Title: ADEQUATE REMEDIES

The aforementioned article 20 of the Framework decision on data protection in the third pillar stipulates that the data subject must have the right to seek judicial remedy for any breach of the rights guaranteed to him by the applicable national law. The data subject should be compensated for the damages resulting from an unlawful processing operation or any act incompatible with the national provisions adopted pursuant to the framework decision.  

The definition of appropriate remedies and compensation are let to the domestic legislations. Such remedies should complement the protection granted to the data subject against automated decisions with harmful consequences, such as the possibility to contest the decision, i.e., its result, its logic, the accuracy of the data used for the processing. Indeed, even if this specific safeguards introduced by article 15 of Directive 95/46/EC is not translated to article 8 of the Framework Decision, it participates from the principle of transparency, empowering the data subject to exercise his scrutiny upon the processing of personal data, principle at the core of any data protection legislation. It thus appears important to define the ways how these guarantees could be implemented in the specific field of risk profiling. 

Adequate judicial remedies may be of particular importance against abusive use of Passenger Name Record (PNR) for law enforcement purposes as foreseen by the Proposal for a Council Framework Decision. The use of the PNR is not meant for the identification of individuals but to “contribute to carrying out risk assessment of persons, obtaining intelligence and making associations between known and unknown people” (Proposal for a Council Framework Decision on the use of Passenger Name Record (PNR) data for law enforcement purposes, European Commission, 22 October 2007). The purpose is “to identify persons who are or may be involved in a terrorist or organised crime offence, as well as their associates” (article 3(5)). Recital 9 of the proposal states explicitly that data must be kept for a sufficiently long period as to fulfil the purpose of developing risk indicators and establishing patterns of travel and behaviour 

This proposal excludes the possibility of enforcement actions taken by the automated processing of PNR data or by reason of a person’s race or ethnic origin, religious or philosophical belief, political opinion or sexual orientation. However, it does not exclude the automated filtering of individuals according to standard profiles, nor does it prevent the automated constitution of lists of suspected persons and the taking of measures such as extended surveillance (Opinion on the draft Proposal for a Council Framework Decision, EDPS, 20 December 2007).

It will thus be necessary to implement adequate and efficient legal remedies to prevent data subjects becoming the victim of mistakes or abuses in such situations. In that sense, Steinbock argues for an elaborate system which would keep a balance between opaqueness and transparency. Instruments in such a system would be not only independent oversight but also e.g. summary hearings, post-deprivation correction rights and compensatory damages .

Instead of Due Process: Due Processing

As was made clear above the difficulty of regulating forensic risk profiling in a way which is in accordance with the requirements of a constitution democracy, is that it is a technique which is almost intrinsically opaque (or even completely invisible) for the data subject who is subjected to it. This makes it hard for the data subject to contest the rightfulness of the processing of his data in court.

An alternative approach might be to acknowledge the specific character of forensic risk profiling – a practice somewhere in between ‘a regulative policy’ and ‘a step within an investigative process subjected to control by the judicial system’ –and the impossibility to address it in a classical due process way because it requires an active, knowing citizen and the possibility of a transparent trial. Next to rights aimed at the individual (due process) legislation could be made in order to have some democratic control on those techniques while they are constructed and applied (due processing):

“…information technology review boards that provide opportunities for stakeholders and public at large to comment on a system’s design and testing. One might imagine information technology consultants working on behalf of advocacy groups who would ensure that testing and audit trails employed by contractors comported with best practices. Such boards also could check the accuracy of information stored in databases [….]. Although finding the ideal makeup and duties of such boards would require some experimentation, they would secure opportunities for interested groups to comment on the construction of automated systems that will have an enormous impact on their communities once operational.”  

Such legislation on due “processing” would provide a democratic control mechanism for forensic risk profiling, without destroying the opaqueness which is needed by the technique to function properly. Independent controlling bodies concerned with such due processing could potentially also stand up for the rights of individual data subject – making due process with respect to forensic risk profiling indirectly a realistic possibility again.

Values guiding the Due Processing: Legitimacy and Proportionality

Post 9/11 has seen greater interest in preventing crime, in contrast to the traditional practice of deterrence by reacting to past acts of antisocial behaviour through the criminal process or otherwise. Some data matching or forensic risk profiling results are now being used not only as a reason to begin or intensify investigation but also as the sole basis for decision.  

The dangers for the individual citizen stem from the fact that “risk is an invention based on imagined fears and on imaginative technologies for dealing with them. (…) In risk society, policing is not just a matter of repressive, punitive, deterrent measures to control those who are morally wrong. It is also a matter of surveillance, producing knowledge of populations that is useful for administrating them. The focus is on knowledge that allows selection of thresholds that define acceptable risks and on forms of inclusion and exclusion based on this knowledge. (…) Everyone and everything is to be made knowable through surveillance mechanisms. Everyone is presumed guilty until the risk profile proves otherwise” (The United Kingdom Parliament, Home Affairs, Third report, 24 May 2007).  

With the help of an independent board such dangers could possibly be lessened. Such a board would need to overlook that the processing is done in accordance with the rights of individual citizens: e.g., the integrity of the data and the strict respect of the purpose principle to guarantee the accuracy, accountability and legitimacy of the processing. However, the evaluation process of such a board could also involve more normative control to assess the legitimacy of the processing. 

The principle of proportionality is a common and constant requirement to ground the validity of any measure restrictive of fundamental rights. To assess the legitimacy of the processing against fundamental data protection principles, the processing should pass the proportionality test: it should be adequate to achieve the goal foreseen (adequacy test), not being possibly replaced by other less intrusive means at least equally efficient (necessity test) and finally to provide sufficient benefits to overcome the negative impact it has on fundamental rights (proportionality test stricto sensu). With regard to this last requirement, as indicated by P. Breyer, “the positive and the negative effects of the measure on individuals and society as a whole must be balanced against each other. This cannot be achieved by means of general considerations on the interests and rights in question, since it is impossible to establish an absolute order or ranking of interests and rights. Instead, it is necessary to determine how useful the measure will actually be, and what harmful effects it will actually have” . The more severe the infringement of privacy, the more important the legitimate objective in each case will need to be. In most cases, the interference will be judged against whether it meets a pressing social need, and the extent to which an alternative, less intrusive interference would achieve the same result.

The legitimacy of risk forensic profiling practices and uses should be clearly defined by a law, as established by article 8 of the Framework Decision. However, this article does provide more indications regarding the safeguards to be implemented to ensure such legitimacy. It lets the difficult tasks to Member States to balance the interests at stake. This may result in important disparities in the protection granted to individuals.  

However, additional safeguards may be put in place in order to ensure an effective application of the principle of proportionality, as it is already taking place in other fields where traditional data protection safeguards seems to struggle to ensure an efficient protection. A possibility thus consists in increasing the role of Data Protection Authorities in the assessment of the legitimacy of the processing as it is already proposed or even installed in other fields, namely processing involving the use of biometric data or originating by video surveillance techniques. Data Protection Authorities may be associated to the implementation of the risk profiling processing controlling its legitimacy, i.e. its conformity with data protection principles, in particular its compliance with the principle of proportionality. Such procedure has already been put in place in Italy with regards to biometrics and video surveillance processing via a voluntary procedure of prior checking.