Strasbourg, 18 February 2014 T-PD(2013)11 CONSULTATIVE COMMITTEE OF THE CONVENTION FOR THE PROTECTION OF INDIVIDUALS WITH REGARD TO AUTOMATIC PROCESSING OF PERSONAL DATA (T-PD) RECOMMENDATION R (87) 15 – TWENTY–FIVE YEARS DOWN THE LINE by Professor Joseph A. Cannataci and Dr. Mireille M. Caruana The views expressed in this report are those of the author and do not necessarily reflect the official position of the Council of Europe. DG I – Human Rights and Rule of Law Page | 1 Executive Summary Between the period 2011-2012, within the framework of the PUPIE project, the authors carried out a survey of the state of legislation in 30 out of the Council of Europe’s 47 member States in an effort to determine the impact of the Council of Europe’s Recommendation R(87)15 on data protection in the police sector over the 25 years since the adoption of the Recommendation in 1987. This final report from the PUPIE project finds that by and large the Recommendation has been widely adopted across Europe to an extent that many European states prima facie already regulate police use of personal data in a way comparable but not necessarily identical to that envisaged in the current draft of the European Commission’s proposal 25.1.2012 COM(2012) 10 final 2012/0010 (COD) for a “Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data”. This general finding in no way obviates the need for urgent action on this sector. The Report identifies two overall findings and thirty-one provision-specific findings in relation to the provisions of R(87)15 and places these in the context of eight realities as at September 2013. In response to the overall findings of disparity of provisions and lack of harmonisation, the Report advocates that the time has come for a binding legal instrument which is capable of being deployed across sectors which have hitherto often been parallel worlds: that of law enforcement agencies (LEAs) and the other of Security & Intelligence Agencies (SIS). The Report takes into account the available evidence of utility of the EU’s 2006 Data Retention Directive as well as the significance of the Snowden revelations for privacy & data protection. These considerations reinforce the Report’s recommendations that the Council of Europe offers the right forum for one or more of at least three options which could produce a suitable new binding legal instrument: (1) an entirely new multi-lateral treaty or Convention which would contain mandatory provisions applicable to the LEA and SIS handling of personal data; (2) an additional protocol to the CoE’s Data Protection Convention (ETS 108) encapsulating the provisions envisaged in Option 1 and/or (3) an additional protocol to the CoE’s Cybercrime Convention (ETS 185) incorporating some of the provisions envisaged in Options 1 and 2. The Report finds that the urgency for and the onus upon the Council of Europe to take immediate action to produce a new binding instrument is compounded by the Snowden revelations and the possible chronic inadequacy of EU responses in the sphere of national security on account of exclusions of competence by Art 4 Section 2 of the EU Treaty. 25th September 2013 Page | 2 Table of Contents REPORT: RECOMMENDATION R (87) 15 – TWENTY–FIVE YEARS DOWN THE LINE: 5 The history of the PUPIE project 7 Part 1 – Overview 10 Part 2 – Detailed provisions 11 Scope and definitions 11 Definition of personal data “for police purposes” 11 The controller of police files 11 Only automated, or also manual processing? 11 Legal or only natural persons? 11 Only police or also state security? 12 Basic Principles 12 Principle 1 – Control and notification 12 General or security/police-specific ISA? 12 Privacy Impact Assessments or other reasonable measures 12 Consulting the ISA 13 Notification to ISA 14 Manual files – Notification to ISA and ancillary matters 14 Notification of ad hoc files 15 Principle 2 – Collection of data 15 Collection Limitation principle and Wider police powers 15 Informing the data subject 15 Data collection by automated means 16 Collection of sensitive data 17 Principle 3 – Storage of data 18 Data Quality Principle 18 Accuracy and reliability 18 Administrative purposes 18 Principle 4 – Use of data by the police (statement of the notion of finality) 18 Police data used for other purposes 18 Principle 5 – Communication of data 19 Exchange of data between police bodies 19 Legitimate interest? 