          • Year: 2019
          • Personal Data Protection Defends Individual Freedom in the Era of Mass Surveillance

          • How security authorities need to protect the personal data they handle, why they need special rules, and why European regulations in this area are important for Serbia, BCSP researcher Jelena Pejic asked Juraj Sajfert, a lawyer and European expert in the area of personal data protection.

        • Mr. Sajfert participated in the creation of the so-called Police Directive or Law Enforcement Directive (LED), counterpart of the General Data Protection Regulation (GDPR) for the law enforcement authorities. The LED regulates the protection of personal data collected and processed by the competent authorities for the purpose of preventing, detecting and investigating criminal offenses, prosecuting offenders, as well as for the purpose of executing criminal sanctions. Sajfert is employed by the European Commission, but has given this interview in his personal capacity, so the views and opinions expressed in the interview do not in any way reflect the official opinion of the European Commission.


          As the European Union act itself has a name that is too long and is rarely mentioned in its entirety, the most commonly used term is the Police Directive. However, is it a fitting name, since the Directive neither covers every police action nor is it limited to the police alone?


          That is not the most appropriate term. It was often used when it was proposed as part of legislative negotiations. However, when the Directive was enacted and started to get transposed into national law, and has now been in force for a year after its transposition, most participants realized that it was better to use the term Law Enforcement Directive (LED). Because it doesn't just cover the police. Of course, police are a big part of its application, but the Directive covers the prosecution, criminal courts and prisons, and some other bodies that, in certain situations, may be part of law enforcement because they have certain jobs of that type. So today the term Law Enforcement Directive (LED) is used more than the Police Directive, as it used to be.


          We are now waiting for the acronym LED to be incorporated, as is the case with GDPR, which is a much more familiar part of the EU's personal data protection package. Why are two separate regimes necessary for security authorities and for everyone else? Is it a consequence of different EU competences in the former first and third pillars, or are there also fundamental differences that explain why the rules are different?


          There are actually both reasons. The architecture of the two separate acts, GDPR and LED, carries certain problems and the distinction between them is not always clear. One is a regulation that is applied directly, the other is a directive that must be transposed into national law, so I don't think the best solution is to regulate the whole field this way.


          I think there are also many historical reasons. In the area covered by LED, which is the former third pillar - police and judicial cooperation in criminal matters, member states are used to having more autonomy, a more pronounced voice and stronger decision-making power, than in the area covered by GDPR, where the European Parliament also has something to say. After the Treaty of Lisbon, when we no longer have these pillars, the differences disappear, but a historical sense of member states that they have more autonomy in this than in other areas remains. That is why I think LED was proposed, because it leaves more freedom to states to decide how it will be transposed, while GDPR doesn’t leave much space.


          From a legal point of view, the Treaty of Lisbon has Declaration 21, which states that the specifics of the rules on personal data protection in law enforcement should be taken into account. Law enforcement has its own characteristics that are reflected in the LED, but not in GDPR, which is the more specific part of the story. I think there is a combination of practical and legal reasons, on the one hand, and political and historical reasons, on the other.


          Private and State Mass Surveillance Are Equally Dangerous


          What is more dangerous, that huge companies have massive databases about us, or that the state has? I suspect that the state has a greater volume of diverse information about us, in different public authorities.


          That is a very good question, on which there are differing opinions. Some people think - I don't care what Facebook has, how it has profiled me, but I'm more concerned with what the state is doing. Others say - what the state is doing is fine, because I know that they will not do something that they should not, or use their authority inappropriately, so I do not care. I trust them, but I do not trust these large companies. Such opinions can often be found in Northern Europe. What people think depends a lot on the local context, historical circumstances, and whether there is a culture of trust or distrust towards the state, and this culture is different from state to state.


          Personally, I have a problem with both, so I can't draw a line what is more or less important. I have a problem with what is happening in the private sector, as well as with all the means that law enforcement can use under the guise of security, in order to put the population under mass control: the potential for misuse has especially increased after 2015, in the context of the fight against terrorism.


          Both can be mass surveillance, only for different purposes. State control can be carried out in order to control the population, and private for the purpose of directing the population towards products which can provide better earnings. I can’t establish a hierarchy of what's worse.


          Trends in the private sector lead to the confiscation of the free will of individuals and directing the individual to what they think they want - there is more and more manipulation.


          Law enforcement can also exert mass surveillance on the population, which ultimately leads to the loss of individual autonomy and freedom, as we have seen throughout history in some repressive regimes, such as East Germany. These are not new things, just new methods enabled by the technology of today.


          Individual Rights Are One of the Main Differences between GDPR and the LED


          What are the most significant differences between the GDPR and the LED, or the general regime of personal data protection and that of the security authorities?


          If we go through both texts that have the same structure, we can see already in the section on principles that we have significant differences between GDPR and LED. The LED does not know the principle of transparency, and the GDPR places great emphasis on this principle. The principle of minimizing the data is much stricter in GDPR than in the LED, which leaves more freedom in deciding what information to collect, retain etc.


