GENERAL ASSESSMENT OF THE PROPOSED DIRECTIVE
The current situation for data protection in the law-enforcement sector is unsatisfactory. Even though the proposed Directive takes some steps to ameliorate certain aspects of the current framework and would also cover domestic processing, EDRi points out that the proposed rules are too weak in many aspects:
- data subject rights are unduly restricted;
- obligations on controllers are too limited;
- data protection authorities do not have all necessary powers;
- specific rules on the relation with controllers in the private sector are missing;
- safeguards for data transfers to third countries are insufficient;
- the transition periods for adapting current legislation are too long, prolonging the current, unsatisfactory, situation.
The current Framework Decision 2008/977/JHA only sets out weak rules for transfers between competent authorities in the Member States and excludes domestic processing. Additionally, there are a number of specialised instruments regulating specific exchanges. This patchwork is non-transparent and provides insufficient protection. With the entry into force of the Lisbon Treaty, Article 16 of the Treaty offered the possibility to have horizontal rules regulating data protection across all sectors, including law-enforcement, which could help overcome the current fragmentation. However, the Commission decided to propose two separate instruments: the General Data Protection Regulation for the private and most of the public sector, and a Directive for the law-enforcement sector. The choice of a Directive as legal instrument for the law enforcement sector seems to be a reflection of political realities in the Council, where Member States are reluctant regarding greater harmonisation.
Nonetheless, a Directive still offers the potential to improve the status quo by setting out rules not only for transfers, but also for domestic processing, and by overcoming the current patchwork. However, the proposed Directive falls far short of these aims and suffers from many problems.
While EDRi welcomes that the scope of the proposed Directive shall also cover domestic processing, this improvement is mostly formal: in many instances, the rules in the proposed Directive are less precise and offer less protection to individuals than those in the proposed Regulation. So while there would be comparable rules throughout Europe, they would be weak.
Examples of this are data subject rights, the obligations on controllers, and the competences of supervisory authorities. Compared to the Regulation, less information will be given to data subjects, controllers do not have explicit time limits for replying to access requests, the rules on profiling are too weak, and there are no specific rules on the processing of children’s data. Controllers also do not have to demonstrate compliance with data protection rules, as they are obliged to under the Regulation. Finally, the competences of supervisory authorities are weaker than under the Regulation. Each of these aspects is further developed in separate position papers.
Given that the Directive deals with processing of very sensitive data and can have grave impacts on data subjects’ fundamental rights, having such weak protection rules is unacceptable. Of course, there are situations in which (temporary) limitations can be justified, but the core of the rules must be strong and consistent with the Regulation, the EU Charter of Fundamental Rights and the European Convention on Human Rights. There appears to be a real danger that the Directive’s rules with regard to domestic processing would be weaker than current rules in the countries which have the strictest standards. As a result the Directive could lower data protection standards in certain Member States, which cannot be accepted. The European Commission should provide a detailed assessment of its proposed harmonisation through the Directive to guarantee that the Directive does not result in lowering privacy and data protection safeguards.
Failing to have strict standards that are equivalent to the proposed Regulation would not only undermine the protection of the fundamental rights to data protection and private life, but would also lead to additional inconsistencies. There are notable differences between how Member States define the activities of their authorities, for example in matters such as customs, immigration, and environmental affairs. Sometimes these are labelled as law-enforcement, and sometimes as administrative proceedings. This can lead to situations in which the same activity would be covered by the (national legislation implementing the) Directive in one Member State, and by the Regulation in another.
Not only between Member States, but also between sectors, problems remain: one of the most important developments in the law-enforcement sector in the recent past is its increasing reliance on data held by private actors, be it traffic data from telecoms providers, data stored by web hosting providers, or any other data. The rules on how to access such data need to be clear and strict. Yet, such rules are mostly absent from both the Regulation and the Directive. Similarly strong rules are needed for transfers from law-enforcement authorities to other recipients.
Increased transfers to third countries are another important development. Here, the rules proposed in the Directive are not strict enough – for example, they do not specify that data should only be transferred to competent authorities in third countries, opening a loophole for transfers to private controllers – and offer excessive room for derogations.
Even if all these problems were fixed, the Directive would still not comprehensively deal with the current patchwork of data protection rules in law-enforcement matters: Article 59 states that existing instruments in the area should remain unaffected by the Directive, while Article 61 obliges the Commission to evaluate these prior acts within three years of the entry into force of the proposed Directive, and where necessary, make proposals for amendments. International agreements in this area are supposed to be amended, where necessary, within five years of entry into force of the Directive. These grandfathering clauses significantly delay any possible improvements to the data protection framework. In both cases, these periods should be shorter.
As it currently stands, the proposed Directive is mostly a missed opportunity. EDRi provides further analysis of the Directive’s shortcomings and proposes concrete amendments to address them in a series of position papers.