“The adoption of this proposal would mean a considerable step
forwards for the protection of personal data,” wrote Peter Hustinx,
the current EDPS, in his 35-page opinion.
Hustinx's job is to monitor the processing of personal data by
the Community institutions and bodies. His latest opinion examines
a Council of Ministers Framework Decision that was published in
October.
Existing rules for the processing of personal data are found in
the 1995 Data Protection Directive. But that Directive does not
apply either to the processing of personal data within the
framework of police and judicial cooperation in criminal matters,
or to the processing of personal data in the course of an activity
which falls outside the scope of Community law, including
operations concerning public security, defence, and the activities
of the State in areas of criminal law.
These areas are left to Member States to deal with or, on a
European level, to the Council of Ministers. So the Council of
Ministers' Framework Decision attempts to harmonise Member States'
approaches to the exchange of data, including fingerprints, DNA
profiles and telephone numbers.
An enormous increase in the volume of personal data being
circulated is expected as Member States co-operate more and more in
fighting crime and terrorism. Hustinx says this adds to the need
for the Framework Decision.
"The Framework Decision will be one of the three central pieces
of European legislation in the field of data protection," said
Hustinx. "Common standards that are applicable to all processing
are very much needed and I generally support the proposal which can
constitute a considerable step forward."
But he added: “Good law enforcement and good data protection
reinforce each other – so it is in the interest of everyone that
the proposal is even further improved before it is adopted".
Hustinx set out a number of improvements that should be made to
the Framework Decision, including:
- A requirement that the main data protection rules cover all
police and judicial data – not only data exchanged between member
states, but also data used within one country.
- A requirement that data on different categories of persons –
suspects, convicted persons, victims, witnesses, contacts – are
processed with different, appropriate conditions and
safeguards.
- The need for the principles of necessity and proportionality
set out in the proposal to fully reflect the case law of the
European Court on Human Rights.
- A careful assessment of the quality of data received from a
third country – in the light of human rights and data protection
standards – before they are used.
- The introduction of specific provisions on automated individual
decisions – similar to those in the Data Protection Directive.
Automated individual decisions are currently not covered by the
proposal at all, despite that fact that enforcement authorities
increasingly use this process to assess individuals.
