-operation

• Technological changes


General Assessment

The new Data Protection framework is a huge step forward for DP in the EU:

-Enhances harmonisation of data protection

-Reinforces position and rights of data subjects

-Makes controllers more accountable

-Strengthens supervision and enforcement


Lack of comprehensiveness:

- The Regulation and the Directive taken together do not create a comprehensive DP framework


New data protection framework

- The Chapeau Communication

- The draft Regulation

- The draft Directive for law enforcement


Proposal for a DP Directive for law enforcement purposes


Area of police and judicial cooperation in criminal matters requires:

- High level of protection due to intrusive nature and major impact on the individual’s life

- Equal protection for all data subjects in all MS

- That every departure from general DP rules is duly justified and based on proper balance


What we appreciate at the EDPS

• The objectives of the reform

• COMM says that EU needs a more comprehensive approach

• The scope of application of the Directive

• Subsidiarity and proportionality tests

• Transparency and data protection policies

• Distinctions between categories of data subjects

• Distinctions about categories of data

• Rights of data subjects

• Privacy by design and by default

• The obligation to notify personal data breaches

• The intervention of a supervisory authority in case of restrictions of data subjects rights

• Data Protection Officers


What we regret

• A Directive as a self standing legal instrument

• The global level of data protection

• Definitions and ambiguities

• Lack of clarity about rules applicable to transfers of data between LAB and other authorities or private entities

• No specific attention to the position of children

• Lack of comprehensiveness

• Specific acts on police/judicial co-operation in criminal matters remain unaffected

• Absence of any obligation to demonstrate compliance with the Directive


DP instruments in Area FSJ:

– DPFD

– Council Decision on Prüm + Implementing Decision

– ‘Swedish’ Framework Decision

– Europol-Decision

– Eurojust-Decision

– Criminal Records + ECRIS-System

– PNR-Agreements, TFTP-Agreement

– SIS, VIS, Eurodac

– Data retention


New instruments announced:

• Action Plan Stockholm Programme, incl. Information Management Strategy

• EU PNR

• EU TFTS

• Entry-Exit, Registered Travellers

• Law enforcement access to Eurodac

• Revision data retention directive

• Review Europol framework


A global framework?

• Until Lisbon, only supervisory competence for First Pillar.

• Now also ex 2nd + 3rd former pillars, but not replacing specific bodies (JSBs)

• Coordinated supervision for CIS, VIS, Eurodac and in future SISII

• Consultative role also in ex 2nd and 3rd former pillars

• International aspects: Comprehensive protection, also in relation with US: ‘General Agreement on its way.’


Other issues to be discussed

• A reform as a package. Timing

• The notion of ‘competent authority’

• The purpose limitation principle

• Provisions on special categories of data

• Unduly limited powers of supervisory authorities

• Supervision on judicial authorities

• Recipients in third countries

• EU institutions and bodies

• Delegated acts and implementing acts


What we encourage

• Increase the level of data protection

• More clarity on definitions and on all substantive principles

• Ensure that controllers demonstrate compliance for each processing operation

• Improve evaluation mechanisms for assessments on necessity and proportionality

• Better define and apply limitations and exceptions to fundamental rights

• Data quality: storage periods and periodic reviews

• Better align powers of supervisory authorities in the Regulation and in the Directive. DPAs are to be better consulted

• A stricter deadline to amend existing legal instruments


Conclusion

The proposed rules for data protection in the law enforcement area are unacceptably weak.

In many instances there is no justification whatsoever for departing from the rules provided in the proposed Regulation.

The law enforcement area requires some specific rules, but not a general lowering of the level of data protection.


Thank you for your attention


Status and scope of implementation of FD 2008/977/JHA

ERA, Trier, 5 November 2012

Thomas Zerdick, LL.M. EU Commission, DG Justice


1. Status of implementation

• Deadline for implementation: 27 November 2010

• Situation on 9 November 2011:

Fully implemented: 14 MS

Partially implemented: 9 MS

Not implemented: 4 MS


2. Scope of implementation


• General data protection legislation: Most MS

• + Criminal Procedure Act: 13 MS

• + Police (Data) Act: 7 MS

• + Specific legislation to implement FD: 3 MS

• Distinction: domestic vs. cross-border?

(Source: MS)


3. More info


• Commission’s report on implementation of the FD: COM(2012) 12 final

• Annex: Commission Staff Working Document: SEC(2012) 75 final


Thank you for your attention! http://ec.europa.eu/justice/data-protection/minisite/index.html


November 12, 2012 1

ERA – Data Protection in the Area of European Criminal Justice Today

Trier, 5-6 November 2012

The new features of the draft Directive

Prof. Dr. Paul De Hert


Presentation overview

Overview of the Directive

Comparison with the 2008 Framework Decision

Comparison with the 2012 Draft Regulation

Conclusions


Overview of the Directive

• 64 Articles, 54 p.

• Chapter 1: Scope of application

• Chapter 2: Principles of processing

• Chapter 3: Rights of the data subject

• Chapter 4, 6 & 7, 8: Enforcement mechanisms & provisions on remedies, liabilities and sanctions

• Chapter 5: Data transfers


Comparison with the 2008 Framework Decision


More streamlining

• FW Decision: no streamlining with the instruments already in place (Schengen, Europol etc)

• Article 59 Draft Directive: no hierarchy, previously adopted acts within its subject-matter remain unaffected, BUT

-Article 60 Directive asks Member States to amend bilateral agreements as per its provisions

-Article 61 evaluation 3 years (cf. Buttarelli)

• => differentiations from principles and regulations of the Directive increasingly hard to justify


Data protection principles become the rule

• FW Decision: exemptions from almost every data protection principle

• Draft Directive: more balanced approach: although specialized conditions of processing are acknowledged (e.g. Articles 5 and 6), general rules and principles of data protection – rather than exceptions to them – continue to apply

• Remark: wisdom since development towards exchange between LEA and private actors warrants system that resembles Regulation


A chapter on liabilities

• Chapter 8: provisions on remedies, liabilities and sanctions

• Taken from Regulation

• Is new; FD leaves this to MS


Supervisory bodies

• FW Decision: no supervisory body => the data protection principles featured in the instrument have not been incorporated into EU policy-making.

