Letter of support on data protection in the framework of police and judicial cooperation in criminal matters to the European Data Protection Supervisor Peter Hustinx


1. Background 

On November 27, 2008, the Council of the European Union adopted, three years after the initial Commission proposal [1], the Framework Decision on the protection of personal data processed in the procedures of police and judicial cooperation in criminal matters. [2] The Framework Decision contains the first general data protection instrument for police and judicial co-operation in criminal matters. Negotiations on this very important piece of legislation took long because of severe criticisms by the European Parliament, the European Data Protection Supervisor, the Article 29 Working Party on data protection, and civil society. Initially the European Council did not seem to pay enough attention to these criticisms. [3]

Letter of support on data protection 1There is a close connection between the general personal data protection instrument and the proposal for a Framework Decision on the exchange of information under the principle of availability. [4] The principle of availability was introduced by the so-called “Hague Programme” and simply means that information that is available to law enforcement authorities in one EU Member State should also be open to equivalent authorities in other EU Member States. Information needed for the fight against crime should cross the internal borders of the European Union without obstacles. The information must be exchanged as swiftly and easily as possible between the authorities of the EU Member States and preferably by allowing direct on-line access. The availability principle, however, could not have been implemented before the general data protection instrument was in place.

The European guardian of personal data protection, the European Data Protection Supervisor (EDPS) Peter Hustinx sees the adoption of the data protection framework for police and judicial cooperation only as a first step towards a complete data protection regime in the field of police and judicial co-operation. [5] The EDPS issued three opinions as well as comments on the general data protection framework for police and judicial cooperation. [6] He specifically warned against a dilution of data protection standards.

2. Concerns 

Letter of support on data protection 2CEPIS supports the concerns expressed by the EDPS with regard to the general data protection framework for police and judicial cooperation. [5] The EDPS claims that the level of data protection achieved in the final text of the Framework Decision on the protection of personal data in the framework of police and judicial cooperation in criminal matters is not fully satisfactory. He regrets, among other things, that only police and judicial data exchanged among EU Member States authorities and systems are covered. Respective domestic data are not taken care of. Supporting the EDPS, CEPIS therefore urges the Council of the European Union to take further steps to increase the level of protection provided by the new legal instrument.

3. Recommendations

With full credit to the outstanding work of the EDPS, CEPIS would like to support the encouragement of the EDPS for the EU institutions to take part in the reflections on further improvements of the framework for data protection in law enforcement where attention should be paid to the following main issues:

1. Inclusion of domestic data into the scope of the framework decision; given the heterogeneous national legislations on data protection, some domestic legislations are far stricter and more protective than the one established by the framework decision. Consequently, an exception seems reasonable on the application of the framework decision when the domestic legislation is stricter than the framework decision.

2. Need to distinguish between different categories of data on subjects, such as suspects, criminals, witnesses, and victims, to ensure that respective data are processed with more appropriate safeguards.

3. Ensuring an adequate level of protection for exchange of personal data with third countries under common EU rules.

4. Providing consistency with the first pillar's Data Protection Directive 95/46/EC, in particular by limiting the purposes for which personal data may be further processed. [7]

 

References

[1] Proposal for a Council Framework Decision on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters {SEC (2005) 1241} (presented by the Commission), Brussels,4.10.2005, COM (2005) 475 final, 2005/0202 (CNS).

[2] Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, Official Journal L 350, 30/12/2008, p. 0060 – 0071.

[3] See for an overview of this controversy: Statewatch: Observatory on data protection in the EU, the protection of personal data in police and judicial matters, full-text documentation on all the secret discussions in the Council, updated 24 September 2008; http://www.statewatch.org/eu-dp.htm; about the third pillar, see European Data Protection Supervisor: “A Framework in Development: Third Pillar and Data Protection", May 12, 2006; http://www.edps.europa.eu

[4] See the initial Proposal for a Council Framework Decision on the exchange of information under the principle of availability (presented by the Commission) {SEC (2005) 1270}, Brussels, 12.10.2005, COM (2005) 490 final, 2005/0207 (CNS). See also: European Data Protection Supervisor: Opinion of the European Data Protection Supervisor on the Proposal for a Council Framework Decision on the exchange of information under the principle of availability (COM (2005) 490 final), February 28, 2006; Press release, The availability principle: EDPS wants the exchange of police information to be introduced more cautiously, EDPS/06/02, March 1, 2006; http://www.edps.europa.eu.

[5] See European Data Protection Supervisor: Press Release, EDPS sees adoption of Data Protection Framework for police and judicial cooperation only as a first step, November 28, 2008; http://www.edps.europa.eu

[6] See European Data Protection Supervisor: Comments of the European Data Protection Supervisor on the recent developments with respect to the Proposal for a Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, October 31, 2007; Press Release, Data Protection Framework Decision: EDPS concerned about dilution of Data Protection standards, September 20, 2007; Press Release, Third pillar data protection: EDPS strongly advises Council not to adopt current proposal without significant improvements, April 30, 2007; Third opinion of the European Data Protection Supervisor on the Proposal for a Council Framework Decision on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters, April 27, 2007 (2007/C 139/01); Press Release, EDPS: Making the Treaty of Prüm applicable to the whole EU requires a proper general data protection framework, April 11, 2007; Second opinion of the European Data Protection Supervisor on the Proposal for a Council Framework Decision on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters (2007/C 91/02), November 29, 2006; Press Release, EDPS warns Council not to lower EU citizen’s rights in third pillar data protection, November 29, 2006; European Data Protection Authorities insist on high data protection standard in Third Pillar, November 2, 2006; Opinion of the European Data Protection Supervisor on the Proposal for a Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (COM (2005) 475 final) (2006/C 47/12), December 19, 2005; Press Release 'A considerable step forward': EDPS Opinion on the proposal for a framework decision for data protection in the third pillar, December 15, 2005; http://www.edps.europa.eu

[7] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281, 23/11/1995, p. 0031-0050; http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML

 

Click here to download the full letter