
 

Scope of application of the different data protection instruments

In the last decade there has been a lot of debate on the processing of personal data in the framework of police and judicial cooperation in criminal matters. The Council of Europe already recommended in 1998 the adoption of an additional instrument with regard to data collected and processed for the purpose of suppressing criminal offences. Since then several legislative developments have taken place within the European Union. A Council Framework Decision on the exchange of information and intelligence between law enforcement authorities of the Member States was approved in 2006 (Council Framework Decision 2006/960/JHA of 18 December 2006 on simplifying the exchange of information and intelligence between law enforcement authorities of the Member States of the European Union). In 2007, two political agreements were reached: one on the integration of the Prüm Treaty into the European Union framework (Initiative of the Federal Republic of Germany on the stepping up of cross-border cooperation, 9 November 2007) and one on a general framework on data protection in the third pillar (Proposal for a Council Framework Decision on the protection of personal data processed in the third pillar, 11 December 2007). However, the multitude of initiatives increases the level of complexity of the legislation and the risk of creating loopholes in the protection. The different level and nature of crime in the different countries, as well as the varying pressing social needs, result in substantial differences between European countries in the dividing lines between data protection, criminal procedure and rules organising the police (Stepping up of cross-border cooperation, procedure file on the Prüm Treaty, 2007), which hinders the approval of uniform rules at international level. In the remainder of this section we will take a closer look at the legislative instruments for data protection in the third pillar.

 

Criminal data as personal data

This chapter focuses on criminal data, i.e., data which are collected and processed for the purpose of suppressing criminal offences. This includes not only the data gathered in the course of a criminal investigation where there are reasonable grounds for suspicion against an individual but also data collected for purposes of criminal intelligence. 

Data protection legislation will only apply to processing that involves the analysis of personal data. This concept refers to any information relating to an identified or identifiable natural person (the so-called “data subject”). According to the EC Directive on Data Protection (Directive 95/46/EC) an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person (Recital 26). It follows that ‘what is of legal importance is the capability or potentiality of identification rather than the actual achievement of identification.’

Especially in the case of forensic data matching techniques, it might quite frequently be unclear whether the data involved could be qualified as personal data. Such retrospective profiling will often involve evidence from the crime scene that is not related to individuals, which could consist of digital footprints, photographs of the scene, etc. However, according to the interpretation of the Working Party 29, when the data processing only makes sense if it allows the identification of specific individuals and treatment of them in a certain way, it should then qualify as processing of personal data. All forensic profiling would thus fall under the scope of application of data protection legislation.

 

Data protection instruments applicable to forensic profiling

Directive 95/46/EC, the so-called “data protection directive”, exclusively applies to Community Law, i.e. it excludes processing operations concerning public safety, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law. It follows that police files will be excluded from its scope of application. However, criminal data processed by private companies or other public authorities will be included. This will be particularly the case when legal provisions mandate the retention of specific data for law enforcement purposes, e.g. the obligation imposed on Internet Service Providers by the Data Retention Directive (Directive 2006/24/EC) to retain communication data, before they are transferred to law enforcement authorities.

Police files are not, however, left without any protection as long as both Article 8 of the European Convention of Human Rights (hereinafter referred to as “ECHR”) and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS n°108, hereinafter termed ‘CoE Convention’) remain fully applicable. The legitimacy of intrusions in the right to privacy will be assessed against the criteria set up by Article 8 ECHR and the jurisprudence of the European Court of Human Rights. Such intrusion should be in accordance with the law and necessary in a democratic society in the interests of, amongst others, national security, public safety or for the prevention of disorder or crime. The CoE Convention establishes a series of data protection principles which have inspired most European data protection systems, including the Data Protection Directive. The convention gives clear and precise indications on the purpose to be achieved by each principle, but leaves to each Party the definition of the best way to implement its principles into national law.

In application of this Convention, the Council of Europe has adopted a specific recommendation on the use of police data (Council of Europe, Recommendation nº R (87) 15, 17 September 1987) which translates the general principles set up by the Convention into more specific guidelines applicable to processing for law enforcement purposes. Both norms are referred to by other instruments regulating law enforcement activities and constitute the frame of reference.

Finally, three Council Framework Decisions more specifically related to the exchange of personal data within EU Member States should be mentioned:

-    The Council Framework Decision 2006/960/JHA of 18 December 2006 aims at regulating the exchange of information and intelligence between law enforcement authorities of the Member States. It covers any type of information or data which is held by law enforcement authorities, or by public authorities or private entities, and which is available to law enforcement authorities without taking coercive measures. It does not, however, contain specific provisions on data protection but relies on the existing national legislation, transposing the CoE Convention and the Recommendation R (87) 15 and the principle of mutual recognition.

-    The Council reached a political agreement in June 2006 on a Decision on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime. This Decision contains provisions based on the essential parts of the Prüm Treaty and is designed to improve the exchange of information between authorities responsible for the prevention and investigation of criminal offences. To this end, the Decision contains rules in the following areas:

  1. On the conditions and procedure for the automated transfer of DNA profiles, dactyloscopic data and certain national vehicle registration data;

  2. On the conditions for the supply of data in connection with major events with a cross-border dimension; 

  3. On the conditions for the supply of information in order to prevent terrorist offences, and on the conditions and procedure for stepping up cross-border police cooperation through various measures (Stepping up of cross-border cooperation, procedure file on the Prüm Treaty).  

The decisions refer to the CoE Convention and the Recommendation R (87) 15 and complement this framework by sector-specific rules.

-     The draft framework decision on data protection in the third pillar (Proposal for a Council Framework Decision on the protection of personal data processed in the third pillar, 11 December 2007) intends to regulate the exchange of personal data between European law enforcement authorities, setting up a series of data protection principles applicable to third pillar activities. However, it fails to provide a comprehensive set of rules applicable to third pillar activities in the same way as the Data Protection Directive did in the first pillar, and it contains major derogations to data protection principles. Furthermore, the Working Party on Police and Justice recently stressed “that for certain aspects the current text of the proposal does not provide for the same level of protection as defined in Convention 108. This certainly seems to be the case with the provision on the further use of data received from a Member State (Articles 3 and 12) and the right of access (Article 17)”.

 

 