• Draft Directive: enforcement mechanisms

-supervisory authorities at Member State level

-European Data Protection Board (art. 49)


Broader scope of application

• Domestic processing (contrary to FD Cf. CofJ O. Rundfunk)

• Important additions refer to terms of ‘personal data breach’, ‘genetic’ and ‘biometric’ data Cf. Regulation

• Profiling (next slide): this goes beyond processing of personal data, is regulating an investigating tool

• But: nothing on private-LEA exchange (see Buttarelli & den Boer) this contrary to Europol Decision


Profiling (tbc)

• Basis of several EU law enforcement processing activities e.g. VIS or PNR

• BUT: no mention of data protection safeguards for the protection of individuals

• E.g. EU ‘Proposal for a Directive on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime’: single article on data protection (Article 11) says nothing on conditions for ‘assessment of passengers’ procedures as basis of relevant processing


Profiling (tbc)

• FW Decision: no explicit reference to profiling, incidental reference in Articles 7 and 15 by way of automated-decisions on individuals

• Draft Directive also applies to profiling (Articles 9, 11): significant improvement for current regulatory framework

• Draft Directive allows it but under certain conditions (next slide)


Profiling: conditions

• not for sensitive data!

• requires a special law to regulate such processing, to be evaluated against the Directive’s provisions

– individual right to data protection acknowledged in the EU Treaty (Art. 16 TFEU)

– potential accession of the EU to ECHR

• Also Article 6°2 distinction personal data based on facts v. personal data based on assessments


Profiling: definitions

• Attempt to provide definition of profiling in Art. 9: ‘automated processing of personal data intended to evaluate certain personal aspects relating to the data subject’.

• Good definition?

• Differences with art. 20 Regulation


Transparency (tbc)

• Draft Directive: guiding principle in article 4, but only reference in article 10

• Would imply processing by data controllers in easily identifiable and controllable way

• Would imply processing to be open and accessible to the individuals concerned as well as to the data protection authorities and to any third party with an interest in inquiring into its operation and effectiveness

Context: cf. den Boer networked security environment


Transparency: are we there?

• Art. 10 using clear language

• Art. 5 categories of data subjects (Cf. Europol & Recomm. of CoE)

• Requirement for data controllers to engage in prior consultation with supervisory authorities (Art. 26)

• Rules as to data breach notifications (Art. 28 & 29 taken from Art. 30 Regulation)

• Introduction of Data Protection Officers (Art. 30)


Comparison with the 2012 Draft Regulation


Principle

• ‘Detailed explanation’: Draft Directive follows, whenever possible, the provisions of the General Data Protection Regulation and the 1995 Directive

• => positive contribution to the individual right to data protection, finally affording data subjects means to protect their rights effectively.

• BUT (next slides)


Data protection impact assessments

• Draft Regulation: Chapter 4, Section 3

• Draft Directive: lacking


Transparency

• Draft Regulation: central in Chapter III, Section I ‘Transparency and modalities’

• Draft Directive: only reference in article 10

• Art. 14 indirect right to access could be better (Buttarelli): never once and for all

Ideas missed

-right to notification Cf. Information Charter den Boer Comp. art. 11°1 but vague

-Prior consent when data is exchanged or in case of interoperability


Burden of proof

• Draft Regulation: reversal of the burden of proof is not included in Article 22 but is found in various other provisions in its text (for instance, in Articles 7, 12 or even 19).

• Draft Directive: lacking


Conclusions

• Acknowledgment of grave risks for individual data protection created by the networking and profiling societies. See Buttarelli list of 13 bullets ‘What we appreciate at the EDPS’

• Positive measures (regardless whether adequate or not) are taken to address them

• A balanced text that caters to the needs of all its recipients, data controllers (security agencies) and data subjects alike

• More alignment with Draft Regulation is welcome. See Buttarelli list of 7 bullets ‘What we do not appreciate at the EDPS’


OLAF's transfers to third countries and international organisations: what would change?

Laraine Laudati, DPO

European Anti-Fraud Office (OLAF)

November 2012


Outline of presentation

1. Overview of OLAF and its cooperation partners

2. OLAF's implementation of DP Rules governing transfers to 3C/IO

3. What would change under the proposed regulation?

Présentation Powerpoint

11/12/2012

2


1. Overview of OLAF and its cooperation partners


What is OLAF?

The “Office Européen de Lutte Anti-Fraude” (European Anti-Fraud Office)

A service of the European Commission

Created in 1999

Conducts administrative investigations

Produces reports, often with recommendations


OLAF’s independence

Independent in investigative activities

Director nominated by Commission after consulting with European Parliament and Council

Director decides on opening/closing investigations

Director may not receive instructions

Supervisory Committee reinforces independence

Oversight by European Parliament and Commission

OLAF appoints own DPO


OLAF staff

+/-480 persons

85% working on investigative activities

Many with law enforcement background

Investigators/auditors

Police/customs/tax officials

Intelligence analysts

Forensic examiners

Magistrates


OLAF’s partners

Who are OLAF’s partners?

