University of Groningen Reprocessing of biometric data for law enforcement … · 2019-07-11 ·...

University of Groningen

Reprocessing of biometric data for law enforcement purposesJasserand-Breeman, Catherine

IMPORTANT NOTE: You are advised to consult the publisher's version (publisher's PDF) if you wish to cite fromit. Please check the document version below.

Document VersionPublisher's PDF, also known as Version of record

Publication date:2019

Link to publication in University of Groningen/UMCG research database

Citation for published version (APA):Jasserand-Breeman, C. (2019). Reprocessing of biometric data for law enforcement purposes: Individuals'safeguards caught at the Interface between the GDPR and the 'Police' directive?. [Groningen]: University ofGroningen.

CopyrightOther than for strictly personal use, it is not permitted to download or to forward/distribute the text or part of it without the consent of theauthor(s) and/or copyright holder(s), unless the work is under an open content license (like Creative Commons).

Take-down policyIf you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediatelyand investigate your claim.

Downloaded from the University of Groningen/UMCG research database (Pure): http://www.rug.nl/research/portal. For technical reasons thenumber of authors shown on this cover page is limited to 10 maximum.

Download date: 27-06-2020

https://www.rug.nl/research/portal/en/publications/reprocessing-of-biometric-data-for-law-enforcement-purposes(0716b849-4370-49f1-8572-7740c8920e5b).html



Reprocessing of Biometric Data for Law Enforcement Purposes

Individuals' Safeguards Caught at the Interface between the

GDPR and the 'Police' Directive?

PhDthesis

to obtain the degree of PhD at the University of Groningen on the authority of the

Rector Magnificus prof. E. Sterken and in accordance with

the decision by the College of Deans.

This thesis will be defended in public on

Thursday 11 July 2019 at 11.00 hours

by

CatherineAgnèsJasserand-Breeman

born on 3 March 1976 in Tassin La Demi-Lune, France

SupervisorsProf. G.P. Mifsud Bonnici

Prof. L.W. Gormley

AssessmentCommittee

Prof. J.A. Cannataci

Prof. Y. Poullet

Prof. F. Boehm

AcknowledgementsThis PhD dissertationwould not have been possiblewithout the help and support ofmany peoplewho surroundedme during this long journey.My first thanks go tomysupervisors,ProfessorJeanneMifsudBonniciandProfessorLaurenceGormley.Jeanne,Iwouldliketothankyoufortheflexibilitythatyouofferedmetoexploremanyresearchpaths and for your enthusiasm when I presented unconventional ideas. You had thepatience to listen to me while guiding me on the right track when I felt lost in myresearch.Laurence,Iamgratefulforyourcommitmenttoenablingmetoreachmygoalsandforyourattentiontodetail. IstillrememberthewarmwelcomethatyougavemethedayofmyjobinterviewattheUniversity.IalsothanktheFacultyofLawfor thearrangementtheyagreedonduringthePhD.AspecialthankstotheGraduateSchooland,inparticular,toMarjolijnBoth,AnitaKram,andProfessorPaulineWesterman for the fantastic job that youdo in supportingPhDstudents. Iamgrateful tomyassessmentcommittee,composedofProfessorFranziskaBoehm,ProfessorYvesPoullet,andProfessorJoeCannataci, forreadingmythesisandallowingmetodefendit.Besides, the researchwould not have been possiblewithout the funding provided byINGRESS,anEU-FP7projectonthedevelopmentoffingerprintsensors.Formorethanthreeyears, theprojectofferedmetheopportunity todiscussvarious technical issueslinkedtothedevelopmentofbiometrictechnologies.SpecialthankstoAurélieMoriceau,StéphaneRevelin,MarinaPouet,EgidijusAuksorius,MartinOlsen,KiranRaja,ProfessorChristopheChampod,ProfessorChristophBusch,AlexandreAnthonioz,BerkayTopcu,NenadMarjanovic,MarcSchnieper,SerenaPapi,AgnieszkaandWielsawBicz.Ihopetohavetheopportunitytopursuecross-disciplinaryresearchwithyouinthefuture.AspecialthankstoElsKindt.Els,youintroducedmetoyournetworkofprofessionalsinthebiometricfieldandrecommendedmeasaspeakerforseveralconferencesorganisedbytheEuropeanBiometricsAssociation.Thankyouforyourtrustandforsharingyourexpertise.Iamgratefultoseveralresearcherswhogavemeabitoftheirprecioustimetodiscussvarious issues and, in particular, to Peel Geelhoel whose knowledge on criminal lawhelpedmetothinkoutsidethe‘dataprotection’bubble,ProfessorArunRossforlengthydiscussionsonhowandwhetherwecouldbridge thegapsbetween the scientific andtechnical communities, and Professor Sébastien Marcel for exchange on facialrecognitiontechnologies.

IalsothankmypastandpresentcolleaguesatSTeP,whotookthetimetochat,exchangeideas,sharetheiroffice,orgooutfordinnerseachtimeIwasinGroningen.ThankyouAukje, Melania, Oskar, Frank, Bo, Evgeni, Jonida, Carolin, Gerard (also for kindlytranslatingthesummariesinDutch!),Nynke,Trix,Karen,Lauren,Nati,Styliana,Warsha,Bettina,andJoe.ColleaguesfromtheEuropeanLawDepartmentalsobelongtothislist:Karien (a special thanks for your help, kindness, and patience), Matthijs, Martin,Laurenzo, Hans, and Peter. Dimitry, with your sense of humour, the intellectualdiscussionsthatyoulikedtoprovoke,andyourcolourfulties,younaturallyhaveaplaceinthislist.Ialsohaveinmindmyex-colleaguesfromIViR,whereIstartedresearchseveralyearsago.EstherandBart,Imissourlunchdates.Ana,Christina,andJoãoPedro,thankyouforyouradvice,suggestions,andkindwords. Finally,Iwanttothankmyfamily-in-law,Ans,Dolf,andIlsefortheirprecioushelpeachtimeIneededtotraveltoGroningenorotherplacesforconferences.This dissertation is alsodedicated tomyparentschéris, Françoise and Jean-Paul,whohave alwayspushedus tobe intellectually curious.Tomybrothers, Patrick and Jean-Philippe(withCarine,Hippolyte,Maxence,andCallixte),andmysister,Laëticia, thankyouforhelpingmekeepmyfeetontheground.ToRaphaëlandTim,mysweetboyswhohadenoughpatiencewithmethroughouttheyearsandwhoremindedme that thereismoretolifethanbooks. Lastbutnot least, tomyhusband,Dirk-Jan,forhislogisticandmentalsupport,aswellasforthefaiththathehadinmefromthestartoftheproject.Thankyou,thisdissertationwouldhaveneverseenthelightofdaywithoutyou!

