The way some of your most sensitive data which, if processed carelessly, could lead to the most serious consequences for you, is being dealt with almost no attention of the media and the general public. Outside the spotlight of the General Data Protection Regulation (GDPR), the Directive for Law enforcement agencies (LEDP) seems not to have for some the charisma of the Regulation.
However, the Directive contains numerous loopholes which, if not carefully addressed, will undermine the already fragile data protection regime. The Council of the European Union version of the text (the so-called “general approach” text) was published on 9 October 2015, and the (always opaque) trilogue negotiations are now underway. The goal of the trilogues is to reach an agreement at the end of December 2015, in line with the foreseen calendar for the GDPR.
The Directive’s original goal was the protection of personal data in the context of the use by “competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties”. That was the scope until the Council added to its version a mention “safeguarding against and the prevention of the threats to public security”. Although this wider scope could be positive in the sense that it could fill some gaps provided by the exceptions in the GDPR, it is not clear what types of activities will be covered, within the limited EU legal competences in this matter. For example, it is not clear whether or how it will relate to any activities of intelligence agencies that fall outside of EU legal competence, but where the EU itself, for example through Europol, is increasing its activities. If these activities performed by intelligence agencies will be covered to any extent by the Directive, the question that follows is what the consequence would be for the data gathered pro-actively and/or in bulk on people who are not linked to any criminal activity, contrary to the protection of fair trial rights in Art. 6 ECHR and Art. 47 of the Charter of Fundamental Rights of the European Union. The Directive gives no hint to solve this, or other similar questions.
One of the most worrying aspects is that current articles on lawful processing (7 and 7a) could allow massive transfer of data from law enforcement agencies in the Member States (inside the Directive’s scope) to the respective national security agencies (outside the Directive’s scope). Bearing in mind that some national agencies have a tendency to engage in international data transfer practices with other agencies both inside and outside the EU, the alarms should be ringing already in the heads to those involved in the trilogue negotiations. As the European Parliament (EP) stated in its resolution on the surveillance of EU citizens that was passed on 29 October 2015, the Commission must “immediately take the necessary measures to ensure that all personal data transferred to the US are subject to an effective level of protection that is essentially equivalent to that guaranteed in the EU”. These precautions need to be inserted in the Directive.
The recitals and the definitions do not bring the clarification that the text requires. For example, Recital 16 includes a reference to “data rendered anonymous in such a way that the data subject is no longer identifiable”, which by definition would not be personal data and therefore (obviously) would fall outside the Directive and the Regulation. Later on, in the definitions, health status relates in some parts of the Directive only to the current health status (Article 3), while in another part (recital 17) it relates to “past, current or future” health of the individual. More worryingly, the “national security” lacks the definition called for in the aforementioned resolution of the Parliament. Furthermore, the distinction between activities related to “public security” and “national security” should be clarified in the recital.
In line with what is happening in the Regulation, profiling protections are also weakened in the Directive. Although there is a general prohibition of using sensitive data when doing profiling, the provision lacks sufficient safeguards, and profiling is only covered under the Directive when this is done in a fully automated process. Anything that is not “fully” automated falls outside the protection of this safeguard.
The Directive, as it stands today, has a significant list of worrysome aspects that need to be re-defined and clarified. The negotiators in the trilogues need to decide now if they want to aim for a Directive that includes loopholes which could weaken the new data protection regime, or to strive for the data protection regime which is needed to guarantee the fundamental right to privacy in Europe.
EDRi analysis of the European Commission’s original proposal for the Directive
EDRi: General Data Protection Regulation: Document Pool
EDRi: The Data Protection Archive
Mass surveillance: EU citizens’ rights still in danger, says Parliament (29.10.2015)
(Contribution by Diego Naranjo, EDRi)