EU institutions, bodies

MS authorities

3C authorities

International organisations

How do they help OLAF?

inform OLAF of matters giving rise to suspicions

cooperate in investigations

receive and (hopefully) implement OLAF recommendations


Typical cases involving 3C, IO partners

Agriculture

Customs

Direct expenditure

External aid


Location of OLAF's 3C partners

Case types (columns): Agriculture/Customs; Direct Expenditure; Pre-accession funds; External Aid

Asia: Malaysia, Thailand, Vietnam | India, Pakistan, Vietnam

Africa: Egypt, Morocco | Burundi, Cameroon, DR Congo, Ghana, Ivory Coast, Lesotho, Morocco

Eastern Europe: Croatia | Albania, Croatia, Serbia, Macedonia

Middle East: Jordan, Turkey, UAR | Turkey | Israel, Palestine

Tacis countries: Azerbaijan, Belarus, Kazakhstan, Ukraine | Azerbaijan, Georgia, Kazakhstan, Russia, Ukraine

South/Central America: Bolivia, Brazil, Paraguay, Venezuela | Bolivia, Nicaragua, Honduras


Why must OLAF cooperate with 3C/IO partners?

OLAF must investigate in 3Cs, IOs

OLAF has no jurisdiction or coercive powers in 3Cs, IOs

OLAF depends on partners for exchange of information

If investigation reveals wrongdoing, results must be passed to local prosecutors for implementation of its recommendations


Why transfers of PD are made to partners

During active case:

Request assistance from an authority

Reply to a request for assistance from an authority

For use in legal proceedings of recipient

At completion of investigation

For implementation of OLAF recommendations


What type of PD is transferred?

Categories of PD transferred:

Identification data

Professional data

Case involvement data

PD included in:

Interview records

Mission reports

Final case reports


2. OLAF's implementation of DP Rules governing transfers to 3C/IO


OLAF must apply Article 9 of Regulation 45/2001

3 possibilities:

Adequate level of protection ensured by recipient in 3C or IO

Adequate safeguards authorised by EDPS

Exceptionally, derogation


Commission findings on adequacy

• Adequacy decisions taken by Commission following consultation with MS reps

• Commission’s adequacy decisions from 1995-2012:

1. Andorra

2. Argentina

3. Australia

4. Canada

5. Switzerland

6. Faeroe Islands

7. Guernsey

8. State of Israel

9. Isle of Man

10. Jersey

11. United States – PNR data; American enterprises that have signed up to Safe Harbour

• These are not very helpful to OLAF, which has few transfers to these countries.


OLAF's first consultation with EDPS of 3C/IO transfers

2005: OLAF memo to EDPS on 3C/IO transfers in its cases

2006: EDPS working document with recommendations

2006: OLAF response to recommendations

EDPS found to provide a good basis for establishing adequate safeguards


OLAF's second consultation with EDPS concerning 3C/IO transfers

January 2012: OLAF submitted consultation on revised model DP contractual clauses to be used in administrative cooperation arrangements

April 2012: EDPS reply with recommendations

June 2012: OLAF's proposal to implement recommendations

July 2012: EDPS final reply with further recommendations


OLAF's model DP contractual clauses

Model DP contractual clauses attached to OLAF's Administrative Cooperation Arrangements (ACAs)

Main provisions:

Definitions

Joint obligations

OLAF obligations

Partner obligations

Resolution of disputes with DS/EDPS

Suspension and termination

Text available at OLAF internet site (http://ec.europa.eu/anti_fraud/policy/international-cooperation/index_en.htm)


Legal status of OLAF DP contractual clauses

OLAF has no legal personality; no standing to enter legally binding agreements

Art. 9(7) states that "safeguards may in particular result from appropriate contractual clauses": Does this mean legally binding?

Practical solution: OLAF's DP contractual clauses, annexed to ACAs, not legally binding

Perhaps still under derogation 9(6)(d), but with maximum protection OLAF can offer


OLAF's ACAs

| Period | Africa | Americas | Asia | Europe | IOs |
| --- | --- | --- | --- | --- | --- |
| Pre-2006 | | | | | |
| 2006-2011 with earlier version of DP clauses | Benin IG; Congo Brazzaville anti-corruption commission; Djibouti IG; Senegal IG; South Africa IG | US ATF | | Macedonia prosecutor | |
| 2006-2011 without DP clauses | Congo Brazzaville IG; Morocco customs; Morocco IG | | Taiwan Customs | | |
| 2006-2011 with adequacy | | Argentina FIA | | | |
| 2012 with new DP clauses | Uganda IG | | | | World Bank Integrity Vice Presidency |


OLAF's ACAs in the planning stage

Africa: Angola IG; Burundi prosecutor; Cameroon CCCS; Congo Kinshasa IG and Prosecutor; Ivory Coast CCCS; Kenya ACC; Tunisia CC; Uganda prosecutor and AG; Zambia DEC/ACC

Middle East: Occupied Palestinian Territories ACC; Syria EC projects AFU

Americas: Costa Rica CG; Honduras TSC; Paraguay FGE; US DoJ and FBI

Europe: Georgia IS; Moldova Customs; Russian Ministry of Interior; Russian Customs; Serbian National Bank; Ukraine SCSU

Asia/Oceania: Afghanistan ACO; Bangladesh EPB; Chinese State Tobacco Monopoly; Kazakhstan AFECC; Australian Customs

IOs: African Union Commission; African Development Bank; Council of Europe Development Bank; EBRD; EXIM Bank; Global Fund; Interpol; OSCE; UNDP


OLAF's transfers by derogation

Where no ACA, transfer by derogation

OLAF relies on derogation listed in Art. 9(6)(d): "The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims"

OLAF includes "data protection safeguards" in all transfers based on derogation (but no agreement from recipient)


OLAF standard workforms

Three different workforms for transfers to 3C, IO, with different DP transfer clauses

To recipient in 3C/IO with adequacy: limits on use of PD transferred

To recipient in 3C/IO with ACA: limits on use of PD transferred + reference to DP contractual clause requirements

To recipient in 3C/IO with no ACA: limits on use of PD transferred + list of DP safeguards to be observed


OLAF's register of transfers

OLAF maintains register of all transfers to 3C/IO in DP module of CMS

Meta data registered for each transfer:

Recipient type (EU institution/body, MS, 3C, IO)

Name of recipient

Organisation

Address

Means (written, oral, e-mail), with document attached

Necessity of transfer

DSs to which transfer relates


How many transfers to 3C/IO are made by OLAF?