19 Communication to other public bodies 20 Legal authorisation or obligation to communicate data to other public bodies 21 Authorisation to communicate data to other public bodies 21 Communication to private parties 22 Communication to Foreign Authorities 24 Law regulating communication 24 Oversight mechanisms 25 Information required by countries 25 Verification and completeness of data 25 Safeguards and purpose 26 Page | 3 Interconnection of files 26 Secure on-line systems 27 Legal direct access to a file 27 Principle 6 – Publicity, right of access to police files, right of rectification and right of appeal 28 Transparency 28 Publicity vs. ad hoc 28 Access to police data 28 Register of requests 28 Rectification or erasure of data 29 Follow-up action 29 Refusing access, rectification and erasure 29 Right of appeal 30 Appeals to independent supervisory authority 31 Principle 7 – Length of storage and updating of data 31 Time-limitation principle 31 Data quality principle 32 Principle 8 – Data security 32 Physical and logical security 32 R(87)15 – From findings to the future - Where do we go from here? 33 Key findings – Thirty-three points to ponder 33 Overall findings 33 Provision-specific findings 33 Utility and Futility – some reflections on the way forward 36 At least three possible options for the way forward 40 New provisions on private sector data in the new binding instrument 43 Epilogue for the post-Snowden era 47 Annex A: Text of questionnaire 55 Annex B: Table of legislation 91 Annex C: Tables 107 Page | 4 Report: Recommendation R (87) 15 – Twenty–five years down the line: By Prof Joseph A. Cannataci Chair in European Information Policy & Technology Law, Co-Director STeP - Security, Technology & e-Privacy Research Group, Department of European and Economic Law, Faculty of Law, University of Groningen, The Netherlands Head of Department of Information Policy and Governance, Faculty of Media and Knowledge Sciences, University of Malta, Adjunct Professor, Security Research Centre, School for Computer & Security Science at Edith Cowan University, Australia, Associate, Cyber Security Center, Longwood University, USA & Dr Mireille M. Caruana, Centre for IT & Law, University of Bristol Department of Information Policy & Governance, University of Malta. CoE Recommendation No. R(87)15 regulating the use of Personal Data in the Police Sector (R(87)15) was developed by the CoE’s Project Group on Data Protection (CJ-PD) in Strasbourg between 1984 – 1986. CJ-PD was characterised by the strong leadership of Germany’s Spiros Simitis, later involved in incorporating data protection into the EU Charter of Fundamental Rights: he was succeeded by Peter Hustinx, today EU Data Protection Commissioner (“EDPS”). The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) had created ambiguity by including an exclusion from its provisions for security purposes.1 R(87)15 resolved this by explicitly subjecting police data to the same data protection regime as other personal data. R(87)15 was also a significant victory for a key principle of data protection: “purpose specification”, in other words, that data controllers should process data according to legitimate, specified and explicit purposes announced at the time of collection, and only use these data for purposes compatible with the original purposes of the collection.2 This key principle was not easily won. Many CJ-PD members were accompanied by national police and/or security forces representatives who were seeking “general purpose” collection, rather than the CJ-PD’s preferred option of “purpose specification” (per Convention 108). Only as a result of strenuous negotiations was a consensual basis for the eventual text arrived at. The drafters of R(87)15 thus succeeded in entrenching the notion of requiring a distinct purpose for collection and processing of data, even for police use. Although R(87)15 was never popular with the police in Western Europe, it was greeted as a model for democratic policing and often cited, especially during the 1989 – 1992 period, in Central and Eastern Europe. In that post-1989 ‘democratic surge’, the Recommendation was referred to in two international agreements: Art.115, para.1, Schengen Agreement3 states that control by the supervisory authority should take account of the Recommendation; the Treaty of 1 CETS No.: 108, Art.9. 2 Convention 108, in particular Art.5b; R(87)15 – in particular Principle 2.1, 2.3, 2.4 and 3.1. 3 OJ 2000, L 239/19. Page | 5 Amsterdam incorporated the Schengen Agreement into the EU Treaty. Likewise, Art.14, para.1, Europol Convention4 provides that processing of police data should take account of Recommendation R(87)15. These two references mean that legally R(87)15 cannot be avoided. Meanwhile, in its Recommendation 1181 (1992) 1 on police co-operation and protection of personal data in the police sector, the CoE Parliamentary Assembly recommended that the Committee of Ministers draw up a convention enshrining the principles laid down in R(87)15. In 1993 the CoE Committee of Ministers requested that the CJ-PD evaluate the relevance of R(87)15 notably whether its text required revision, especially its scope and Principle 5.4 (international communication), and considering the principles set out in Assembly Recommendation 1181 (1992).
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages174 Page
-
File Size-