(*) The full study for the European Parliament LIBE Committee can be downloaded HERE
By Professor PAUL DE HERT
EXECUTIVE SUMMARY
From a data protection perspective, fragmentation is the main characteristic of the legal framework in place in the agencies in the EU criminal justice and law enforcement area .
A multitude of EU agencies operates under their own individual legal framework with little regard for harmonization , consistency or even compatibility among their personal data processing , while the basic text that would supposedly set the common standard in the field , the Data Protection Framework Decision, expressly excuses itself from assuming this role.
Each one of the EU bodies and agencies operating within the EU criminal justice and law enforcement area is until today governed by its own legal constituting text (s) that customarily address data protection issues but however does so in a piecemeal and introverted way: supervision of data protection practices is vested upon each agency’s internal mechanisms and management. This architecture, that reflects the pre-Lisbon third pillar environment, has been preserved until today, despite of the fact that in the meantime interagency cooperation has proliferated: not only have formal bilateral cooperation agreements been entered among all EU agencies but also cooperation takes place outside EU borders as well , through chartered, or unchartered, personal data exchanges with third countries and international organisations.
Adequate data protection supervision, in the sense of a single, coordinated monitoring authority, is emphatically missing from all such exchanges.
The ratification of the Treaty of Lisbon is a milestone that affected the EU criminal justice and law enforcement area in more than one way. Among others, the culmination of a standalone individual right to data protection and the involvement of the European Parliament in any decision – making in the field are crucial factors that enabled an, admittedly much needed, change. Such change came in the form of a series of Commission proposals that were released over the past couple of years and which, if implemented, will completely restructure the current EU data protection architecture in the criminal justice and law enforcement area.
The Commission proposals originate from Article 16 TFEU, which introduces a new right to data protection and requires new rules on the personal data processing by EU agencies , as well as independent monitoring, but also from Declaration 21, which allows f or “specific rules” in the field.
To this end, the Commission introduced both general and agency-specific texts.
At a general level, a Police and Criminal Justice Data Protection Directive is intended to replace the Data Protection Framework Decision. At agency-specific level, the Europol and Eurojust draft Regulations are intended to replace the respective Decisions in force today; at the same time a new Regulation is aimed at introducing the European Public Prosecutor’s Office (EPPO) while work has been promised by the Commission also on amending Regulation 45/2001.
Such law-making process entails herculean efforts by all the bodies involved in it (the Commission, the Parliament and the Council) in order to keep the overhaul of data protection rules in force today (in the EU criminal justice and law enforcement field) synchronized and coordinated .
Although none of the above legislative proposals is yet finalized (in fact, only one has reached “trilogue” stage), the Commission’s preferred data protection architecture has become by now evident: the draft Directive is to replace the Framework Decision but not to affect any agency – specific personal data processing. This task will be undertaken by Regulation 45/2001 (or its successor) and the European Data Protection Supervisor (EDPS).
This architecture is basically taken for granted for the purposes of this analysis: regardless of its merits or drawbacks, other than the Commission also the Parliament has shown no substantial objection to it.
Therefore, the interplay of the instruments involved (the Police and Criminal Justice Data Protection Directive, Regulation 45/2001 or its successor, the Europol, Eurojust and EPPO Regulations) has been attempted to be sketched in the six different scenarios that follow , each in turn assessed in terms of legal and pragmatic plausibility under the current environment:
• A “unified model” scenario, under which the Police and Criminal Justice Data Protection Directive would regulate all the EU criminal justice and law enforcement area (including therefore the EU agencies operating therein);
• A “segregated model” scenario, whereby the Police and Criminal Justice Data Protection Directive would leave EU agencies’ personal data processing outside of its scope (as is currently the situation under the Data Protection Framework Decision ) ;
• An “interim segregated model” scenario, under which the above segregated approach would only last for a few years, after which EU agencies would have to bring their personal data processing under the Police and Criminal Justice Data Protection Directive;
• An “alternative unified model” scenario, that, as originally suggested by the Commission, would use Regulation 45/2001 as a common standard – setting text for all EU agencies, whose individual constituting legal instruments would subsequently supplement and further specify its provisions;
• A scenario whereby the current architecture is preserved and consequently neither the Police and Criminal Justice Data Protection Directive nor Regulation 45/2001 (or its successor) affect in any way the agency – specific (revised) texts, and
• An, unfortunately likely for the immediate future, scenario, whereby Regulation 45/2001 is not amended in time and all of Europol, Eurojust and EPPO Regulations , when adopted, will supplement and further specify its provisions, which are outdated and unsuitable for the criminal justice and law enforcement area.
European Area of Freedom Security & Justice 