Out-Law / Your Daily Need-To-Know

Out-Law News

Privacy watchdog sets out expectations on law enforcement bodies' data sharing


Law enforcement agencies must not in general share personal information they hold with partner authorities in other EU member states unless requests for that disclosure set out the "specified, explicit and legitimate purposes" that the partner authorities wish to pursue, an EU privacy watchdog has said. Those agencies must also "check" that the partnering authorities involved will process the shared data only for those identified purposes, the body said.

The Article 29 Working Party highlighted the requirement in a letter to the Council of Europe (5-page / 478KB PDF), a body that promotes collaborative legal standards in the areas of human rights between 47 European countries. The Council of Europe is not an EU institution.

The Working Party, which is made up of representatives from data protection authorities based across all 28 EU countries, sent the letter in response to concerns about data sharing practices by law enforcement bodies that had been raised at a cyber crime conference held by the Council of Europe last year.

The Working Party identified three scenarios in which law enforcement agencies can transfer personal data to partner authorities in other countries, including the "general principle" which it said demands that the disclosures occur in line with "national criminal law procedures and bilateral or multilateral treaties on cooperation in criminal matters".

"Before they access or transmit personal data, law enforcement authorities have to make sure that the interference in the right of EU residents to the protection of their personal data is necessary and proportionate, corresponds to the purpose pursued and that the powers exercised by the law enforcement authorities of both parties are explicitly laid down by law," the Working Party said. "Compliance with these rules should also be subject to the control of an independent authority."

The Working Party outlined a checklist of things law enforcement authorities co-ordinating on cyber crime matters should refer to before exchanging personal data.

Among its recommendations, it said the authorities transmitting the data should check that the personal data processing is lawful, that the request for the data they have received "is made for specified, explicit and legitimate purposes and that the data will be processed only for the purpose mentioned in the cooperation agreement" and that the data they are passing on is "accurate, complete and updated, as well as adequate, relevant and not excessive in relation to this purpose is transmitted".

Further checks should be made to ensure that the authority receiving the data will not retain it for "longer than necessary for the purpose pursued", that the information being processed is secure and that "any further processing for a different purpose, transmission to another authority, agency or body, is authorised by the sending [country] and subject to strict conditions". The Working Party also said there must be oversight of the actions of both the transmitting and receiving law enforcement body.

The watchdog said there is a case for existing international treaties on cross-border data sharing to be "recast" and improved.

"We consider that criminal justice treaties must be compliant with fundamental rights and, therefore, with data protection requirements," the Working Party said. "Considering that most of these treaties do not seem to already include data protection requirements, we also recall our availability to help advise European governments improving or inserting data protection clauses in mutual legal assistance agreements to ensure that minimum data protection safeguards are complied with when exchanging personal data between law enforcement authorities."

The Working Party said that there are exceptional cases where EU businesses can legitimately share personal data they store with law enforcement agencies based outside of the trading bloc. "Direct transfers" of such data to third countries can be legitimate in "situations of particular urgency and where there is a question of life or death", providing there is a legal basis for such transfers under national laws or a treaty between the countries where the data is being sent and received.

A new cyber security information regime is envisaged under the proposed new EU Network and Information Security (NIS) Directive.