          There are specific provisions in the LED for which we will not find an equivalent in the GDPR. For example, there is an obligation to keep data on different categories of persons separate, and to prescribe time periods for data retention or for periodic review of whether data should be retained further. The LED also prescribes the obligation to keep records, the so-called logs, which means that all databases of personal data maintained by law enforcement must be accompanied by logs showing when and why someone consulted those databases, and whether they have further shared those data.


          There is a significant difference in the rights of persons that the data relates to. For example, the right to information as the obligation of the data handler in GDPR is much stronger than in the LED. Some rights from GDPR do not exist in the LED, but the LED, on the other hand, has a mechanism for indirectly exercising the rights of the persons concerned through a supervisory authority, which does not exist in GDPR. It is also one institute that only the LED recognizes. Basically, there are significant differences in the rights of the data subject.


          And there are also big differences in the transfer of data to third states. As a rule, law enforcement can only send data to their equivalents in third states, and the whole architecture is different.


          Can it then be stated clearly that the data protection standards are higher or lower in the LED, or are they just different from the GDPR?


          I would say that, in principle, the level of protection is lower and the degree of flexibility for operators is higher in the LED than in GDPR. But there are some elements where the standards are higher in the LED. There is an indirect exercise of the rights of the persons concerned through the supervisory authority, which does not exist in GDPR, for example. This provides one additional safeguard that GDPR doesn’t recognize.


          Is there a danger that the scope of the LED is being interpreted too broadly, to the detriment of GDPR?


          Yes, and that is something that will be a big topic in the coming years. Often this does not depend at all on the legislative text of a member state, but on how that text is interpreted. Of course, there are legal solutions that are dubious in themselves. The problem of demarcation, namely the too broad field of application of the LED, occurs in the interpretation of national law that transposes the LED - what it is applied to, when it is applied and in which situations.


          The LED is intended to be an instrument applied only by classic law enforcement bodies such as the police, prosecution, criminal courts and prisons, and only for the purpose of preventing, investigating and prosecuting criminal offenses. That is the intended scope of the LED, and everything else should be regulated by the GDPR. However, many states want to make it easier for the police, and then they try to interpret the law so that everything the police do is regulated by a single law on personal data protection.


          Another problem is that in some states, too many authorities are considered to be repressive, which then fall under the scope of the LED rather than GDPR. It is quite an important issue, but it is more practical than it concerns the text of the law that transposes the LED.


          Synchronization Is Important for Serbia because of EU Accession and Effective Data Exchange


          The LED is an act of the European Union. Why should non-member states, and especially those aspiring to EU membership like Serbia, be familiar with the standards of this directive?


          I think for Serbia, the so-called LED is important for two reasons. One is to align Serbia's legislation with European regulations within the accession process, and to bring Serbia's legislative framework and practice closer to what exists in Europe. The second reason is, I suppose, the interest of the Serbian law enforcement in cooperation and exchange of personal data with European equivalents. In order for this exchange to flow smoothly, it is essential that rules, levels of protection and supervisory mechanisms are similar to those existing in the European Union.


          Police and other law enforcement authorities in Serbia are already exchanging information with authorities within the European Union. On what basis is this exchange made? Does this mean that Serbia is sufficiently aligned with EU regulations in the field of personal data protection?


          I think that most are relying on the provision of Article 37 of the LED, which allows law enforcement authorities in the EU to carry out self-assessment of whether there are sufficient safeguards that data can be exchanged on a regular basis in Serbia.


          I believe that the majority of bodies that regularly exchange information with Serbia are familiar with the legislation in the field of data protection. So they were able to conclude that Serbia is a member of the Convention 108 of the Council of Europe, that it has a legislative framework that includes law enforcement authorities, that there is a new law that has yet to start being enacted, that the supervisory authority has some powers over law enforcement, that there is no discrimination whether the data subject is a Serbian citizen or not. On that basis it could be concluded that there are certain safeguard mechanisms that allow for regular data exchange. I suppose that most of them rely on this.


          Is this a satisfactory solution? What would make the transfer even faster and easier?


          It would be best for Serbia to get an adequacy decision of the European Commission, because then for all data transfers Serbia would be treated as if it were a member state. Then the data flow could be completely free. However, that decision is hard to acquire. I don’t know if the legislative framework and practice in Serbia are at that level. I think that Serbia should certainly express interest in this decision and start negotiations with the Commission, considering that a number of conditions exist, at least on paper.


          Read soon what are the main points of dispute in the design and implementation of the so-called Law Enforcement Directive of the EU, what provisions have to be substantially specified in national laws, and what are good examples of laws of EU Member States, in the next part of the interview.


          The interview was conducted as a part of the project “Defending the Right of Access to Information,” which is supported by the Open Society Foundation in Serbia.