TableofContents

Chapter1:FramingtheTopicandtheResearchQuestions....................................9 Introduction............................................................................................................................10 ResearchQuestions...........................................................................................................13 Methodology.......................................................................................................................151. InterdisciplinaryComponent......................................................................................................152. LegalAnalysis.....................................................................................................................................17 TheoreticalFramework..................................................................................................18 ConceptsandTheories...................................................................................................................18a. TheEURighttoDataProtectionasaFundamentalRight..........................................................18b. TheConceptof‘LawEnforcement’......................................................................................................20c. TheNotionof‘BiometricData’...............................................................................................................21d. TheConceptof‘Safeguards’....................................................................................................................22 LegalFramework..............................................................................................................................23a. EUPrimarySources....................................................................................................................................23b. EUSecondaryLegislation.........................................................................................................................25c. CaseLawandSoft-LawInstruments...................................................................................................26

Structure................................................................................................................................27

Chapter2:AvoidingTerminologicalConfusionbetweentheNotionsof‘Biometrics’and‘BiometricData’.................................................................................31

Introduction...........................................................................................................................32 ‘Biometrics’:aCatchallNotion?.....................................................................................36 UsesoftheTerm‘Biometrics’intheEuropeanDataProtectionContext................37a. ‘Biometrics’UsedasaSynonymof‘BiometricData’....................................................................37b. ‘Biometrics’UsedasaSynonymof‘BiometricTechnologies’..................................................39 Definitionsof‘Biometrics’bytheScientificCommunity.................................................40a. SeveralScientificDisciplines,SeveralMeanings............................................................................41b. TowardsaHarmonisedDefinitionoftheTerm‘Biometrics’inISO/IEC2382-37..........42

BiometricData:aTechnicalandaLegalNotion.....................................................44 NotionDefinedbytheBiometricCommunity......................................................................44 NotionDefinedbytheLegalCommunityintheDataProtectionand

PrivacyContext................................................................................................................................46a. QualificationasPersonalData................................................................................................................47b. FromBiometricCharacteristicsto‘Datarelatingto’BiometricCharacteristics..............49c. Uniqueness......................................................................................................................................................51d. LinktotheBiometricProcessingoftheData,MissingCriterion?..........................................52

Conclusions.........................................................................................................................55

Chapter3:LegalNatureofBiometricData:From‘Generic’PersonalDatatoSensitiveData......................................................................................................................57

Introduction...........................................................................................................................58 TheSlowIntroductionoftheNotionofBiometricDataintheEUData

ProtectionField...........................................................................................................................62 DeconstructionoftheLegalConceptofBiometricData......................................64 PersonalData.....................................................................................................................................65 ResultingfromaSpecificTechnicalProcessing..................................................................66a. TechnicalStepsofBiometricRecognition.........................................................................................66b. BiometricFormatsResultingfromtheTechnicalProcessing..................................................67 RelatingtothePhysical,PhysiologicalorBehaviouralCharacteristicsofaNatural

Person.............................................................................................................................................................68

AllowingorConfirmingtheUniqueIdentificationofthatIndividual........................69a. TheDifferentMeaningsofIdentification...........................................................................................69b. FunctionsofBiometricData(“AllowingorConfirming”)..........................................................70c. UniqueIdentification..................................................................................................................................70 FacialImagesandDactyloscopicDataasExamples..........................................................72

TheRegimeforSensitiveDataApplicabletotheProcessingofBiometricData.............................................................................................................................731. DebatebeforetheAdoptionoftheDataProtectionReformPackage.......................742. PurposeofProcessingasaNewConditiontoApplytheRegimeofSensitive Data.........................................................................................................................................................75

a. PurposeofBiometricDataProcessing...............................................................................................76b. SensitiveDatabyReasonoftheirNature..........................................................................................77

Conclusions...........................................................................................................................78Chapter4:LawEnforcementAccesstoPersonalDataOriginallyCollectedbyPrivateParties.....................................................................................................................81

Introduction...........................................................................................................................82 ApplicableLegalInstrument:theGDPRorthe‘Police’Directive?....................85 PositionsoftheEUInstitutions:BetweenHesitationandDivergence.....................85 TwoSetsofRulesGovernedbyTwoDifferentInstruments.........................................87 Existenceof‘SubstantiveandProcedural’Safeguardsin

Directive2016/680?........................................................................................................89 PreliminaryRemarksontheUseofDigitalRightsIrelandandTele2SverigeasBenchmark..........................................................................................................................................89

TheBenchmarksetbyDigitalRightsIrelandandTele2Sverige..................................91 ApplicationoftheRulingstoDirective2016/680.............................................................94a. ObjectiveCriteriatoDetermineLawEnforcementAccess........................................................94b. OversightMechanism:IndependentReviewoftheRequestforAccess?............................95c. TheRighttoInformationasaDutyofNotification?.....................................................................97

SafeguardsagainstAbuses:ThePrincipleofPurposeLimitation?..................98 NotionofPurposeLimitation......................................................................................................99 ApplicationofthePrinciple:TestofCompatibilityversusDerogation....................99

Conclusions..........................................................................................................................102

Chapter5:SubsequentUseofGDPRDataforaLawEnforcementPurpose105 Introduction..........................................................................................................................106 Background.........................................................................................................................109 OriginofthePrincipleofPurposeLimitation....................................................................109 RelationshipbetweentheGDPRandDirective2016/680...........................................110 RegimeofPurposeLimitationunderDirective2016/680...............................112 ComparisonwiththeGDPRRegime......................................................................................112 ScopeoftheInitialProcessing.................................................................................................113 Article4(2)ofDirective2016/680asDerogationfromthePrincipleofPurposeLimitation?........................................................................................................................................114

a. LowerStandardofProtection?...........................................................................................................115b. InterpretationoftheDerogation.......................................................................................................116

