The Police and Criminal Justice Authorities Directive: Data protection standards and impact on the legal framework

The data protection regime applying to the inter-agency cooperation and future architecture of the EU criminal justice and law enforcement area, European Parliament, Committee on Civil Liberties, Justice and Home Affairs

Abstract: This study aims, first, at identifying data protection shortcomings in the inter-agency cooperation regime in the EU criminal justice and law enforcement area and, second, at outlining, under six possible scenarios, the interplay among the data protection legal instruments in the law-making process today in field, as well as, the response each could provide to such shortcomings.

Privacy impact assessment in large-scale digital forensic investigations

Abstract: The large increase in the collection of location, communication, health data etc. from seized digital devices like mobile phones, tablets, IoT devices, laptops etc. often poses serious privacy risks. To measure privacy risks, privacy impact assessments (PIA) are substantially useful tools and the Directive EU 2016/80 (Police Directive) requires their use. While much has been said about PIA methods pursuant to the Regulation EU 2016/679 (GDPR), less has been said about PIA methods pursuant to the Police Directive. Yet, little research has been done to explore and measure privacy risks that are specific to law enforcement activities which necessitate the processing of large amounts of data. This study tries to fill this gap by conducting a PIA on a big data forensic platform as a case study. This study also answers the question how a PIA should be carried out for large-scale digital forensic operations and describes the privacy risks, threats we learned from conducting it. Finally, it articulates concrete privacy measures to demonstrate compliance with the Police Directive.

Implementation of Information Security in the EU Information Systems

Abstract: In this paper we present the findings of a case-study on IT system security in the area of EU internal security and justice. We have analyzed the implementation of information security for the EU information systems EURODAC, SIS II and VIS in case of Estonia. The analysis comes in a situation, where there are multiple regulations, directives, guidelines; but it lacks a unified standard for the implementation of the member states subsystems. The main finding is that a separate standard is not necessary; however, there is a need for setting minimum requirements, ensuring security of the information systems, that come with appropriate guidelines that help the member states to achieve the minimum requirements. The second finding is that there is a need for greater cooperation and an increased knowledge exchange of the methods used in the member states. Following defined guidelines and exchanging knowledge would help to strengthen the level of security for the entire system.

The Achilles Heel of EU data protection in a law enforcement context: international transfers under appropriate safeguards in the law enforcement directive

Abstract: In May 2018, EU data protection rules were not only reformed by the General Data Protection Regulation (GDPR) but also by the Law Enforcement Directive (LED). While the LED is often overshadowed by the GDPR, it nevertheless did introduce a number of crucial reforms to data protection in a law enforcement context in the EU including harmonized rules on how personal data in a law enforcement context can be transferred to other law enforcement authorities in third countries. Formally the LED rules on international transfers of personal data to third countries aim at guaranteeing that the level of protection for personal data in a law enforcement context within the EU is not undermined as soon as personal data leaves EU territory. Taking a closer look however reveals major issues with the rules foreseen for transfers in the LED as they often come down to law enforcement authorities self-assessing whether a third country would offer adequate protection within the meaning of the standard of essential equivalence as established by the Court of Justice of the European Union (CJEU) in Schrems. In this paper, I show, by relying on EU fundamental rights law and the case law of the CJEU, how due to the absence of LED adequacy decisions, personal data transfers to law enforcement authorities in third countries often occur without the appropriate scrutiny and safeguards due to system the LED establishes. Using the recent reference to the CJEU by a German Court regarding information exchanges with Interpol, I demonstrate how the created legal uncertainty can affect both the work of law enforcement authorities and the fundamental rights of individuals. I conclude that the current system for international personal data transfers within the LED is deeply flawed and potentially undermining EU personal data protection in a law enforcement context.

The Local Provision of Restorative Justice in Scotland: an Exploratory Empirical Study

Abstract: This article presents the results of the first empirical qualitative research on the provision of restorative justice (RJ) in Scotland, based on interviews with 14 practitioners. In Scotland, RJ has attracted the attention of penal reformers and practitioners since the late 1980s, offering an alternative to criminal justice practices based on retribution and/or rehabilitation whilst promising to reduce reoffending and heal people harmed by crime. In 2017, the Scottish Government has fully recognized the existence of RJ by issuing the first national ‘Guidance’ for the delivery of this process, followed by an ambitious ‘Action Plan’. In spite of such a long-lasting interest and recent policy recognition, there is a lack of knowledge regarding the organization and actual delivery of RJ in Scotland. In fact, research on this subject is scant, anecdotal and dated. This article addresses this knowledge gap by presenting original data on the provision of RJ within Scottish local authorities. The findings show similar understandings of RJ, context-specific organizational models and common systemic challenges characterizing RJ providers, generating evidence to critically assess recent Scottish policy on RJ, whilst drawing implications with relevance for the development of RJ across Europe.

Citizens’ Perceptions of Data Protection and Privacy in Europe

Abstract: Data protection and privacy gain social importance as technology and data flows play an ever greater role in shaping social structure. Despite this, understanding of public opinion on these issues is conspicuously lacking. This article is a meta-analysis of public opinion surveys on data protection and privacy focussed on EU citizens. The article firstly considers the understanding and awareness of the legal framework for protection as a solid manifestation of the complex concepts of data protection and privacy. This is followed by a consideration of perceptions of privacy and data protection in relation to other social goals, focussing on the most visible of these contexts–the debate surrounding privacy, data protection and security. The article then considers how citizens perceive the ‘real world’ environment in which data processing takes place, before finally considering the public's perception and evaluation of the operation of framework against environment.

Information Sharing and Data Protection in the Area of Freedom, Security and Justice: Towards Harmonised Data Protection Principles for Information Exchange at EU-level

Abstract: Introduction.- Data Protection Standard in the AFSJ.- AFSJ Actors in the Light of the European Data Protection Standard.- Cooperation and Data Exchange of the AFSJ Actors and Their Compliance with the European Data Protection Standard.- Perspectives and Suggestions for Improvement.- Concluding Remarks.

The European data protection framework for the twenty-first century

Abstract: This article sets out some of the key elements of the Commission's EU data protection reform proposals and highlights a number of the main changes compared to the current situation. † The new legislative instruments contain import- ant changes to the current acquis, relating in particular to

The Upcoming Data Protection Reform for the European Union

Abstract: The protection of personal data is one of the basic values in Europe, for the Member States of the EU, and for the EU institutions. EU legal rules on data protection do not discriminate between EU citizens and foreigners—the fundamental right to personal data protection is guaranteed to ‘every person’ in Europe, citizens and non-citizens alike. As Vice-President of the Commission and Commissioner for Justice, Fundamental Rights and Citizenship, I want to make sure that this right is promoted in all our actions.