DP module report indicates for cases initiated after 1.1.2009:

27 transfers in internal cases

23 transfers involving external aid

2 involving new financial instruments

2 involving customs


3. What would change under the proposed regulation?


More adequacy decisions?

Adequacy (Art. 41):

Requires adequacy decision of the Commission (comitology: examination procedure)

Finding may apply only to a territory or processing sector within a 3C

New elements specified for assessing adequacy

Adequacy decisions will also apply to police cooperation and criminal justice


Appropriate safeguards (Art. 42)

Provided in "legally binding instrument", which may be:

Standard DP clauses adopted by Commission (comitology: examination procedure)

Standard DP clauses adopted by a supervisory authority (consistency mechanism), validated by Commission (comitology: examination procedure)

DP contractual clauses with prior authorisation by a supervisory authority (possible consistency mechanism)

Provided in an instrument which is not legally binding:

DP contractual clauses with prior authorisation by a supervisory authority (possible consistency mechanism)


Derogations (Art. 44)

In the absence of adequacy or appropriate safeguards, a transfer or set of transfers may take place on condition that (inter alia):

The transfer is necessary on important grounds of public interest recognised in EU or MS law; Commission may further specify (comitology)

The transfer is necessary for the establishment, exercise or defence of legal claims


New OLAF Regulation

Final compromise text approved in October 2012

Article 10b provides:

administrative arrangements may be agreed between OLAF and competent authorities in 3C and IO, including exchange of operational information

OLAF shall keep a record of all transmissions of PD, including the grounds for the transmission


Thanks for listening!


THE PROPOSED DIRECTIVE ON DATA PROTECTION IN THE AREA OF POLICE AND JUSTICE: A CLOSER LOOK

The omission of Europol and Eurojust from the draft Directive

Diana Alonso Blas, LL.M. Head of the DP Service/Data Protection Officer

5 November 2012

ERA conference: Data Protection in the Area of European Criminal Justice Today


Data Protection is crucial for Eurojust

• Need to receive, store and further process personal data to deal with the cases referred by national authorities

• Very sensitive information on persons subject of a criminal investigation or prosecution, witnesses and victims + persons having been convicted

• Both EJ and the JSB EJ have taken a great interest in this matter which is of crucial importance for the proper protection of the rights of individuals but also for the operation of the organisation.

• Processing personal data is inherent to the core business of Eurojust.


Data Protection after Lisbon Treaty I

• Article 16 of Lisbon Treaty – not only one legal instrument on DP.

• Article 16 of Lisbon Treaty talks about RULES (plural) and about independent supervisory AUTHORITIES (also plural).

• As WP 29 and WP on Police & Justice said, the specific rules in place are there not only because of different legal grounds before Lisbon but also because of the specific content needs.

• This is acknowledged in declaration 21 of Lisbon Treaty!


Data Protection after Lisbon Treaty II

• It is fundamental that the various existing instruments are consistent with each other and offer an equally high level of protection.

• It should by all means not be an exception to the general protection regime.

• The core aspects need to be consistent with the general principles, the obligations and responsibilities of controllers and rights of the data subjects, even where limitations exist.


The Data Protection Regime of Eurojust: robust, effective and tailor-made

Eurojust Decision contains detailed provisions on data protection (Articles 14-25):

Art. 14: Processing of personal data

Art. 15: Restrictions on the processing of personal data

Art. 16: CMS, index and temporary work files

Art. 16a: Functioning of temporary work files and index

Art. 16b: Access to the CMS at national level

Art. 17: Data Protection Officer

Art. 18: Authorised access to personal data

Art. 19: Right of access to personal data

Art. 20: Correction and deletion of personal data

Art. 21: Time limits for the storage of personal data

Art. 22: Data Security

Art. 23: Joint Supervisory Body

Art. 24: Liability for unauthorised or incorrect processing of data

Art. 25: Confidentiality

New Eurojust Decision of 16 December 2008 reinforces the DP system, defining more precisely provisions and introducing some principles of DP RoP in the text.

Rules of Procedure on the processing and protection of personal data (adopted unanimously by College of Eurojust in October 2004 and by Council in February 2005):

Title I: Definitions

Title II: Scope of application and structure

Title III: Principles of general application to Eurojust

Title IV: Rules for case-related processing operations

Title V: Rules for non-case-related processing operations

Additional Rules of the Rules of Procedure to non-case-related operations (Decision of College of June 2006)

Other European instruments:

- Treaty of the EU (Article 6)

- ECHR (Article 8)

- CoE Convention 108

- Charter EU (Articles 7-8)

- Article 16 Treaty of Lisbon


The ongoing DP reform and Eurojust I

• The proposed directive constitutes an improvement but is rather general.

• Eurojust:

- complies with all the same general principles;

- due to specific nature of its activities, the EJ’s legal system is much more detailed and precise;

- offers much more legal certainty to data subjects;

- EJ rules contain additional safeguards for victims and witnesses with strict conditions and time limits for processing of such data;

- defined rules on possible access to the information;

- system of data retention with regular review of compliance;

- obligations to keep the data updated, relevant and not excessive.

• All those rules have been technically implemented in CMS - a good example of “privacy by design”.

• EJ’s rules offer a much higher level of protection than what is proposed by the Commission.

• Legal certainty is key in this field. Specific (not different) rules offer more protection!


The ongoing DP reform and Eurojust II

• Rights of the individuals – specificity of the activities (ongoing investigations or prosecutions)

• Every request is dealt with on a case-by-case basis and takes into account all interests at stake and makes efforts to provide information whenever possible.

• In a recent Court case, the General Court has praised the way EJ was dealing with data subject requests (judgment of 25 November 2010 in case T-277/10 AJ K v Eurojust):

The General Court of the European Union evaluated very positively the fact that Eurojust had provided the individual information as to the fact that no personal data on him had been processed. The Court found that Eurojust not only duly met the requirements of Article 19(7) of the Eurojust Decision but even exceeded them, since it provided a detailed answer to the applicant’s allegations revealing that no personal data concerning him was processed by Eurojust.

