Seminar 11+12 - Data protection in the context of police and criminal justice Flashcards

1
Q

What are the relevant provisions?

A

GDPR Art. 2: Scope
LED art. 1(1): Subject-matter
LED art. 2: Scope
LED art. 4: Principles
LED art. 8: Lawful grounds for processing
LED art. 10: Processing of special categories of personal data
LED art. 12-18: Rights of the data subject
LED art. 19: Obligations of the controller
LED art. 20: Data protection by design and by default

2
Q

GDPR Art. 2(2)(d): Is the GDPR applicable to processing by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences?

A

No. That is instead governed by LED Directive 2016/680 (recital 19).

3
Q

What is the main difference between GDPR and LED?

A

Whereas the GDPR is a regulation and therefore has general application (is binding in its entirety and directly applicable in all Member States), the LED is a directive which has to be implemented in individual Member States.

4
Q

What is the purpose of the LED?

A

The LED deals with the processing of personal data by data controllers for ‘law enforcement purposes’.

5
Q

Who is the competent authority under the LED?

A

Any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

6
Q

When does LED not apply?

A

○ a) outside the scope of Union law or

○ b) Union institutions and bodies

7
Q

Does the LED contain the principle of transparency?

A

No. The directive does not contain the principle of transparency, and the principles of data minimization and purpose limitation need to be applied flexibly in security-related processing.

8
Q

What are the grounds for processing personal data? (LED)

A

● Art. 8: Processing is lawful only when it occurs to the extent necessary to perform the relevant task (one option in LED, six options in GDPR)

9
Q

What are the grounds for processing sensitive data? (LED)

A

● Art. 10: If the data are sensitive personal data, processing must be strictly necessary (three options in LED, ten options in GDPR)

10
Q

What is the difference with regard to consent in the LED vs. the GDPR?

A

Personal data cannot be processed on the basis of consent (contrary to GDPR) – the legal basis must be found in LED art. 8 or 10.

11
Q

What is different with controllers in LED vs. GDPR?

A

Data controllers are competent public authorities (contrary to GDPR, where “everyone” can be a controller).

12
Q

What is the EU-US Umbrella Agreement?

A

● It covers all processing of personal data necessary for the prevention, investigation, detection, and prosecution of criminal offences, including terrorism.

13
Q

What does the e-Privacy Directive apply to?

A

○ i) telecommunication operators,
○ ii) who transmit electronic communication between communicating parties and who are able to store and process data regarding this communication

14
Q

In what case was the Data Retention Directive declared invalid?

A

DRI case

15
Q

In the absence of specific legislation on data retention, as an exception to the confidentiality of telecommunications data under Directive 2002/58/EC (E-Privacy Directive), telecommunications data can be retained, but must be solely for the purpose of what?

A

Fighting serious crime, cf. E-Privacy Directive art. 15.

16
Q

What is the DRI case about?

A

(Data Retention Directive invalidated.)

The European Court of Justice (ECJ) held that a European Union directive requiring Internet Service Providers (ISPs) to store telecommunications data in order to facilitate the prevention and prosecution of crime was invalid under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

○ The ECJ deemed the directive legitimate in its aim of fighting serious crime, but it did not pass the proportionality test applied to evaluate the appropriateness of the measures undertaken to achieve the goal.

17
Q

How fast should the controller notify the supervisory authority if a personal data breach occurs?

A

If a personal data breach does occur, then controllers must notify the supervisory authority within three days.

18
Q

How fast should the controller notify the data subject if a personal data breach occurs?

A

The personal data breach must also be communicated to the data subject “without undue delay” where the breach is likely to result in a high risk to his or her rights and freedoms.

19
Q

What is the Prüm Decision?

A

The Prüm Decision aims to help signatory Member States improve information sharing for the purpose of preventing and combating crime in three fields: terrorism, cross-border crime and illegal migration.

20
Q

What was the Tele2 case about?

A

Tele2 raised the question of whether the mere retention of traffic and location data, as seen in the legislation concerned in the Swedish case, complied with Article 15(1) of the e-Privacy Directive read in light of Articles 7, 8, 11, and 52 of the Charter, irrespective of the existence of sufficient safeguards surrounding access to the retained data.

In sum, pursuant to Article 15(1) of the e-Privacy Directive, Member States may adopt national data retention provisions only in so far as they are strictly necessary and proportionate.

Given the seriousness of the interference, only the objective of fighting serious crime is capable of justifying it.

21
Q

Does the DPD contain the principle of transparency? And why?

A

No. The directive therefore does not contain the principle of transparency.

For instance, providing data subjects with the same level of protection in terms of rights to information, access to, or deletion of their personal data as under the General Data Protection Regulation could mean that any surveillance operation carried out for law enforcement purposes would become ineffective.

22
Q

What is the role of the DPO?

A
  1. Monitors compliance with the directive
  2. Provides information and advises employees who carry out data processing of their obligations under data protection legislation.
  3. Contact point for the supervisory authority.
23
Q

Joint information systems that have been established at the EU level for cross-border information exchanges between the competent police and judicial authorities.

Name 3 of them?

A

Important examples are:

1) the Schengen Information System II (SIS II),
2) the Visa Information System (VIS)
3) Eurodac, a centralised system containing the fingerprint data of third-country nationals and stateless persons applying for asylum in one of the EU Member States.

24
Q

Does the e-Privacy Directive cover both the retention of data and access to that data?

A

Yes. The e-Privacy Directive covers both the retention of data and access to that data.

25
Q

What is the purpose of the e-Privacy Directive?

A

To regulate the right to privacy and confidentiality in the electronic communications sector, as well as the activities of providers of electronic communications services.