• Info BCSP

    • Sign up to receive our e-bulletin.
    • Find publications, analysis and documents in our unique resource base available to all visitors of BCSP web site.
      Advance search
          • Year: 2019
          • Paths and Sideways of the European Data Protection Revolution in Law Enforcement

          • How the EU revolutionized personal data protection in law enforcement, how to optimally transpose European standards into national legislation and what is the role of civil society in this process, find out in the second part of the interview BCSP researcher Jelena Pejić conducted with Juraj Sajfert, lawyer and European personal data protection expert.

        • Mr. Sajfert participated in the creation of the so-called Police Directive or Law Enforcement Directive (LED), counterpart of the General Data Protection Regulation (GDPR) for the law enforcement authorities. The LED regulates the protection of personal data collected and processed by the competent authorities for the purpose of preventing, detecting and investigating criminal offenses, prosecuting offenders, as well as for the purpose of executing criminal sanctions. Sajfert is employed by the European Commission, but has given this interview in his personal capacity,
          so the views and opinions expressed in the
          interview do not in any way reflect the official
          opinion of the European Commission.


          You took part in the drafting of the EU Law Enforcement Directive (LED) which was adopted in 2016. You have mentioned that, as opposed to the widely known EU General Data Protection Regulation (GDPR) that represents rather an evolution of European standards, this Directive is a true revolution in the personal data protection. What do you consider to be its greatest achievement compared to the former rules in this area?


          There are several. First great achievement is the fact that the Directive is a horizontal legal act, which means it contains rules for all kinds of data processing within the law enforcement sector. We had nothing like it before. There were different rules in force for different kinds of data processing. On the EU level we had the Framework Decision 2008/977/JHAwhich applied only to the personal data exchange between member states, while for other purposes there were no applicable EU-wide rules.


          There were different regulations on the national level, but solutions varied greatly. Some member states didn’t regulate national processing of personal data during investigations where there was no data exchange; other states had special legislation for this purpose, while some even expanded the application of the EU Personal Data Protection Directive 95/46/EC. That Directive referred only to the private sector, and to the administrative parts of the public sector, but those member states decided to apply them to the law enforcement as well.


          Furthermore, we had special personal data protection rules for each separate system created  at the European level. There were separate rules for the Schengen Information System(SIS), separate for Prümexchanges, separate for data exchange within the so called Swedish initiative. Altogether, it was a fragmented and totally illegible legal framework.


          Now we have a Directive which applies to all existing kinds of personal data processing. It is one set of rules, so it makes no difference whether the data are being transnationally exchanged or remain in the country, which law enforcement bodies are processing them, are they being used for European databases, etc. It is one major novelty and, in that sense, it is a revolution.


          The other achievement relates to the fact that all those former rules I’ve mentioned were very limited and subregulated. It wasn’t clear enough what they prescribed and their provisions were quite weak. On the other hand, the Law Enforcement Directive (LED) follows the structure of the General Data Protection Regulation (GDPR), so it entails a wide range of obligations, rights and responsibilities. I think that the Directive covers all aspects crucial to an effective personal data protection and accompanying oversight, which together provide for a quite enviable level of personal data protection, if applied correctly.


          Main issue of dispute: who and when should apply the Law Enforcement Directive


          Which were the most disputable issues in need of extensive negotiations during the drafting process? Do you think the final compromise on the text of the Directive left some of these issues unsolved?


          Yes, there are solutions in the Directive that leave much to be desired. Maybe the most important question in the whole Directive is its scope of application. So, when you read Article 1, para. 1 and recital 12, you won’t get the clear picture of who applies the Directive and when. The two basic questions regarding the Directive are its personal and material scope of application. 


          It most definitely was the greatest question during the negotiations between the European Commission, in the middle, and the European Parliament, on one side, and the Council, on the other. It was and still is a political question and most probably it will be up to the European Court in Luxembourg to solve it at one point.