• This is also an example of the fact that data subjects are not deprived of their rights to have judicial review of the decisions taken by EJ.


Need for specific and effective supervision

• EJ has a robust DP system in place, tailor-made to the mandate and tasks of EJ and closely monitored by DPO and JSB.

• The Lisbon treaty refers to independent DP authorities (plural).

• The supervision of processing operations carried out by judicial authorities cooperating in ongoing judicial investigations or prosecutions is often excluded at national level from the scope of the DPAs and, at EU level, the EDPS is also not competent to supervise the ECJ acting in its judicial capacity.

• The proposed Directive also generally excludes these activities from its scope.

• At Eurojust such activities are not excluded from supervision. On the contrary, they are fully monitored by the JSB while respecting the specificity of the judicial powers.


Specialised supervision

• EJ’s present system of specialised supervision works well:

- necessary expertise (judges and DPAs combination, fully independent);

- effective: 3 elected members, meeting regularly (4-5 times a year) at EJ;

- costs about forty thousand euros a year (all in);

- in appeal cases appointees of involved MS are called in to join. It offers a quick and not cumbersome appeal procedure for individuals;

- carries out on the spot supervision: frequent inspections with direct involvement of national DPAs (3 days x five persons inspections);

- full transparency: webpage with regular updates, appeal decisions and reports published and distributed and so forth;

- decisions of JSB are final and binding on Eurojust: quasi judicial nature.

• Data processed by EJ comes from MS and goes back to MS. So it makes sense that national DPAs must be involved in supervision and this is ensured by the JSB appointees.


Conclusions

• Legal certainty is key in this field. Specific (not different) rules offer more protection!

• The JSB is working well, is effective, understands the business of EJ and ensures real compliance with rules in practice, which offer high protection for individuals and increased legal certainty.

• Let’s not mend what is not broken! Should the EC consider any changes: need to evaluate effectiveness and working of existing schemes and discussion with all involved parties needed.


Thanks for your attention!

Questions? Comments?

Diana ALONSO BLAS, LL.M.

Data Protection Officer

Eurojust

Maanweg 174

NL-2516 AB The Hague

Tel: +31 70 412 5510

Fax: + 31 70 412 5505

[email protected]

www.eurojust.europa.eu


INTERPOL For official use only

Accessing Private Sector Data

ERA Conference

Trier, 5-6 November 2012

The need for a common regulation for the police


Overview

A. Accessing private sector data

1. Increase in co-operation

2. Examples of existing co-operation

3. Why useful for investigations?

4. Data protection principles & requirements for legitimate data transfers

B. Need for common regulation for the police

1. Why a need for regulation?

2. Basis in existing guidelines

3. Common regulation


A. Accessing Private Sector Data


1. Increase in Co-operation

• Threat of terrorism & fundamentalism

• Threat of nuclear & biological weapons, as well as cyber attacks

• Increase in cross-border criminality


2. Examples of existing co-operation


Example: Cybercrime

• Evidence needed by the police is often held by the private sector & often in other jurisdictions.

Cross-border & cross-sector investigations: efficient co-operation is necessary

Private sector is often the victim, so willingness to co-operate

Privacy obligations towards customers

Balance: benefits vs. costs


Example: Cybercrime

The Microsoft Digital Crimes Unit (DCU) aims at disrupting cybercrime through co-operation across industry, law enforcement, academia, government & NGOs worldwide

Case: Zeus botnets


Example: Online Child Abuse Material

• Private data from ISPs and the financial sector can help reduce available material online and save child victims across the world


Example: Online Child Abuse Material

The Financial Coalition Against Child Pornography is an example of a public-private partnership with the financial sector

PayPal, for example, is a member and works closely with US Immigration and Customs Enforcement, the FBI and other regulatory bodies

Results:

Fewer commercial sites reported

Higher subscription prices


Example: Camera Surveillance

• Images from private camera surveillance are often transmitted by private sector companies to LEAs for the investigation and prosecution of criminal offences


Example: Camera Surveillance

Case: Minsk metro bombing

Images of the suspects captured by private camera surveillance in the metro station were transferred to LEAs & made public for assistance identifying suspects


3. Why useful for law enforcement investigation?


Why useful for investigation?

• Criminal activity increasingly organized and carried out in the digital environment

• Mass amounts of digital data already generated, collected and stored

• Mainly by private sector parties (ISPs, e-mail providers, SNS,…)

• LEA budget and human resources can be allocated to other purposes


4. Data Protection Principles

General Framework

• Fair & lawful processing

• Purpose specification

! No incompatible use

• Adequacy & proportionality

• Accuracy

• No longer than necessary

• Subject’s rights

• No onward transfer without ALP

Transfer to Police

• Transfer to LEA incompatible use

• Accuracy to be verified, if data accessed from private sector

• Consent not always possible!

• Onward transfer: internat. treaties & MLA


Requirements for

Legitimate Data Transfer

• Required by law

• Court order or warrant

issued

• Consent data subject

obtained

• Vital interest data subject or 3rd person

• Legitimate interest or public interest

= Task LEA?

Transfer needs to be assessed on a

case-by-case basis

Case-by-case Assessment

• Legitimate or public interest balanced against fundamental rights data subject

• Best performed by an independent, third party, such as a judge

Need for efficient & immediate authorization

• Judge can issue a warrant = legitimate data transfer

• Higher chance of evidence being admissible in a court case

Interoperability?

