The reform of the EU data protection framework in the context of the police and criminal justice sector: harmonisation, scope, oversight and enforcement

ABSTRACT

This paper considers select emergent issues arising from the reform of the EU data protection framework, and how these might impact upon data processing in the law enforcement and criminal justice sectors. It analyses those aspects of the recently enacted Directive 2016/680 on data protection in the police and criminal justice sectors that will be determinative of its effective and consistent application in practice. It considers the extent to which the Principles laid down in Council of Europe Recommendation R(87)15 regulating the use of personal data in the police sector have been retained, adapted, strengthened, weakened or abandoned in Directive 2016/680. Certain problems arising from the Directive, not to mention the very medium of a Directive, separate from the General Regulation, as the instrument of choice, could be said to have been ‘writing on the wall’, as evidenced by the on-going discussions in the Commission expert group on the Regulation 2016/679 and Directive 2016/680 (E03461) on, for example, the complicated matter of delimitation between Directive 2016/680 and the General Data Protection Regulation (2016/679), oversight and enforcement; in particular, ensuring control by independent Supervisory Authorities, and international transfers and transfers to private parties.

KEYWORDS:

• Data protection
• police and criminal justice
• Directive 2016/680

Disclosure statement

No potential conflict of interest was reported by the author.

ORCID

Mireille M. Caruana http://orcid.org/0000-0002-1943-5413

Notes

1. For a comprehensive (if dated) analysis of data protection in the context of activities that typically fall within the Area of Freedom, Security and Justice, see Boehm (2012).

2. Directive 2016/680, Art.3(7).

3. cf. Recital (55) ‘The carrying-out of processing by a processor should be governed by a legal act including a contract binding the processor to the controller and stipulating, in particular, that the processor should act only on instructions from the controller [ … ]’

4. cf. Fourth AML Directive (2015/849) Art.40(1):

Member States shall require obliged entities to retain [ … ] documents and information in accordance with national law for the purpose of preventing, detecting and investigating, by the FIU or by other competent authorities, possible money laundering or terrorist financing [ … ]. (Author’s emphasis)

5. See note 4. Art.2(3)(b) and Art.60.

6. See note 4. Art.2(3)(a).

7. Resolution of the European Parliament of 12 March 2014 on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs.

8. Directive 2016/680, Art.18.

9. The GDPR provides for mandatory cooperation between DPAs, and sets up a consistency mechanism at EU level to ensure coherent application of the rules, which combines an advisory role for the EDPB and a role for the Commission.

10. Directive 2016/680, Art.36(2)(a)–(c).

11. Directive 2016/680, Art.38.