A PROPOSAL FOR THE EU PRIVACY LAW SIMPLIFICATION, SUPPORTING DATA-DRIVEN RESEARCH IN THE LAW ENFORCEMENT FIELD

An article by Luca Bolognini* – l.bolognini@istitutoprivacy.it

*President of the Italian Institute for Privacy; ANITA H2020 Project

I. DATA PROCESSING ISSUES IN LAW ENFORCEMENT RESEARCH

On 10 January 2020 I had the opportunity to take part in a very interesting workshop in Brussels, dedicated to sharing stakeholders’ reflections, views, opinions and best practices concerning the main critical cases of legal restrictions potentially applicable to research data processing in the fight against crime and terrorism. The workshop was promoted and hosted by the European Commission – Migration and Home Affairs.

Many problems and ideas were put on the table and discussed among the participants; most of the points related to the challenge of complying with the general data protection principles (e.g. how to respect the data minimisation or storage limitation principles while training tools and running pilots during a research project focused on law enforcement). A new sectoral Code of Conduct, to be adopted under Art. 40 of Regulation (EU) 2016/679 (GDPR), was proposed as a possible solution to strengthen legal certainty and to standardise technical best practices for anonymisation, pseudonymisation and dataset formats, and I agree with this view.

However, looking closer at this matter, one can see several further open fronts and potential regulatory limitations to be addressed in order to ensure fair and lawful processing of personal data within such sensitive research projects. We should keep in mind that not all of these issues arise directly from the European personal data protection framework. For instance, a violation of any applicable law – not only a data protection-specific law – could result in a domino-effect violation of the general principle of lawfulness under Art. 5.1.a) of the GDPR and Art. 4.1.a) of the Police Directive (Directive (EU) 2016/680), making the personal data processing unlawful. This could be the case where permission to gather data from third parties, including ICT providers such as social networks, is lacking, so that their terms of service and policies are infringed. Moreover, further restrictions could also relate to non-personal data or files, and the game becomes more and more complicated.

I will not address all the issues and burdens that potentially limit or slow down research data processing in the field of law enforcement. Rather, in the next few lines I will try to share some ideas for a surgical, minor – but, I guess, relevant – legislative amendment which could simplify at least one of the numerous critical passages that we discussed at the workshop and have often experienced in our projects.

II. THE POSSIBLE AMENDMENT TO ARTICLE 9 PARAGRAPH 1 OF THE POLICE DIRECTIVE

Typically, research project consortia in the law enforcement sector have partners coming from academia, private industry and law enforcement agencies (LEAs). Of course, when acting as an autonomous data controller for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, a LEA has much more room to gather personal and non-personal data: important exemptions apply in favour of LEAs, both under personal data protection law and under other disciplines (think of Intellectual Property Rights). But this exceptional room is drastically reduced when a LEA collects data merely for research purposes, as normally also happens for controllers other than LEAs.

Paragraphs 1[*] and 2[**] of Article 9 of the Police Directive (Directive (EU) 2016/680) set general restrictions, in terms of legal grounds and lawfulness conditions, on personal data processing in different scenarios (falling under paragraph 1 and/or paragraph 2).

It is quite clear that paragraph 2 of Article 9 will often apply to processing activities that are carried out, from the outset, for purposes other than the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. This case appears a little less complicated in terms of compliance, because it mainly requires a prior legal-basis check: namely, whether, under the law of the specific Member State, the competent authorities are entrusted with the performance of tasks other than those performed for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

Once (and if) such a possibility to perform tasks other than law enforcement (such as research activity) is found in national law and/or in the statutes of the LEA, the challenge will consist in complying with the GDPR. This means that the legal ground for personal data processing for research purposes will also follow the GDPR rules.

More interesting and potentially useful, but complicated, is the case – certainly falling under paragraph 1 of Article 9 – of a LEA aiming to re-use an already collected personal dataset (originally processed for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties) for research purposes. In this case, Directive (EU) 2016/680 adds a further clear restriction, providing that such processing must be authorised by Union or Member State law. So a LEA would not only be required to find, enshrined in Member State law or in the LEA’s statute adopted under national law, the general possibility for LEAs to carry out tasks other than law enforcement (such as research activity); in addition, it would also need to be authorised by an EU or Member State legislative act to process such personal data (previously collected for law enforcement purposes) for research purposes. Today, this legislative authorisation is missing at the EU level and at the national level too.

To make matters worse, a third, implicit set of restrictions will apply to this case falling under paragraph 1: there could be Member State criminal laws restricting the processing and transfer of data/files for research purposes (due to investigative secrecy, confidentiality, etc.).

These three levels of possible restrictions risk making Horizon research activities involving LEAs more and more challenging and, sometimes, almost impossible to complete effectively and successfully. This is particularly true when the research concerns the development of AI, machine learning and big data-driven tools.

In this sense, paragraph 1 of Article 9 of the Police Directive appears too strict, and it should reasonably be simplified in relation to the specific research activity in the field of law enforcement. At least one of the three stages of legal complication could be eliminated by following this suggestion: generally authorising, by default and at the European level, the lawful further use by competent authorities of personal data (previously collected for law enforcement purposes) for scientific or historical research and statistical purposes.

A possible amendment could consist in the surgical addition of the following sentence after the first sentence of Article 9, paragraph 1, of Directive (EU) 2016/680: “Personal data collected by competent authorities for the purposes set out in Article 1(1) can be processed and shared for scientific or historical research purposes or statistical purposes, unless the processing of such data for scientific or historical research purposes or statistical purposes is explicitly forbidden or restricted by Member State law”.

This amendment would reverse the approach, a contrario, significantly simplifying the rules from a European perspective: only where an explicit Member State law prohibition or restriction specifically addresses such re-use of personal data by LEAs could the “switch” of purposes (from law enforcement to research) be considered not allowed and, therefore, unlawful.

Brussels, 10 January 2020

[*] Art. 9.1 Directive (EU) 2016/680 – Personal data collected by competent authorities for the purposes set out in Article 1(1) shall not be processed for purposes other than those set out in Article 1(1) unless such processing is authorised by Union or Member State law. Where personal data are processed for such other purposes, Regulation (EU) 2016/679 shall apply unless the processing is carried out in an activity which falls outside the scope of Union law.

[**] Art. 9.2 Directive (EU) 2016/680 – Where competent authorities are entrusted by Member State law with the performance of tasks other than those performed for the purposes set out in Article 1(1), Regulation (EU) 2016/679 shall apply to processing for such purposes, including for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, unless the processing is carried out in an activity which falls outside the scope of Union law.