Europe’s current data protection proposals come in two parts: the General Data Protection Regulation (GDPR) which primarily affects the relationship between business and personal data, and a separate directive affecting the relationship between law enforcement and personal data. The European Data Protection Supervisor (EDPS) has always expressed a preference for a single regime based on the GDPR so that law enforcement would be bound by the same legal construct as business in order to avoid the possibility of contradiction between the two regimes.
This has not happened. Under a directive individual nations states can implement the EC’s requirements in their own way. Europol, the EU Agency for Law Enforcement and Training, is different since it is a European rather than national agency. As such, its regulations are set centrally by the Commission rather than by individual member states. The EDPS yesterday published his official ‘Opinion’ on the Commission’s proposal for a new legal framework for Europol.
The danger for data protection principles is that law enforcement is all about gathering and analyzing personal information. Where a transnational agency is concerned, the requirement becomes one of amalgamating data from multiple databases from multiple law enforcement sources; and the potential for an abuse of personal data becomes that much greater. While his Opinion includes numerous recommendations designed to further strengthen the EC’s existing proposals, EDPS Peter Hustinx stresses that this will improve rather than hamper the work of Europol. “A strong framework of data protection is important not only for those under suspicion or involved in an investigation,” he says, “but also contributes to the success of police and judicial cooperation.”
His argument is that the validity of criminal investigations relies on the quality and integrity of the data collected. Respecting data protection principles can therefore help reinforce the reliability of such evidence, making a successful conclusion to the investigation more likely while simultaneously affording more protection to the innocent. To achieve this, he suggests, “in practice this means that Europol should collate personal information for specific investigations only... [and] the effective supervision of Europol is needed to ensure that it operates in full compliance with the stringent case law of the EU Court.”
If this principal were applied at a national level, it would imply disapproval of the UK’s draft Communications Data Bill which intends to collect all communications traffic data at all times; without the need for a court order and therefore not necessarily related to any specific investigation. (The future of the Bill is uncertain following its rejection by the Deputy Prime Minister and leader of the Lib-Dems Nick Clegg; but it is commonly believed that the Conservative Party is unwilling to abandon it.) The UK government has claimed that traffic data is different to content, suggesting that it is not so personal. It is noticeable, however, that the EDPS specifically says, “details such as health data, data used for evaluation purposes and traffic data on the use of telephone, email or internet are also considered personal data.”
This is an example of why he would prefer a single Regulation across Europe for all data protection: since national law enforcement proposals are a Directive that can be implemented according to national conditions, there is a potential for conflict between different rules – in this case, UK law enforcement agencies would not be bound by the same rules that bind Europol.
The EC’s proposals are that the EDPS is to supervise Europol’s compliance with the data protection rules. This Opinion is the EDPS’ attempt to fine tune those rules to avoid the need to supervise something he doesn’t believe to be sufficiently stringent. He is particularly concerned that the rules for Europol are “at least as high as that which is prescribed in the current data protection framework” – echoing a growing concern that the new wider data protection proposals could ultimately weaken rather than strengthen existing data protection in Europe.