• No independent assessment

= legitimacy can be questioned

• Does not preclude interoperability for systems with built-in privacy & security rules

Access limitation: specify legal authorization for certain data types

Data minimization & anonymization

Allows anonymous analysis of databases to track suspicious links or transfers

Audit trails

B. Need for a common regulation for the police

1. Why a need for Regulation?

• Need for common regulation for police agencies, even more so as criminality is increasingly cross-border & online

Facilitation of police co-operation

Increase of legitimacy data transfers

• Good basis can be found in:

Human rights guidelines for Internet Service Providers - CoE & EuroISPA

Guidelines for cooperation between law enforcement and internet service providers against cybercrime – CoE

2. Existing Basis: Human Rights Guidelines

• Identity of users & communication, content and traffic data accessed by them

no transfer, unless legal duty or following orders from competent public authority in accordance with the law

• Requests from abroad through competent authorities of your own country

Existing basis: Co-operation guidelines

• Procedural requirements requests

• Requirements to determine competent authorities & types of data they can access

• Requirement verifiability source of request

• Requirement specific and accurate requests

• Requests in writing: documentary trail for audits

Transparency & proof: data legitimately obtained and lawfully processed

3. Common Regulation

• Include requirement of case-by-case assessment by an impartial third party when no other legitimate ground for transfer

Warrant: need for efficient & rapid authorization

Increase of admissibility evidence

• Include requirement of interoperable systems to have built-in privacy and security safeguards

Common Regulation

• Evaluation of the reliability of a private sector party

Private sector data can also be evaluated and labelled or scored according to its accuracy and relevancy, for example with the 4X4 system

Increase of data accuracy and data quality in general, especially since data subject of an on-going investigation can rarely access or correct personal information


Thank you!

Law enforcement access to Eurodac: the Commission’s proposal adopted on 30 May 2012

Priscilla de Locht

ERA conference, 6 November 2012

1. What is EURODAC?

2. History of EURODAC recast

3. The 2012 proposal from a data protection perspective

4. Provisions on law enforcement access and data protection safeguards


1. What is Eurodac?

• Large DB of fingerprints

• Asylum Purpose


• Central DB + communication infrastructure

• Three categories of individuals

• Hit/no hit system

2. History

• December 2008: higher degree of harmonisation and better standards of protection for the CEAS

• September 2009: bridging clause to allow access for LE purposes and proposal for a Council Decision spelling out the modalities of such access

• October 2010: removal of LE access

• May 2012: new proposal


3. The current proposal: A Data Protection perspective

a) Lack of a new critical impact assessment

b) Need to first implement and evaluate existing instruments

c) Risk of stigmatization of a vulnerable group of people

d) Worrisome trends of “function creep”

3.a) Lack of new critical impact assessment

• Impact assessment of 2008 and 2009 still valid?

• Two reasons why not:

1. results not relevant (2008) or convincing (2009)

2. out of date

• No fundamental rights impact assessment

3.b) Need to first implement and evaluate existing instruments

3.c) Risk of stigmatization of a vulnerable group of people

3.d) Worrisome trends of “function creep”

Terrorists?

4. Provisions on LE access and DP safeguards

MS law enforcement authorities access if:

- Prior check under Prüm

- Necessary for the prevention, detection or investigation of terrorist or other serious criminal offences

- In a specific case (no systematic comparison)

- Reasonable grounds

• EUROPOL access if:

- Necessary for the performance of its tasks

- Necessary for the purposes of a specific analysis or an analysis of a general nature and of a strategic type

• Designated and verifying authorities

Need for more effective safeguards, e.g.:

• clear indication that the perpetrator has applied for asylum

• Verification truly independent; preferably a judicial authority

• Same conditions of access for EUROPOL as for MS

Conclusion

• Eurodac: large database of fingerprints of asylum applicants and illegal immigrants

• Amendments to Eurodac Regulation are not new

• The 2012 Commission’s proposal: truly necessary and proportionate?

• Should the necessity and proportionality be demonstrated, more effective safeguards are needed.


Thank you for your attention

www.edps.europa.eu

@EU_EDPS

European Data Protection Supervisor

Trier 5-6 November 2012

Revising the data retention Directive:

Just do it and do it now!

Herke Kranenborg


What is the problem?

I. Data retention as such

II. Data retention as laid down in the Data Retention Directive


I. Data retention as such

EDPS 3-12-2010 (www.edps.europa.eu)

The most privacy invasive instrument ever adopted by the EU in terms of scale and the number of people it affects.


EDPS 3-12-2010 (www.edps.europa.eu)

This needs profound justification. The evaluation should be used to prove the strict necessity of the measure.

EDPS 3-12-2010 (www.edps.europa.eu)

The evaluation is the “moment of truth” for the Data Retention Directive!


3-12-2010 (through rapid)


3-12-2010 (through rapid)

Data retention is here to stay!


3-12-2010 (through rapid)

There is no evidence that it has led to serious abuse in any concrete cases.

18 April 2011: Evaluation report of the Commission

‘Most Member States take the view that EU rules on data retention remain necessary as a tool for law enforcement.’

31 May 2011: EDPS Opinion on the report

‘the necessity of data retention as provided for in the Data Retention Directive has not sufficiently been demonstrated’

II. Data retention as laid down in the Data Retention Directive

• Data retention is an exception:

– See Article 15(1) of the ePrivacy Directive

• This exception is harmonised with the Data Retention Directive


However

• Only the obligation to retain data has been (more or less) harmonised and the legitimate aim has been (sort of) indicated.

• Commission report:

– ‘The responsibility for ensuring [the right to privacy and the right to data protection] are upheld lies with the Member States’.

• This is problematic: how to assess whether the measure is proportionate?

• The safeguards are to be put in place at national level

• Member States cannot choose not to retain data

• And: Member States can even decide to use this data for another purpose!

– The ‘legal loophole’

– See the Evaluation Report of the Commission and the CJEU ruling in Bonnier Audio of 19 April 2012 (C-461/10)


• EDPS Opinion of 2011:

‘The Data Retention Directive lacks foreseeability’.


• So, that’s what is wrong with the Directive…

• Moreover: the evaluation report makes clear the instrument failed from an internal market perspective!


What is the solution?

• Demonstrate necessity of data retention as such!