FurtherProcessingofGDPRDataFallingwithintheScopeofArticle4(2)ofDirective2016/680........................................................................................................118 FocusontheRegulationofDataUseinsteadofDataCollection?.............................118 InterpretationofArticle4(2)toEncompassSubsequentUsesofGDPRData....119a. ‘InAccordancewiththeLaw’...............................................................................................................120b. ‘NecessarytothatOtherPurpose’.....................................................................................................121

c. ‘ProportionatetothatOtherPurpose’.............................................................................................122d. MissingCriterion:RespectoftheEssenceoftheFundamentalRighttoData

Protection?..................................................................................................................................................123 AccountabilityofLawEnforcementAuthoritiesasAdditionalSafeguard?.........123

Shortcomings:ConsequencesofSubsequentUsesofGDPRDataoutsidetheScopeofArticle4(2)ofDirective2016/680...........................................................124 SubsequentUseofGDPRDataas‘InitialProcessing’undertheDirective?.........124 ConsequencesonDataSubjects’Rights...............................................................................126

Conclusions.......................................................................................................................127Chapter6:AccountabilityandMitigationofRisks................................................131

Introduction.........................................................................................................................132 DataProtectionbyDesignandDataProtectionbyDefault:Overarching

Obligations..........................................................................................................................134 BuildingontheConceptofPrivacybyDesign?................................................................135a. PrivacybyDesign......................................................................................................................................135b. TheConceptinEUDataProtectionLegislation...........................................................................136c. InspiredbybutdifferentfromPrivacybyDesign.......................................................................137 NotallDataProtectionPrinciplesareTechnicallyEmbeddable..............................138a. DataProtectionPrinciples....................................................................................................................139b. OrganisationalandTechnicalMeasures.........................................................................................139c. PrincipleofPurposeLimitation..........................................................................................................140

DPIA:AComplementaryRisk-ManagementTool................................................142 InitialAssessment:RiskAnalysis...........................................................................................143a. High-RiskProcessing...............................................................................................................................143b. Factors...........................................................................................................................................................145 ElementsofaDPIA........................................................................................................................145a. Scope:SingleProcessingoraSeriesofProcessingOperations?..........................................146b. FeaturesofaDPIA....................................................................................................................................146c. RiskMitigation...........................................................................................................................................146

LawEnforcementReprocessingofGDPRBiometricData.................................147 PreliminaryAssessment.............................................................................................................148a. ProcessingofBiometricData:HighRiskProcessing?...............................................................148b. TypesofLawEnforcementPurposes..............................................................................................149c. MatchingorCombiningDifferentDatasets....................................................................................149d. DatanotObtainedDirectlyfromIndividuals...............................................................................149e. ExceptionstotheExerciseofIndividuals’Rights.......................................................................150f. UseofNewTechnologies......................................................................................................................150 ElementsoftheDPIA...................................................................................................................151a. DescriptionoftheProcessing..............................................................................................................151b. Risks...............................................................................................................................................................152c. SafeguardsandSolutions.......................................................................................................................152

Conclusions.........................................................................................................................153Chapter7:ConclusionsandSuggestionsforFutureResearch..........................155

Bibliography......................................................................................................................167

AllowingorConfirmingtheUniqueIdentificationofthatIndividual........................69a. TheDifferentMeaningsofIdentification...........................................................................................69b. FunctionsofBiometricData(“AllowingorConfirming”)..........................................................70c. UniqueIdentification..................................................................................................................................70 FacialImagesandDactyloscopicDataasExamples..........................................................72

TheRegimeforSensitiveDataApplicabletotheProcessingofBiometricData.............................................................................................................................731. DebatebeforetheAdoptionoftheDataProtectionReformPackage.......................742. PurposeofProcessingasaNewConditiontoApplytheRegimeofSensitive Data.........................................................................................................................................................75

a. PurposeofBiometricDataProcessing...............................................................................................76b. SensitiveDatabyReasonoftheirNature..........................................................................................77

Conclusions...........................................................................................................................78Chapter4:LawEnforcementAccesstoPersonalDataOriginallyCollectedbyPrivateParties.....................................................................................................................81

Introduction...........................................................................................................................82 ApplicableLegalInstrument:theGDPRorthe‘Police’Directive?....................85 PositionsoftheEUInstitutions:BetweenHesitationandDivergence.....................85 TwoSetsofRulesGovernedbyTwoDifferentInstruments.........................................87 Existenceof‘SubstantiveandProcedural’Safeguardsin

Directive2016/680?........................................................................................................89 PreliminaryRemarksontheUseofDigitalRightsIrelandandTele2SverigeasBenchmark..........................................................................................................................................89

TheBenchmarksetbyDigitalRightsIrelandandTele2Sverige..................................91 ApplicationoftheRulingstoDirective2016/680.............................................................94a. ObjectiveCriteriatoDetermineLawEnforcementAccess........................................................94b. OversightMechanism:IndependentReviewoftheRequestforAccess?............................95c. TheRighttoInformationasaDutyofNotification?.....................................................................97

SafeguardsagainstAbuses:ThePrincipleofPurposeLimitation?..................98 NotionofPurposeLimitation......................................................................................................99 ApplicationofthePrinciple:TestofCompatibilityversusDerogation....................99

Conclusions..........................................................................................................................102

Chapter5:SubsequentUseofGDPRDataforaLawEnforcementPurpose105 Introduction..........................................................................................................................106 Background.........................................................................................................................109 OriginofthePrincipleofPurposeLimitation....................................................................109 RelationshipbetweentheGDPRandDirective2016/680...........................................110 RegimeofPurposeLimitationunderDirective2016/680...............................112 ComparisonwiththeGDPRRegime......................................................................................112 ScopeoftheInitialProcessing.................................................................................................113 Article4(2)ofDirective2016/680asDerogationfromthePrincipleofPurposeLimitation?........................................................................................................................................114

a. LowerStandardofProtection?...........................................................................................................115b. InterpretationoftheDerogation.......................................................................................................116