          Second important question is the question of Article 39, that is - in which situations law enforcement bodies covered by the Directive are allowed to transfer data in third countries to private persons. So, not to their equivalent bodies but to private recipients, such as big companies in the U.S. The question of Article 39 has announced great debates currently lead in the EU, as well as between the EU and the U.S.


          We are dealing here with assymetric transfers of personal data. Instead of a classical, now allegedly obsolete, or at least sluggish, mechanism of international legal cooperation, we are witnessing a growing direct cooperation between law enforcement bodies in one state and private companies in another state, in or outside the EU.


          And not only cooperation, but also coercion, which is totally unacceptable from the classical criminal law perspective, i.e. that law enforcement bodies in one state have the means to coerce companies in other states, outside of their jurisdiction. That is currently in progress, allegedly due to the Internet and cyber crime, where issues of territorial jurisdiction are very fluid.


          The third difficult question refers to the corrective powers of the supervisory authorities. It is the Article 47, para. 2 of the Directive. So, what corrective powers are necessary for supervisory autorities to have towards the law enforcement bodies? You’ll see that the Directive is very open about it, and only offers some examples of what those corrective powers might be. However, it doesn’t demand from states to have specific corrective powers, it only demands these powersbe effective. The Directive doesn’t say what powers are those exactly, as the GDPR does, which entails a list of corrective powers independent supervisory authorities must have.


          Corrective powers are the most important powers of the supervisory authorities. That means - I order you to delete this database, not to send these data to a third country, to turn this server off and not do this anymore. And then I charge you with a fine of 20 million euros because you did this and that. So, this is a big deal, but the Directive leaves it quite undefined.


          National solutions largely differ regarding powers of the supervisory body


          Unlike the (General) Regulation, the Directive doesn’t apply directly, but has to be transposed by national legislation into the legal systems of member states. To what point this transposition requires additional specification? Which provisions are especially loose or weak, open for adjustment to national circumstances?


          We have to make difference between theory and practice. Having in mind that most states have transposed the Directive, we can have two perspectives. In theory, some provisions in the Directive are quite open. For example, the provision on time-limits for data storage is pretty open and weak, and the provision on corrective measures of a supervisory authority against the data controller leaves a lot of space for free interpretation.


          On the other hand, having seen how the Directive was in fact transposed, I don’t see big differences between member states. For some reason, the states haven’t deviated from the Directive’s provisions as much as they could have, so in the end there are no greater differences between national solutions. Most of them follow the idea of the Directive without insisting on different interpretations.


          In practice, I have noticed differences from one state to another in only two areas - powers of the supervisory authorities, where there are really great differences, and penalties for data controller violating the national legislation transposing the Directive. There are other open provisions in the Directive; however, in practice there is no greater variety in member states’ national solutions.


          Twenty-four EU member states have already adopted national laws transposing the Directive into the domestic legal system. The deadline was actually last year, but some states hadn’t made it. What main difficulties have arisen during the transposition of the Directive?


          The transposition was really demanding. It was a very complicated process in each state, requiring a lot of effort, since it included various consultations with the police, prosecutors, courts, ministries of justice and internal affairs in most states. Then doubts were raised about independence of certain bodies and the possibility of regulating them at all in a certain manner. Some supervisory authorities are not used to oversee this area because they mostly conduct oversight of the private sector, or other parts of the public sector, but not law enforcement authorities. So, they must now learn to use these new authority and powers in this sector too.


          The procedure is very cumbersome in great majority of cases in member states, with series of consultations, conversations and analyses. That explains why a good part of member states had delays in LED’s transposition, but the European Commission was very active in initiating infringement procedures against all such states, so it did more or less succeed in enforcing the transposition. Out of the remaining four states only two have actually made no substantial efforts, and the other two have yet to complete the process.  

          GDPR and LED provisions are best transposed by separate laws


          Which national law would you distinguish as exemplary?


          There are very good examples of laws where you can see how much effort had been invested and which can serve as models. However, one should differentiate between two possibilities for transposition. The states have chosen one or another based on various reasons.