• If demonstrated: any revised Directive should be

– complete and

– exhaustive

• Cover and clarify all aspects of the measure and close the legal loophole


What is the problem?


• Why is the revision postponed?

• Article 15 ePrivacy and the reform process…

• Two cases before the court might change the ‘default setting’

– C-293/12 (DRI) and C-329/12 (Com/Germany)


Any questions?

Thanks for your attention!

EDPS website: www.edps.europa.eu

https://twitter.com/#!/EU_EDPS

Herke Kranenborg


ERA Conference on Data Protection in the Area of European Criminal Justice

Trier 5-6 November 2012

SUBJECT: STATE OF PLAY OF THE DATA RETENTION DIRECTIVE

The Commission adopted on 18 April 2011 a report on the evaluation of the Data Retention Directive (Directive 2006/24/EC). In the light of this report, the Commission said that it would propose a revision of the current data retention framework. In its Action Plan implementing the Stockholm Programme, the Commission announced a revision proposal for 2012.

In the Commission's evaluation report, evidence provided by Member States and Europol so far has vindicated the value of the measure for combating serious crime. The Commission has continued to press Member States to provide credible and comparable statistics and case studies to demonstrate this. Law enforcement and judicial authorities throughout the EU have repeatedly emphasised the importance of this guarantee that data will be available if there is a need.

Also in the report, the Commission indicated that a number of aspects of the data retention framework needed improvement to address, in particular, some of the concerns about proportionality and safeguards for the rights to privacy and protection of personal data, and the burden it placed on economic operators.

These aspects, set out clearly in the evaluation report, have been further examined since: for instance, a reduced and more harmonised data retention period; a scope which is clear and exhaustive in terms of the types of data to be retained and the purposes for which data may be used; clear and consistent minimum standards for access and use of the data; better accountability on the part of authorities for the data which they access, and the statistics that they provide to demonstrate why accessing those data was necessary; a consistent approach to reimbursing operators' costs.

Furthermore, there needs to be coherence between the obligation to require data retention – in the Data Retention Directive – and the possibility for Member States to require or to allow data retention – which is provided for by the e-Privacy Directive. A proper reform proposal needs to ensure that data retained in application of the Data Retention Directive cannot be used for other purposes than those provided for in the Data Retention Directive. Currently Member States have this option pursuant to the e-Privacy Directive.

Since the evaluation, the Commission has consulted stakeholders in law enforcement, the judiciary, industry, data protection authorities, consumer groups, NGOs and Member States on possible options for amending the framework. Several workshops were held in 2011, and a set of questions was published on the DG Home Affairs website.[1] Discussions have also taken place in Council working groups and in the Commission's expert group on data retention.[2]

As has been pointed out during those workshops by stakeholders in industry and the data protection community, as well as numerous NGOs campaigning for the protection of privacy and concerned professional groups including journalists and lawyers, data retention has a significant impact on the right to privacy and the protection of personal data, and is burdensome for service providers especially SMEs.

Opinions about the need for data retention in principle and the effectiveness of the Data Retention Directive specifically are starkly divided. Most if not all Member States, and all police and judiciary consulted, appear to support the current framework and to oppose any reform on the grounds that it would weaken their capability to investigate and prosecute serious crime. Industry stakeholders seek at least limited changes, while the current situation is strongly criticised by data protection stakeholders, and by privacy advocates some of whom believe that data retention should be prohibited altogether.

The Commission has been consistent on data retention, ever since it tabled its original proposal for a directive in 2005. In that proposal, the Commission acknowledged that telecommunications data were an integral part of evidence gathering in investigations and prosecutions of very serious crimes, and that such data could be crucial in serving the needs of justice and protecting victims against harm.

It was, and remains necessary to guarantee that, within the bounds of proportionality and subject to appropriate controls and safeguards, these data will be available for a limited period of time if police and prosecutors need to access them. The limitations and procedures for data retention should be as harmonised as possible to minimise the negative impact on the internal market, while at the same time respecting the legitimate and varying requirements of national circumstances.

Although the Commission continues to believe that data retention is a necessary measure for combating serious crime, it also acknowledges that there are considerable concerns that have been raised by a number of stakeholders to which the adequate solution is to reform the Directive.

Besides those mentioned earlier (a need for a reduced and more harmonised data retention period, for a clearer, exhaustive scope of the types of data to be retained and the purposes for which data may be used, and for consistent minimum standards for access and use of the data) there is also a need to address the possibility, under Directive 2002/58/EC (the 'e-Privacy Directive'), for Member States to apply data retention in ways and for purposes which go beyond those regulated by the Data Retention Directive. The Commission has already announced that it will analyse the need to review the e-Privacy Directive once the new general data protection framework is stable.

[1] http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/police-cooperation/data-retention/index_en.htm

[2] http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/police-cooperation/data-retention/experts-group/index_en.htm

Amendment of the e-Privacy Directive thus is only likely to take place once there is greater clarity as to the outcome of deliberations within and between the Parliament and the Council on the Commission's proposal for reforming the data protection framework. Therefore, the Commission intends to present a coherent reform, for which at present there is no precise timetable. So the reform will not be for this year as announced in its Action Plan implementing the Stockholm Programme.

The Commission will therefore continue working towards a reform of the Data Retention Directive, to be presented at the same time as a future revision of the e-Privacy Directive, if the latter is opened for review. In bringing this work forward, the Commission will take full account of the ongoing discussions on the general data protection reform.

The Commission will also continue to focus on implementation of the Directive. All but two Member States have now transposed the Directive following a number of infringement cases.

Given the technical and legal complexity and political sensitivity of data retention, and the early stage of discussions on the draft Data Protection Regulation, it is likely to take some time before the Commission is in a position to make such proposals.


Scheme of the Data Retention Directive

Participants may find it helpful to have an explanation of the scheme of Directive 2006/24, in particular in the light of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data and Directive 2002/58 concerning the processing of personal data and the protection of privacy in the electronic communications sector.