FurtherProcessingofGDPRDataFallingwithintheScopeofArticle4(2)ofDirective2016/680........................................................................................................118 FocusontheRegulationofDataUseinsteadofDataCollection?.............................118 InterpretationofArticle4(2)toEncompassSubsequentUsesofGDPRData....119a. ‘InAccordancewiththeLaw’...............................................................................................................120b. ‘NecessarytothatOtherPurpose’.....................................................................................................121

c. ‘ProportionatetothatOtherPurpose’.............................................................................................122d. MissingCriterion:RespectoftheEssenceoftheFundamentalRighttoData

Protection?..................................................................................................................................................123 AccountabilityofLawEnforcementAuthoritiesasAdditionalSafeguard?.........123

Shortcomings:ConsequencesofSubsequentUsesofGDPRDataoutsidetheScopeofArticle4(2)ofDirective2016/680...........................................................124 SubsequentUseofGDPRDataas‘InitialProcessing’undertheDirective?.........124 ConsequencesonDataSubjects’Rights...............................................................................126

Conclusions.......................................................................................................................128Chapter6:AccountabilityandMitigationofRisks................................................131

Introduction.........................................................................................................................132 DataProtectionbyDesignandDataProtectionbyDefault:Overarching

Obligations..........................................................................................................................134 BuildingontheConceptofPrivacybyDesign?................................................................135a. PrivacybyDesign......................................................................................................................................135b. TheConceptinEUDataProtectionLegislation...........................................................................136c. InspiredbybutdifferentfromPrivacybyDesign.......................................................................137 NotallDataProtectionPrinciplesareTechnicallyEmbeddable..............................138a. DataProtectionPrinciples....................................................................................................................139b. OrganisationalandTechnicalMeasures.........................................................................................139c. PrincipleofPurposeLimitation..........................................................................................................140

DPIA:AComplementaryRisk-ManagementTool................................................142 InitialAssessment:RiskAnalysis...........................................................................................143a. High-RiskProcessing...............................................................................................................................143b. Factors...........................................................................................................................................................145 ElementsofaDPIA........................................................................................................................145a. Scope:SingleProcessingoraSeriesofProcessingOperations?..........................................146b. FeaturesofaDPIA....................................................................................................................................146c. RiskMitigation...........................................................................................................................................146

LawEnforcementReprocessingofGDPRBiometricData.................................147 PreliminaryAssessment.............................................................................................................148a. ProcessingofBiometricData:HighRiskProcessing?...............................................................148b. TypesofLawEnforcementPurposes..............................................................................................149c. MatchingorCombiningDifferentDatasets....................................................................................149d. DatanotObtainedDirectlyfromIndividuals...............................................................................149e. ExceptionstotheExerciseofIndividuals’Rights.......................................................................150f. UseofNewTechnologies......................................................................................................................150 ElementsoftheDPIA...................................................................................................................151a. DescriptionoftheProcessing..............................................................................................................151b. Risks...............................................................................................................................................................152c. SafeguardsandSolutions.......................................................................................................................152

Conclusions.........................................................................................................................153Chapter7:ConclusionsandSuggestionsforFutureResearch..........................155

Bibliography......................................................................................................................167 Samenvatting .................................................................................................................199

Chapter 1Framing the Topic and the Research Questions

10

Chapter1:FramingtheTopicandtheResearchQuestions

Introduction

Biometrictechnologiesareverypresent inourdaily lives.Limitedfora longtimetothefieldsoflawenforcementandbordercontrols,biometrictechnologiesarenowcommonlyusedbytheprivatesector.Fingerprints,face,voiceoririsdataareused,amongothers,tobookpayments,giveaccesstoworkpremisesorunlockmobiledevices.1By2020,banksareestimatedtoofferbiometricservicestomorethan1,9millioncustomers.2Besidesthegrowinguseofbiometricdatabyprivateparties,anothertrendhasemergedthanks to the ‘vast trove of personal data’ that socialmedia and online platform hold.3Among the data collected are facial images (photographs, videos) and voice samples(videosoraudiomessages),whichcanbereprocessedforbiometricrecognitionpurposes.MarkZuckerberg,theFacebook’sCEO,hasrecentlyacknowledgedthatthesocialnetworkprocessesthephotographsuploadedontotheplatformforfacialrecognitionpurposes.4Afew years ago, the company developed facial recognition software to match people’spictureswithfriends’namesandencourageduserstoidentifypeoplethatlookedliketheirfriends.5After complaints from the Irish and theHamburgData ProtectionAuthorities,6Facebook deactivated the ‘tag’ feature in Europe,7but the company announced in April

1Ethan Ayer, ‘How Government Biometrics areMoving into the Private Sector’ (BiometricUpdate, 28 June2017)<https://www.biometricupdate.com/201706/how-government-biometrics-are-moving-into-the-private-sector>accessed30September2018.2Xavier Larduinat, ‘Biometrics and the Next Financial Sector Revolution' (blog.Gemalto, 22 May 2018)<https://blog.gemalto.com/financial-services/2018/05/22/biometrics-and-the-next-financial-sectorrevolution/> accessed 30 September 2018; Business Wire, ‘The Biometrics for Banking: Market andTechnology Analysis, Adoption Strategies and Forecasts 2018-2023- Second Edition’ (businesswire.com, 29June 2018) <https://www.businesswire.com/news/home/20180629005676/en/Biometrics-Banking-2018-Market-Technology-Analysis-Adoption>accessed30September2018.3The expression of ‘vast trove’ is commonly used in relation to the exploitation of collected data by socialmedia, see for instanceSominiSengupta, ‘Facebook’sProspectsMayRestonTroveofData’NewYorkTimes(14 May 2012) <https://www.nytimes.com/2012/05/15/technology/facebook-needs-to-turn-data-trove-into-investor-gold.html?pagewanted=all>accessed30September2018.4SteveAndriole,‘Facebook'sZuckerbergQuietlyDropsAnotherPrivacyBomb-FacialRecognition'Forbes(12April2018)<https://www.forbes.com/sites/steveandriole/2018/04/12/facebooks-zukerberg-quietly-drops-another-privacy-bomb-facial-recognition/#27ebe7fe51c0>accessed30September2018.5Forexample,IngridLunden,‘FacebookTurnsOffFacialRecognitionintheEU,GetstheAll-ClearOnSeveralPoints from Ireland's Data Protection Commissioner on its Review' TechCrunch (21 September 2012)<https://techcrunch.com/2012/09/21/facebook-turns-off-facial-recognition-in-the-eu-gets-the-all-clear-from-irelands-data-protection-commissioner-on-its-review/>accessed30September2018.6For instance, Press Association, ‘Facebook Faces Fines up to £80K’ The Guardian (21 September 2012)<https://www.theguardian.com/technology/2012/sep/21/facebook-faces-privacy-fine> accessed 30September2018;HelenPidd,‘FacebookFacialRecognitionSoftwareViolatesPrivacyLaws,saysGermany’TheGuardian (3 August 2011) <https://www.theguardian.com/technology/2011/aug/03/facebook-facial-recognition-privacy-germany>accessed30September2018.7TimBradshaw,‘FacebookEndsFacialRecognitioninEurope’FinancialTimes(21September2012)<https://www.ft.com/content/fa9c4af8-03fc-11e2-b91b-00144feabdc0>accessed30September2018.

