Data sharing by EU law enforcement: beware of mission creep

The purpose of the Communication is to look at existing mechanisms for the exchange of data between EU member states, specifically for law enforcement and migration management purposes, and to make recommendations on how they might be improved. The EDPS accepts the principle, and "acknowledges that a better exchange of information is an essential policy goal for the European Union in the area of freedom, security and justice." He also welcomes a general commitment to uphold the European data protection principles, and is particularly pleased that the proposals do not foresee a requirement for any new databases, but essentially a more efficient use of what is already available.

He does, however, make one very clear warning that is worth considering in detail:

“There is a general and growing tendency to grant law enforcement authorities access to available data which were, are or will be initially collected and processed for purposes that are not related to the combat of crimes and which concern individuals who in principle are not suspected of committing any crime...

"The availability of an increasing amount of information outside the law enforcement area as well as the use of new powerful IT tools by law enforcement authorities contribute - to a certain extent - to the current ongoing shift from a surveillance of individuals that are suspected of having committed or having taken part in a criminal offence or regarding whom there are reasonable grounds based on factual indications that they will commit criminal offences to a more general surveillance where all individuals may be considered a priori as potential law breakers, and for that reason subjected to surveillance."

This is a general warning that clearly goes beyond the scope of the current Communication, since he describes an 'ongoing shift' from targeted surveillance to general surveillance of everyone. He is effectively talking about the use of big data analytics across multiple databases, whether they are law enforcement’s own databases or publicly available social network databases, even though this contravenes the data protection principles of proportionality and limited purpose.

It is noticeable that he makes a strong case on the danger of this potential mission creep even though he ‘appreciates’ that, “the Communication also recalls that necessity tests and purpose limitation are essential.”

The parallels between the EDPS warning and the UK’s Communications Data Bill – now in limbo following the deputy prime minister’s threatened veto, but not officially dead – will not be missed in the UK. In fact, the Communications Data Bill could be viewed as the effect of what concerns the EDPS: law enforcement surveillance mission creep. Coincidentally, just a couple of days before his Opinion, the Open Rights Group published a separate report: Digital surveillance – Why the Snoopers’ Charter is the wrong approach.

The content resonates with the EDPS warning. “Some of the information about our connected lives is not legally available to law enforcement,” it concludes. “Through mistakes or abuse, the use of such information can lead to anything from wrongful suspicion through to the settling of scores... Just because information is useful to law enforcement does not mean that the state, or law enforcement agencies, or public bodies should be able to order its collection or have access to it.”

The message from the EDPS Opinion is that intra-Union data sharing is good and useful, but should not expand into general unwarranted population surveillance – presumably of the type envisaged by the Communications Data Bill.