Directive 95/46 lays down rules relating to the processing of personal data in order to protect the rights of individuals in that respect, while at the same time ensuring the free movement of those data in the European Union. However, it provides in Article 3(2) that it does not apply to the processing of personal data "in the course of an activity which falls outside the scope of EU law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case the processing operations concerning public security, defence, State security…and the activities of the State in areas of criminal law".

Article 13 of Directive 95/46/EC allows for the exemption from certain data protection provisions for reasons of national security, defence and public security and prevention, investigation, detection and prosecution of criminal offences.

Directive 2002/58 was adopted with a view to supplementing Directive 95/46 by provisions specific to the telecommunications sector. It is expressed to particularise and complement Directive 95/46 and, like that Directive, does not apply to activities falling outside the scope of the Treaty, in particular the activities of the State in areas of criminal law (Article 1).

Article 15 of Directive 2002/58/EC allows for the exemption from certain data protection provisions for reasons of national security, defence and public security and prevention, investigation, detection and prosecution of criminal offences.

Article 5(1) inter alia requires Member States to ensure the confidentiality of communications and related traffic data. In particular, it requires Member States to prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and related traffic data except when legally authorised to do so in accordance with Article 15(1).

Article 15(1) of Directive 2002/58 provides for a derogation in that it permits Member States to restrict certain rights and obligations in Articles 5, 6, 8 and 9 of the Directive inter alia when such a restriction is a necessary, appropriate and proportionate measure for the "prevention, investigation, detection and prosecution of criminal offences".

As is recorded in recitals 5 to 11 of the preamble to Directive 2006/24, several Member States had adopted legislation in reliance on Article 15 of Directive 2002/58, providing for the retention of data by service providers for the prevention, investigation, detection and prosecution of criminal offences; such provisions varied considerably, which in turn caused obstacles to the internal market for electronic communications, as the Court itself acknowledged in Case C-301/06, Ireland v European Parliament and Council[3]. At the same time, the Conclusions of the Justice and Home Affairs Council of 19 December 2002 underlined that data relating to the use of electronic communications were a valuable tool in the prevention, investigation, detection and prosecution of criminal offences, in particular organised crime[4].

[3] 2009 ECR I-593, in particular at paragraphs 63-72.

Article 1 of Directive 2006/24 specifies that its aim is to harmonise Member States' provisions concerning providers' obligations with regard to the retention of data for the purpose of the investigation, detection and prosecution of serious crime.

Article 3 provides a derogation from Articles 5, 6 and 9 of Directive 2002/58 by requiring Member States to ensure that certain categories of data (specified in Article 5 of Directive 2006/24) are retained by service providers.

Article 5 specifies the categories of fixed line and mobile telephony and internet-related data that are to be retained. The Directive does not authorise retention of data revealing the content of the communication (Article 5(2)).

Article 6 requires Member States to ensure that the data are retained for not less than 6 months and not more than two years from the date of the communication.

Article 11 makes a consequential amendment to Article 15 of Directive 2002/58 in that it disapplies paragraph 1 thereof to data specifically required by Directive 2006/24 to be retained.

Like Directive 2002/58, Directive 2006/24 is based on Article 95 EC (now Article 114 TFEU) and is thus to be seen predominantly as an internal market measure. A challenge to the choice of the legal basis was dismissed by the European Court of Justice in Ireland v Parliament and Council, in which the Court held as follows:

80. In that connection, the provisions of Directive 2006/24 are essentially limited to the activities of service providers and do not govern access to data or the use thereof by the police or judicial authorities of the Member States.

81. More specifically, the provisions of Directive 2006/24 are designed to harmonise national laws on the obligation to retain data (Article 3), the categories of data to be retained (Article 5), the periods of retention of data (Article 6), data protection and data security (Article 7) and the conditions for data storage (Article 8).

82. By contrast, the measures provided for by Directive 2006/24 do not, in themselves, involve intervention by the police or law-enforcement authorities of the Member States. Thus, as is clear in particular from Article 3 of the directive, it is provided that service providers are to retain only data that are generated or processed in the course of the provision of the relevant communication services. Those data are solely those which are closely linked to the exercise of the commercial activity of the service providers.

83. Directive 2006/24 thus regulates operations which are independent of the implementation of any police and judicial cooperation in criminal matters. It harmonises neither the issue of access to data by the competent national law-enforcement authorities nor that relating to the use and exchange of those data between those authorities. Those matters, which fall, in principle, within the area covered by Title VI of the EU Treaty, have been excluded from the provisions of that directive, as is stated, in particular, in recital 25 in the preamble to, and Article 4 of, Directive 2006/24.

84. It follows that the substantive content of Directive 2006/24 is directed essentially at the activities of service providers in the relevant sector of the internal market, to the exclusion of State activities coming under Title VI of the EU Treaty.

[4] On the background to Directive 2004/24, see generally the judgment in Ireland v European Parliament and Council, supra, in particular at paragraphs 7-11.

Thus, to summarise, Directive 2006/24 primarily provides for a solution to the internal market problem caused by divergent utilisation by the Member States of the derogation facility in Article 15 of Directive 2002/58 by providing for minimum harmonisation of the periods during which the data set out in Article 5 must be retained. At the same time, it aims to ensure, for the purposes of law enforcement in the Member States, that data are retained in all Member States and that they are made available to law enforcement authorities for a certain period[5].

Directive 2006/24 simply requires the Member States to adopt measures to ensure that the data specified in Article 5 thereof are retained for a minimum period of six months and a maximum of two years. By contrast, the Directive does not authorise retention of data revealing the content of the communication. Nor does it contain any provisions regarding access to those data, other than to stipulate that they are "available for the purpose of the investigation, detection and prosecution of serious crime" (Article 1(1)) and that the procedures and conditions relating to access are regulated by national law, including, where relevant, other EU law provisions and international law (Article 4).

[5] Recital 9 of the preamble.