2018itsintenttoreintroduceitinEuropebasedonusers’consent.8Inaddition,totestitsfacial matching algorithms, the social media has set up a private facial recognitiondatabaseforresearchpurposes.ButFacebookisnottheonlyonetoprocessforbiometricpurposes the data of its users. Google has also developed its own large-scale facialdatabasefedbythephotographsitholds.9Besides,theInternetsearchengineenablesitsuserstorecordtheirvoiceandaudioactivities.Oneofthepurposesofthe ‘GoogleVoiceandAudio'functionispreciselytoallowthecompanytouseindividuals'voicestoimproveitsspeechrecognitionsystems.10Facialimagesandvoicesamplesheldbysocialnetworksareparticularlyvaluabletolawenforcement authorities as they allow the identification of individuals based on thedistinctivecharacteristicsoftheirbody(e.g.facegeometry)orbehaviour(e.g.voicetone,accent). As reported by the transparency reports of the big tech companies (includingFacebookandGoogle),therequestsmadebylawenforcementauthoritiestoaccessusers'accounts and content have increased through the years.11Although the reports do notdisclose the types of content requested and obtained, one could assume that lawenforcementauthorities requestaccess topictures,videosandvoice samples, to furtherprocessthemincludingforbiometricrecognitionpurposes.12Lawenforcementauthoritiescanhaveaccesstobiometricdatathroughdifferentchannels.They can directly collect them, for instance during a criminal investigation. They canrequestaccesstobiometricdataheldindatabasessetupbypublicauthoritiesfornon-lawenforcementpurposes (such as databases constituted for border controls purposes).Ortheycanrequestaccess tobiometricdataheldbyprivateparties. It ison the lattercasethattheresearchfocuses.TheincreasingvolumeofbiometricdataheldbyprivatepartiesandtheadoptionofnewEUdataprotectionrulesjustifysuchachoice.Theresearchalsobuildsonatrendthathasgrownovertheyears,raisingconcernsonits impactsondata

8Tyron Stewart, ‘Facebook is Using GDPR as a Means to Bring Facial Recognition Back to Europe’MobileMarketing (18 April 2018) <https://mobilemarketingmagazine.com/facebook-facial-recognition-eu-europe-gdpr-canada>accessed30September2018.9AccordingtoIraKemelmacher-Schlizermanetal,severalsocialmediaandonlineplatformshaveconstitutedprivateresearchfacialdatabasebasedonthephotographsthattheyhold.FaceNet,theprivatedatabasesetupbyGoogleforresearchpurposesexclusivelyisdeemedtobethebiggestonecontainingmorethan500millionpictures from more than 10 million individuals, as described in Ira Kemelmacher-Shlizerman et al, ‘TheMegaFaceBenchmark:1MillionFaces forRecognitionatScale' (2015)<https://arxiv.org/abs/1512.00596>accessed30September2018.10SeeSupportGoogleonGoogleVoiceandAudioActivity<https://support.google.com/websearch/answer/6030020?co=GENIE.Platform%3DDesktop&hl=en>accessed30September2018.11Seeforinstance,Facebook’sTransparencyReportreleasedinMay2018<https://transparency.facebook.com/government-data-requests>accessed30September2018;Google’sTransparencyReport<https://transparencyreport.google.com/user-data/overview>accessed30September2018;Apple’sTransparencyReport,January–June2017<https://images.apple.com/legal/privacy/transparency/requests-2017-H1-en.pdf>accessed30September2018;seealsoMicrosoft’sTransparencyReport<https://www.microsoft.com/en-us/about/corporate-responsibility/lerr/>accessed30September2018.12See for instance, in the USA, Matt Cagle, ‘Facebook, Instagram, and Twitter Provided Data Access for aSurveillanceProductMarketedtoTargetActivistsofColor’ACLUNorthernCalifornia(11October2016).

1

Framing the Topic and the Research Questions

11

Chapter1:FramingtheTopicandtheResearchQuestions

Introduction

Biometrictechnologiesareverypresent inourdaily lives.Limitedfora longtimetothefieldsoflawenforcementandbordercontrols,biometrictechnologiesarenowcommonlyusedbytheprivatesector.Fingerprints,face,voiceoririsdataareused,amongothers,tobookpayments,giveaccesstoworkpremisesorunlockmobiledevices.1By2020,banksareestimatedtoofferbiometricservicestomorethan1,9millioncustomers.2Besidesthegrowinguseofbiometricdatabyprivateparties,anothertrendhasemergedthanks to the ‘vast trove of personal data’ that socialmedia and online platform hold.3Among the data collected are facial images (photographs, videos) and voice samples(videosoraudiomessages),whichcanbereprocessedforbiometricrecognitionpurposes.MarkZuckerberg,theFacebook’sCEO,hasrecentlyacknowledgedthatthesocialnetworkprocessesthephotographsuploadedontotheplatformforfacialrecognitionpurposes.4Afew years ago, the company developed facial recognition software to match people’spictureswithfriends’namesandencourageduserstoidentifypeoplethatlookedliketheirfriends.5After complaints from the Irish and theHamburgData ProtectionAuthorities,6Facebook deactivated the ‘tag’ feature in Europe,7but the company announced in April

