In this third blog post of my exploration into the matter based on an upcoming publication for CRC Press, part of the Online Terrorist Propaganda, Recruitment, And Radicalization Book Project that I wrote together with Dr. Milda Macenaite, I will specifically explore the legal data protection framework.
The primary legal instrument in the EU regulating personal data processing in law enforcement, i.e., in the area of police and criminal justice, is Directive 2016/680. The Directive was adopted in December 2015 as part of the data protection reform package together with the GDPR.
The GDPR sets forth the general rules for public and private personal data processing and thus can be viewed as lex generalis and the Directive 2016/680 takes into account the particular nature of the law enforcement sector and operates as lex specialis.
The Directive sets forth the principles relating to the processing of personal data, establishes the rights of the data subjects and the obligations of the controllers and processors, regulates the transfers of personal data to third countries and international organizations and the powers and tasks of the independent supervisory authorities, foresees the remedies, liability and penalties, and reflects the GDPR in terms of notions, principles and even in terms of structure (see Paul de Hert, Vagelis Papakonstantinou, The New Police and Criminal Justice Data Protection Directive: A First Analysis, New Journal of European Criminal Law 7.1, pp. 7-19, 2016).
There is, however, a need for a precise delineation between Directive 2016/680 and the GDPR with respect to the personal scope of application of Directive 2016/680 and the processing of personal data by competent authorities.
In order to fall under the scope of the Directive, data processing should be carried out by competent authorities. These include traditional public law enforcement authorities such as the police, national courts and other judicial authorities, prosecution services, customs and border guards, as well as other specialized agencies having investigatory powers in specific domains, for example, Financial Intelligence Units (FIUs) in countries where they are law enforcement authorities.
The definition of these authorities also extends to other bodies and entities which can be private or public-private in nature; security companies with extended executive powers contracted for sporting events, or private prisons in the UK, may thus be included.
To what extent does the processing of data generated by ISPs, social media service providers and other private entities providing online services fall under the Directive 2016/680?
Without any doubt the GDPR applies to such private entities providing services online when they collect personal data from their users for their own commercial purposes. Such data can be further processed in order to comply with a legal obligation to which they might be subject and consequently transferred to the competent authority requesting them.
Processing of the same data by the competent authorities then becomes subject to the data protection requirements of Directive 2016/680 and the relevant national law implementing it. The question remains, however, whether data processing such as storage on the part of Internet service and platform providers for the purposes of the Directive could be considered as being ‘on behalf of’ law enforcement authorities, qualifying them as ‘data processors’ under Directive 2016/680 (see Mireille M. Caruana, The reform of the EU data protection framework in the context of the police and criminal justice sector: harmonisation, scope, oversight and enforcement, International Review of Law, Computers & Technology 5, 2017). This does not seem to be the case, as ISPs, social media service providers and other private entities providing online services process personal data according to the GDPR to comply with a legal obligation imposed by national data retention laws rather than on request of the competent authorities.
The material scope of Directive 2016/680 covers the processing of data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (Articles 2(1) and 1(1)); data processing for national security purposes, by contrast, is explicitly excluded from the scope of Directive 2016/680. The threat of terrorism, however, may fall under both the national security and the law and order domains, and this could therefore limit the competences and the ways of information exchange between intelligence and law enforcement authorities in different countries.
The Directive is not applicable to personal data processing in the context of criminal court proceedings.
One of the main actors in fighting terrorist propaganda on the internet is the EU Internet Referral Unit at Europol. Europol, the EU agency that supports the action of Member States’ competent authorities and their mutual cooperation in preventing and combating organised crime, terrorism and other forms of serious crime affecting two or more Member States, has a separate legal instrument regulating its activities, including personal data processing. This legal instrument is Regulation 2016/794 (Europol Regulation).
While the GDPR on the one hand, and Directive 2016/680 and Regulation 2016/794 on the other, share some similarities, there are differences between the two legal frameworks. Certain principles, such as data subject rights and data controllers’ obligations, are framed less strictly in Directive 2016/680 and Regulation 2016/794 than in the GDPR and therefore provide more leeway for law enforcement and accommodate their specific needs when carrying out their activities (as De Hert and Sajfert note, the differences are ‘particularly visible in Chapters II (principles) and III (rights of the data subject) of the Police Directive’; P de Hert and J Sajfert, ‘The Role of the Data Protection Authorities in Supervising Police and Criminal Justice Authorities Processing Personal Data’ in C Brière and A Weyembergh (eds), The Needed Balances in EU Criminal Law: Past, Present and Future, Hart Publishing, 2017).
It should also be noted that data collected for a specific case sometimes have to be used to resolve other criminal offences or to make links between different crimes detected, making a strict application of the purpose limitation principle difficult. Directive 2016/680 thus permits the use of data for purposes other than that for which they have been collected as long as the purpose is in line with the general purpose of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the controller is authorized to process such data by law and the processing is necessary and proportionate (Article 4(2)). Similarly, Regulation 2016/794 allows further processing of personal data for another operational analysis project insofar as it is necessary and proportionate and the processing is compatible with the required safeguards (Article 18).
Finally, the exercise of the rights of data subjects to information and access to their data might be prejudicial to the surveillance of suspects or, under some circumstances, obstruct criminal investigations and prosecutions. The right to rectification would not be sensible in specific circumstances, such as for the content of a witness testimony, nor would the right to deletion in cases where personal data has to be maintained for evidentiary purposes (Recital 47 of Directive 2016/680). National laws of EU Member States can therefore impose partial or complete restrictions on these rights, and data controllers are allowed to deny these rights under specific circumstances. In addition to national laws, Directive 2016/680 itself already restricts, compared to the GDPR, the amount of information to be made available to data subjects under Article 13(1) and (2): information on data recipients and international data transfers should be given only in specific cases, and the provision of information related to automated decision-making or to the intent to further process personal data for different purposes is not required under Directive 2016/680.
To counterbalance the flexibility in processing personal data afforded to law enforcement authorities in relation to the principles, rights and obligations, data processing by law enforcement authorities is subject to strict legal requirements (see Nadezhda Purtova, Between the GDPR and the Police Directive: navigating through the maze of information sharing in public–private partnerships, International Data Privacy Law 8(1), pp. 52–68, 2018). Directive 2016/680 clearly sets forth that data can be processed only in the law enforcement context, on the grounds and for the purposes set forth by law, according to special processing conditions. For example, while the GDPR allows data controllers to rely on one or more of six general grounds for personal data processing (Article 6 GDPR), competent authorities under the Directive can only use a single ground of lawfulness, i.e., the necessity “for the performance of a task carried out by a competent authority” for law enforcement purposes, when that task is based on national or Union law (Article 8(1) Directive 2016/680) and where the law specifies “at least the objectives of processing, the personal data to be processed and the purposes of the processing” (Article 8(2)). As a result, only national laws that confer the task of law enforcement can provide the legal basis for data processing, and they should do so by specifying both the overall objectives of a certain legislative act and the specific purposes of the processing operation (Recital 33,