Luxembourg, 09/10/2015 (Agence Europe) - EU justice ministers reached a political agreement in principle in Luxembourg on Friday 9 October on the directive on the protection of personal data in criminal matters.
This directive forms the second chapter of the broad reform of personal data protection rules begun in 2012. In June of this year, ministers came to an agreement in principle on the regulation part of the reform which covers the commercial processing of data and processing of data by non-law enforcement public bodies (see EUROPE 11335).
Ministers adopted their position after a very short sitting. Luxembourg Justice Minister Félix Braz welcomed the agreement which will allow inter-institutional trialogue negotiations with the European Parliament and the Commission to begin, in the hope that the reform can be finalised by the end of 2015.
In concrete terms, the directive seeks to set out for member states' police and legal authorities minimum standards for the processing of personal data of people who are, for example, under investigation or have been convicted, when these authorities exchange the files, either transnationally or nationally, on those people. It sets general principles on the purpose of the processing of the data, how long they can be retained and the rights of the people concerned to information.
The text stipulates that personal data must be “processed lawfully and fairly, collected for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes”. The data must be “adequate, relevant, and not excessive in relation to the purposes for which they are processed”. They must be “accurate and, where necessary, kept up to date and kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”. Exceptions are, nonetheless, possible so as to allow the controller to use the data for other purposes.
“In order to ensure that the data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review”, the agreed text states. Member states should lay down appropriate safeguards for personal data stored for longer periods for archiving in the public interest, scientific, statistical or historical use.
“A natural person should have the right of access to data which has been collected concerning him or her, and to exercise this right easily and at reasonable intervals in order to be aware of and verify the lawfulness of the processing. Every data subject should therefore have the right to know about and obtain communication in particular of the purposes for which the data are processed, (…) for what period, and which recipients receive the data, including in third countries”, the text further states. Processing of sensitive data, on, for example, ethnicity or religion, is theoretically forbidden except where “strictly necessary” and “subject to appropriate safeguards for the rights and freedoms of the data subject”. Profiling, too, is theoretically not allowed by the directive.
Provision is also made for international transfer of data to law enforcement authorities in third countries. International transfers will be possible if the European Commission has previously decided that the third country ensures an adequate level of personal data protection similar to the European regime. It is precisely an adequacy decision that the Court of Justice invalidated in the Schrems case on Tuesday 6 October, though this related to the transfer of commercial data (see EUROPE 11404).
The European Parliament rapporteur on the personal data protection regulation, Jan-Philipp Albrecht (Greens/EFA, Germany) said he was disappointed by the Council text which delivers “almost no improvements on the current legal situation”. Regretting the ministers' “vague” commitments, he expresses his concern at the numerous exemptions with regard to the right to information.
Under the Council text, member states will, in certain instances, be able not to inform the people concerned of how their data will be used. A decision not to communicate minor infringements of the data protection rules to the person concerned may also be taken if the data protection controller has followed the procedures required in that instance and if it would excessively increase workload should such minor infringements be repeated. (Original version in French by Solenn Paulic)