1Ethan Ayer, ‘How Government Biometrics areMoving into the Private Sector’ (BiometricUpdate, 28 June2017)<https://www.biometricupdate.com/201706/how-government-biometrics-are-moving-into-the-private-sector>accessed30September2018.2Xavier Larduinat, ‘Biometrics and the Next Financial Sector Revolution' (blog.Gemalto, 22 May 2018)<https://blog.gemalto.com/financial-services/2018/05/22/biometrics-and-the-next-financial-sectorrevolution/> accessed 30 September 2018; Business Wire, ‘The Biometrics for Banking: Market andTechnology Analysis, Adoption Strategies and Forecasts 2018-2023- Second Edition’ (businesswire.com, 29June 2018) <https://www.businesswire.com/news/home/20180629005676/en/Biometrics-Banking-2018-Market-Technology-Analysis-Adoption>accessed30September2018.3The expression of ‘vast trove’ is commonly used in relation to the exploitation of collected data by socialmedia, see for instanceSominiSengupta, ‘Facebook’sProspectsMayRestonTroveofData’NewYorkTimes(14 May 2012) <https://www.nytimes.com/2012/05/15/technology/facebook-needs-to-turn-data-trove-into-investor-gold.html?pagewanted=all>accessed30September2018.4SteveAndriole,‘Facebook'sZuckerbergQuietlyDropsAnotherPrivacyBomb-FacialRecognition'Forbes(12April2018)<https://www.forbes.com/sites/steveandriole/2018/04/12/facebooks-zukerberg-quietly-drops-another-privacy-bomb-facial-recognition/#27ebe7fe51c0>accessed30September2018.5Forexample,IngridLunden,‘FacebookTurnsOffFacialRecognitionintheEU,GetstheAll-ClearOnSeveralPoints from Ireland's Data Protection Commissioner on its Review' TechCrunch (21 September 2012)<https://techcrunch.com/2012/09/21/facebook-turns-off-facial-recognition-in-the-eu-gets-the-all-clear-from-irelands-data-protection-commissioner-on-its-review/>accessed30September2018.6For instance, Press Association, ‘Facebook Faces Fines up to £80K’ The Guardian (21 September 2012)<https://www.theguardian.com/technology/2012/sep/21/facebook-faces-privacy-fine> accessed 30September2018;HelenPidd,‘FacebookFacialRecognitionSoftwareViolatesPrivacyLaws,saysGermany’TheGuardian (3 August 2011) <https://www.theguardian.com/technology/2011/aug/03/facebook-facial-recognition-privacy-germany>accessed30September2018.7TimBradshaw,‘FacebookEndsFacialRecognitioninEurope’FinancialTimes(21September2012)<https://www.ft.com/content/fa9c4af8-03fc-11e2-b91b-00144feabdc0>accessed30September2018.

2018itsintenttoreintroduceitinEuropebasedonusers’consent.8Inaddition,totestitsfacial matching algorithms, the social media has set up a private facial recognitiondatabaseforresearchpurposes.ButFacebookisnottheonlyonetoprocessforbiometricpurposes the data of its users. Google has also developed its own large-scale facialdatabasefedbythephotographsitholds.9Besides,theInternetsearchengineenablesitsuserstorecordtheirvoiceandaudioactivities.Oneofthepurposesofthe ‘GoogleVoiceandAudio'functionispreciselytoallowthecompanytouseindividuals'voicestoimproveitsspeechrecognitionsystems.10Facialimagesandvoicesamplesheldbysocialnetworksareparticularlyvaluabletolawenforcement authorities as they allow the identification of individuals based on thedistinctivecharacteristicsoftheirbody(e.g.facegeometry)orbehaviour(e.g.voicetone,accent). As reported by the transparency reports of the big tech companies (includingFacebookandGoogle),therequestsmadebylawenforcementauthoritiestoaccessusers'accounts and content have increased through the years.11Although the reports do notdisclose the types of content requested and obtained, one could assume that lawenforcementauthorities requestaccess topictures,videosandvoice samples, to furtherprocessthemincludingforbiometricrecognitionpurposes.12Lawenforcementauthoritiescanhaveaccesstobiometricdatathroughdifferentchannels.They can directly collect them, for instance during a criminal investigation. They canrequestaccesstobiometricdataheldindatabasessetupbypublicauthoritiesfornon-lawenforcementpurposes (such as databases constituted for border controls purposes).Ortheycanrequestaccess tobiometricdataheldbyprivateparties. It ison the lattercasethattheresearchfocuses.TheincreasingvolumeofbiometricdataheldbyprivatepartiesandtheadoptionofnewEUdataprotectionrulesjustifysuchachoice.Theresearchalsobuildsonatrendthathasgrownovertheyears,raisingconcernsonits impactsondata

8Tyron Stewart, ‘Facebook is Using GDPR as a Means to Bring Facial Recognition Back to Europe’MobileMarketing (18 April 2018) <https://mobilemarketingmagazine.com/facebook-facial-recognition-eu-europe-gdpr-canada>accessed30September2018.9AccordingtoIraKemelmacher-Schlizermanetal,severalsocialmediaandonlineplatformshaveconstitutedprivateresearchfacialdatabasebasedonthephotographsthattheyhold.FaceNet,theprivatedatabasesetupbyGoogleforresearchpurposesexclusivelyisdeemedtobethebiggestonecontainingmorethan500millionpictures from more than 10 million individuals, as described in Ira Kemelmacher-Shlizerman et al, ‘TheMegaFaceBenchmark:1MillionFaces forRecognitionatScale' (2015)<https://arxiv.org/abs/1512.00596>accessed30September2018.10SeeSupportGoogleonGoogleVoiceandAudioActivity<https://support.google.com/websearch/answer/6030020?co=GENIE.Platform%3DDesktop&hl=en>accessed30September2018.11Seeforinstance,Facebook’sTransparencyReportreleasedinMay2018<https://transparency.facebook.com/government-data-requests>accessed30September2018;Google’sTransparencyReport<https://transparencyreport.google.com/user-data/overview>accessed30September2018;Apple’sTransparencyReport,January–June2017<https://images.apple.com/legal/privacy/transparency/requests-2017-H1-en.pdf>accessed30September2018;seealsoMicrosoft’sTransparencyReport<https://www.microsoft.com/en-us/about/corporate-responsibility/lerr/>accessed30September2018.12See for instance, in the USA, Matt Cagle, ‘Facebook, Instagram, and Twitter Provided Data Access for aSurveillanceProductMarketedtoTargetActivistsofColor’ACLUNorthernCalifornia(11October2016).