          Some states decided to transpose both LED and certain provisions of GDPR in one legislative act. The GDPR is directly applicable, but some of its provisions require further specification in national legislation, when it comes to establishment of supervisory authorities, as well as regarding other issues. For example, how to protect some types of sensitive data or how to balance the right to data protection with the right to access information or freedom of speech.


          So, some states decided to adopt one law, and others decided - no, it is better to have everything regarding implementation of GDPR in one act, and transposition of the Directive in another act. In my opinion, it is better to have a separate law for LED and separate it from everything regarding GDPR. Good examples of the second option are Swedish and Finnish laws, surprisingly also Cypriot law, and the Dutch law.


          In my opinion, it is more difficult to carry out the all-in-one option. This solution carries complications on its own and could never be as good as the second option. However, there is one good example, to which only few remarks could be made. That is the Irish law. For those who choose one comprehensive law, the Irish one is probably the best. Slovak law is also good.


          Are there any laws or some aspects of national laws which are particularly problematic, in the sense that they transposed certain provisions of the Directive incorrectly?


          Absolutely. There are examples of incorrectly transposed Directive and this will have to be corrected over time. There are mechanisms through which the European Commission can force Member States to correct the flaws, and I think the Commission should make use of those mechanisms because it is important to correct them.


          What I have noticed as an incorrect transposition is, for example, the use of consent as the legal basis for data collection and processing. In this case, consent cannot be freely given, so it should not be used as a legal basis. However, some states provide this option. In my opinion this is a big mistake.


          We often find too much discretion left to data controllers in setting deadlines for data storage or in determining how and when to restrict the rights of data subjects - for example, when they will refuse such a person's request for access. It also happens that, unlike in the area covered by GDPR, the powers of the supervisory authority are too weak, and this is a problematic issue. These are some of the major problems that came up.


          The civil society contributes greatly to the level of personal data protection in law enforcement


          In your opinion, how can civil society help to ensure that the standards of the Law Enforcement Directive are adequately applied in Serbia as well? What contribution are we expected to make?


          I think the civil society plays a major role. First of all, not much attention is paid to this topic in public. If you can raise awareness for these topics in the public debate, this is already a big deal. There is a lot of talk now about personal data protection, but mostly about GDPR and what happens in relations between individuals and large companies whose services they use. Most of the debate is focused on that - on Facebook, WhatsApp, Google.


          These are some topics that intrigue the public, although ultimately most individuals look at what is the easiest option for them and do not think enough about the consequences. More work needs to be done, but at least people talk about it. There is little talk about the LED in the European public, and I suppose in the Serbian one too, so I think that raising awareness is very important and the civil society can make a big contribution.


          Another thing the civilian sector could do is to get involved in strategic litigation. This means that there are certain individuals who serve as “test cases.” There is a case where one person sought access to his or her data and was refused, with an unclear justification. Then one should try to use all these safeguards, or even start a targeted lawsuit against known systemic violations, against which no one takes action.


          The third way in which the civilian sector can contribute is to put pressure on the supervisory authorities. Because supervisory bodies, depending on their composition, capacity and management, often shy away from being more involved in what is going on in the police or other law enforcement bodies, as they feel weaker towards them. Then they are reluctant to conduct a true oversight and to use corrective measures against those bodies.


          It is much easier for the supervisory authority to go to a private company, carry out an inspection and impose safeguards or sanctions, rather than going to the police. The civil society has an important role to play - to point to the reluctance and weakness of supervisory bodies and thus pressure them to become more engaged in that part of their work.


          In Serbia, on the other hand, oversight bodies have been willing, at least thus far, to conduct oversight, criticize problems, as well as to take necessary measures  and propose solutions. However, the institutions subject to oversight have denied them access to information.


          In the first part of the interview read how the law enforcement authorities should protect personal data they control, why they require specific rules, and why is European legislation in this area important for Serbia.


        • Tags: personal data protection, police directive, eu, police cooperation, Jelena Pejic Nikic
    • Post a comment

    • See all comments