Title: RE-USE OF PERSONAL DATA

The interconnection of databases raises the problem of the re-use of personal data originally collected for one purpose for a different one. The personal data can be obtained from other police databases either internal or external to the law enforcement bodies carrying out the investigation, or from private databases held by private companies (financial information, communication data, etc.). 

Principle 2 of the Recommendation R (87)15 states that the collection of personal data for police purposes should be limited to such an extent as is necessary for the prevention of a real danger or the suppression of a specific criminal offence. Furthermore, in accordance with Article 5 of the CoE personal data undergoing automatic processing shall be stored for specified and legitimate purposes and not used in a way incompatible with those purposes. In case the second purpose cannot be acknowledged as compatible, it will form a different processing from the original ones and should be grounded on a different, explicit and legitimate purpose. Derogations are foreseen when it constitutes a necessary measure in a democratic society in the interests of protecting State Security, public safety or the suppression of criminal offences (Article 9). These principles will apply in a different way depending on the source of the data and the purpose of the processing. 

Personal data obtained from other internal police databases 

The question which immediately pops up when discussing the re-use of personal data is whether personal data collected within one criminal investigation could be used in another. When, from the data collected within an investigation, there are enough indications to base a reasonable suspicion to investigate a new unrelated offence, the processing of such data will be deemed compatible .  

However, the question of the compatibility of further use of such personal data for the solution of possible future offences is more complicated and will depend highly on the balance made in each national legislation. When the personal data, e.g. fingerprints or photographs, relate to a suspect or a person who is convicted afterwards their conservation for possible future offences may be considered as compatible. The Council of Europe however notes that “there is however divergence with regard to the necessity of deleting such data in cases of acquittal by lack of evidence though the suspicion remains. But it is less questionable when somebody’s innocence has been established. The conservation of personal data related to persons other than the suspect or the convicted person should be deleted, their further use would be deemed incompatible, unless a legal basis exists to ground such conservation or processing.” 

In that sense, the Council of Europe has recommended that “any power to perform a general data surveillance check or matching for the purposes of the suppression of crime on the basis of police data gathered in the course of criminal investigations on the basis of vast amounts of persons possibly completely unrelated to any crime, be limited to specific cases described in the Code of Criminal Procedure and be granted on the basis of a specific mandate of the judiciary.” 

Personal data obtained from police databases held by law enforcement authorities from other Member States 

A different problem arises when the personal data are obtained from another law enforcement authority. The CoE Recommendation R (87) 15 already has set up rules for the communication of personal data between law enforcement authorities. However, in 2007, three different Council framework decisions regulating this topic have been approved or agreed on. 

The Framework decision on personal data in the third pillar first limits further processing of the data to compatible purposes provided that the law enforcement authority is entitled by a legal provisions to carry out such processing and finally that this processing is necessary and proportionate (Article 3). However, in the words of the European Data Protection Supervisor, “article 3 is far too broad and does not cover an appropriate limitation of the purposes for storage, also required by Article 5(b) of Convention 108, mentioned above. The general reference to the purposes of Title VI of the EU-Treaty can not be seen as specified and legitimate purposes. The purpose of police and judicial cooperation is not by nature legitimate, and certainly not specified. Article 3 does not contain any derogation as would be possible pursuant to Article 9 of Convention 108. However, Article 12 of the proposal lays down a very broad and not clearly defined series of derogations to the purpose limitation principle in the context of personal data received from or made available by another Member State. In particular, the condition that derogations shall be necessary is not explicitly laid down in the article.” Therefore, the EDPS stresses “that this broad and open derogation does not fulfil the basic requirements of adequate data protection and even contradicts the basic principles of Convention 108.” 

With regard to criminal intelligence data, the Council Framework Decision 2006/960/JHA of 18 December 2006, despite referring to the aforementioned Recommendation, specifies that information and intelligence provided under its provisions may be used by the competent law enforcement authorities of the Member State to which it has been provided solely for the purposes for which it has been supplied or for preventing an immediate and serious threat to public security. Processing for other purposes should be permitted solely with the prior authorisation of the communicating Member State and subject to the national law of the receiving Member State. Finally, when providing information and intelligence, the providing competent law enforcement authority may pursuant to its national law impose conditions on the use of the information and intelligence by the receiving competent law enforcement authority. The Decision on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime implements indirect access to the personal data through reference data. It contains similar provisions to the Decision 2006/960/JHA. Article 26(1) 1) allows processing for other purposes only if this is permitted under the national law of both the supplying and the receiving Member State. 

Personal data obtained from private companies 

As pointed out by the European Data Protection Supervisor, “there is now a trend to impose cooperation for law enforcement purposes on private actors on a systematic basis” (Opinion on the draft Proposal for a Council Framework Decision, EDPS, 20 December 2007). Several Directives foresee mandatory retention of specific data collected by the private sector in the course of its commercial activity to be used for law enforcement purposes. One of those directives, for instance, is the EC Directive 91/308/EEC, of 10 June 1991 on prevention of the use of the financial system for the purpose of preventing criminal offences, whose article 6 compels to the retention of certain financial data. These data are collected for the suppression of a specific category of crime, irrespective of the fact if the persons are subject of a reasonable suspicion of committing these crimes. These data should not be used for other purposes, unless explicitly permitted by the law. As highlighted by the Council of Europe, “for a specific area there is thus general data surveillance of the population for the purpose of the suppression of a specific form of crime according to specific criteria. The question to be answered is whether and to what extent the police have access to the data gathered”.

In that sense, the Council of Europe recommends these processing to be explicitly covered by legal provisions defining the criteria and the purposes .  

Storage of personal data

Now that we have explored the accuracy (section ) and the re-use (section ) of personal data, we turn to a final crucial issue with regard to the interconnection of police databases: the storage of personal data.

Personal data should be preserved in a form which permits the identification of the data subjects for no longer than is required for the purpose for which those data are stored. This obligation is difficult to apply in the specific case of criminal intelligence. An example which exemplifies this difficulty is to be found in the EU draft Proposal for a Council Framework Decision on the use of Passenger Name Record (PNR) data for law enforcement purposes (Proposal for a Council Framework Decision on the use of Passenger Name Record (PNR) data for law enforcement purposes, European Commission, 22 October 2007) which foresees the retention of the PNR data for a period of 13 years. This period is judged excessive by the European Data Protection Supervisor (Opinion on the draft Proposal for a Council Framework Decision, 20 December 2007).

The definition of the period of storage will depend on the purpose of the processing as well as on the status of the data subject (i.e., whether the data subject is a victim, a suspect, a convicted, a witness, etc.). The Council of Europe advocates for the deletion to occur after some years after the last time any relevant data has been added to the record. After this period a periodic review could be realised (as done in article 112 of the Schengen Agreement) and, if there are no reasonable grounds to justify further storage then deletion should be the rule. 

Another important issue resides in the relevance of the personal data processed. The Council of Europe pointed out the fact that “sometimes, the police, in order to do their work properly have to collect vast amounts of data either by downloading computers during searches in premises, by intercepting communications or by searching the emails of criminals. The storage can only be justified for the time needed to find out that they are really unrelated, unless other compatible use or other use explicitly permitted by law come in view” In the Campbell case, the European Court of Human Rights judged that ‘the existence of facts or information (should) satisfy an objective observer’ that there is reasonable cause to use such data for the purpose of combating crime (Campbell v. United Kingdom, European Court of Human Rights, 1992).