Chapter 1

12

subjects’ rights: the access to and re-use by law enforcement authorities of biometricdatabasesinitiallyconstitutedforanon-lawenforcementpurpose.ThistendencyhasbeencriticisedbytheEuropeanDataProtectionSupervisor(EDPS),butmainlyinrelationtodatabasesconstitutedfortheasylumandbordercontrolspoliciesoftheEU.As early as2005, theEDPSwarnedagainst the risksposedby lawenforcement‘systematic’ access to databases constituted for a different purpose without specificjustificationsorsafeguards.13Itrepeateditsconcernsin2009and2012whenitreviewedthe proposals to extend the scope of the asylum seekers’ EU fingerprint database (theEURODAC)tolawenforcementauthorities.14Inparticular,itwasconcernedthatthedataatstakebelongedtoindividualsnotsuspectedof(havingcommitted)anycrime.15Italsohighlighted the challenges that such an extension of purpose posed to the principle ofpurpose limitation and warned against the risk of ‘function creep.’16From that timeonwards,theEDPShasnotstoppedreiteratingitscriticismstowardsatrendthathasbeen‘normalised.’ For instance, in recent proposals on border controls, the EuropeanCommission has proposed ‘from the start of the system’ to provide law enforcementauthorities access to foreign travellers’ databases.17The Article 29 Data ProtectionWorking Party (A29WP)18has also criticised and analysed this trend, including in itsOpinion on the principle of purpose limitation.19The role of this principle, whichconstitutesoneofthecoreelementsoftheresearch,isexplainedingreaterdetailsinthenextchapters.The research, however, does not focus on these public databases but on the trend ofsecondaryuseof biometricdataoriginating from theprivate sector.More specifically itinvestigatesthere-useofprivate-sectordatabylawenforcementauthoritiesbecauseitisassumedthatdatasubjectsmightbenefit fromadifferent levelofprotectionwhentheir

13EDPS, ‘Opinion of the European Data Protection Supervisor on the Proposal for a Council DecisionconcerningaccessforconsultationoftheVisaInformationSystem(VIS)bytheauthoritiesofMemberStatesresponsible for internal security and by Europol for the purposes of the prevention, detection andinvestigationof terrorist offences andofother serious criminaloffences (COM(2005)600 final)’ [2006]OJC97/6,6-7.14EDPS,‘OpinionoftheEuropeanDataProtectionSupervisorontheamendedproposalforaRegulationoftheEuropean Parliament and of the Council concerning the establishment of ‘Eurodac’ for the comparison offingerprints for the effective application of Regulation (EC) No (.../...) (establishing the criteria andmechanisms for determining the Member State responsible for examining an application for internationalprotectionlodgedinoneoftheMemberStatesbyathird-countrynationalorastatelessperson),andontheproposal for a Council Decision on requesting comparisons with Eurodac data by Member States’ lawenforcementauthoritiesandEuropolforlawenforcementpurposes’[2010]OJC92/1.15ibid8.16EDPS,‘OpinionoftheEuropeanDataProtectionSupervisorontheamendedproposalforaRegulationoftheEuropeanParliamentandoftheCouncilontheestablishmentof'EURODAC'forthecomparisonoffingerprintsfortheeffectiveapplicationofRegulation(EU)No[.../...][...](Recastversion)’[2012],7.<https://edps.europa.eu/sites/edp/files/publication/12-09-05_eurodac_en.pdf>accessed30September2018.17EDPS,‘Opinion06/2016,EDPSOpinionontheSecondEUSmartBordersPackage,RecommendationsontherevisedProposaltoestablishanEntry/ExitSystem’[2016],19-21.18AnindependentbodyadvisingtheEuropeanCommissionondataprotectionmatters,whichisreplacedbytheEuropeanDataProtectionBoardwiththeentryintoforceofthenewEUdataprotectionrules.19egA29WP, ‘Opinion05/2013onSmartBorders’ [2013]WP206;aswell asA29WP, ‘Opinion03/2013onpurposelimitation’[2013]WP203.

10

dataareinitiallycollectedforanon-lawenforcementpurpose(suchasanoperationalorcommercialpurpose)andfurtherprocessedforalawenforcementpurpose(suchasinthecontextofacriminalinvestigation).Thethesisfocusesonbiometricdatabecauseoftheirability to distinctively identify individuals through their ‘unique link’ to an individual’sbody or behaviour.20 Biometric data, which are the representations of biometriccharacteristics, have also been used for a long time by police authorities to identifyindividuals.21Thenovelty lies in thesourceof thedata,whichdonotoriginate fromlawenforcementauthoritiesbutfromtheprivatesector.Before the adoption of a comprehensive EU data protection framework, the rulesapplicable to the processing of personal data were split between the Data ProtectionDirective (Directive 95/46/EC) and a patchwork of instruments applicable to theprocessingofpersonaldataintheareaofpoliceandjudicialcooperation.Thisfragmentedlegalframeworkhasbeenreplacedbyageneralinstrumentapplicabletotheprocessingofpersonal data across sectors (the General Data Protection Regulation or GDPR)22and amorespecificdirectivegoverningtheprocessingofpersonaldataincriminalandjudicialcontexts (Directive2016/680or the ‘police’Directive).23The interfacebetween the twoinstrumentsanditsconsequencesonthesafeguardsgrantedtoindividualsareattheheartoftheresearch.

ResearchQuestionsWith theentry into forceof theLisbonTreaty,24theCharterofFundamentalRights (theCharter)becameabinding instrumenthavingthesamelegalvalueastheTreaties.25TheCharterproclaimsfundamentalrights,amongwhichtherighttotheprotectionofpersonaldata (Article 8 of the Charter). As detailed in the next section (theoretical framework),Article8oftheChartersetsoutthefundamentalrighttodataprotectionandspecifiestheconditions under which personal data should be processed. Paragraph 2 of Article 8provides,inparticular,that:

20The alleged ‘uniqueness’ of biometric characteristics, challenged by forensics experts, is discussed inChapters2and3ofthethesis.21Seeforinstance,thesystemofmeasurementsofhands,feet,andotherbody'spartsbyAlfredBertilloninthe19thCentury,inSimonCole, ‘MeasuringtheCriminalBody’,SuspectIdentities:AHistoryofFingerprintingandCriminalIdentification(HarvardUniversityPress2001)32-59.22European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016 on the protection ofindividualswithregardtotheprocessingofpersonaldataandofthefreemovementofsuchdataandrepealingDirective95/46/EC(GeneralDataProtectionRegulation)[2016]OJL119/1.23EuropeanParliamentandCouncilDirective(EU)2016/680of27April2016,on theprotectionofnaturalpersons with regard to the processing of personal data by competent authorities for the purposes of theprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andonthefreemovementofsuchdata,andrepealingCouncilFrameworkDecision2008/977/JHA[2016]OJL119/89. 24Treaty of Lisbon Amending the Treaty on European Union and the Treaty establishing the EuropeanCommunity[2007]OJC306/01.25art6of theTreatyonEuropeanUnion(TEU), seeConsolidatedVersionof theTreatyonEuropeanUnion[2016]OJC202/13,19.

1


13

subjects’ rights: the access to and re-use by law enforcement authorities of biometricdatabasesinitiallyconstitutedforanon-lawenforcementpurpose.ThistendencyhasbeencriticisedbytheEuropeanDataProtectionSupervisor(EDPS),butmainlyinrelationtodatabasesconstitutedfortheasylumandbordercontrolspoliciesoftheEU.As early as2005, theEDPSwarnedagainst the risksposedby lawenforcement‘systematic’ access to databases constituted for a different purpose without specificjustificationsorsafeguards.13Itrepeateditsconcernsin2009and2012whenitreviewedthe proposals to extend the scope of the asylum seekers’ EU fingerprint database (theEURODAC)tolawenforcementauthorities.14Inparticular,itwasconcernedthatthedataatstakebelongedtoindividualsnotsuspectedof(havingcommitted)anycrime.15Italsohighlighted the challenges that such an extension of purpose posed to the principle ofpurpose limitation and warned against the risk of ‘function creep.’16From that timeonwards,theEDPShasnotstoppedreiteratingitscriticismstowardsatrendthathasbeen‘normalised.’ For instance, in recent proposals on border controls, the EuropeanCommission has proposed ‘from the start of the system’ to provide law enforcementauthorities access to foreign travellers’ databases.17The Article 29 Data ProtectionWorking Party (A29WP)18has also criticised and analysed this trend, including in itsOpinion on the principle of purpose limitation.19The role of this principle, whichconstitutesoneofthecoreelementsoftheresearch,isexplainedingreaterdetailsinthenextchapters.The research, however, does not focus on these public databases but on the trend ofsecondaryuseof biometricdataoriginating from theprivate sector.More specifically itinvestigatesthere-useofprivate-sectordatabylawenforcementauthoritiesbecauseitisassumedthatdatasubjectsmightbenefit fromadifferent levelofprotectionwhentheir

13EDPS, ‘Opinion of the European Data Protection Supervisor on the Proposal for a Council DecisionconcerningaccessforconsultationoftheVisaInformationSystem(VIS)bytheauthoritiesofMemberStatesresponsible for internal security and by Europol for the purposes of the prevention, detection andinvestigationof terrorist offences andofother serious criminaloffences (COM(2005)600 final)’ [2006]OJC97/6,6-7.14EDPS,‘OpinionoftheEuropeanDataProtectionSupervisorontheamendedproposalforaRegulationoftheEuropean Parliament and of the Council concerning the establishment of ‘Eurodac’ for the comparison offingerprints for the effective application of Regulation (EC) No (.../...) (establishing the criteria andmechanisms for determining the Member State responsible for examining an application for internationalprotectionlodgedinoneoftheMemberStatesbyathird-countrynationalorastatelessperson),andontheproposal for a Council Decision on requesting comparisons with Eurodac data by Member States’ lawenforcementauthoritiesandEuropolforlawenforcementpurposes’[2010]OJC92/1.15ibid8.16EDPS,‘OpinionoftheEuropeanDataProtectionSupervisorontheamendedproposalforaRegulationoftheEuropeanParliamentandoftheCouncilontheestablishmentof'EURODAC'forthecomparisonoffingerprintsfortheeffectiveapplicationofRegulation(EU)No[.../...][...](Recastversion)’[2012],7.<https://edps.europa.eu/sites/edp/files/publication/12-09-05_eurodac_en.pdf>accessed30September2018.17EDPS,‘Opinion06/2016,EDPSOpinionontheSecondEUSmartBordersPackage,RecommendationsontherevisedProposaltoestablishanEntry/ExitSystem’[2016],19-21.18AnindependentbodyadvisingtheEuropeanCommissionondataprotectionmatters,whichisreplacedbytheEuropeanDataProtectionBoardwiththeentryintoforceofthenewEUdataprotectionrules.19egA29WP, ‘Opinion05/2013onSmartBorders’ [2013]WP206;aswell asA29WP, ‘Opinion03/2013onpurposelimitation’[2013]WP203.

10

dataareinitiallycollectedforanon-lawenforcementpurpose(suchasanoperationalorcommercialpurpose)andfurtherprocessedforalawenforcementpurpose(suchasinthecontextofacriminalinvestigation).Thethesisfocusesonbiometricdatabecauseoftheirability to distinctively identify individuals through their ‘unique link’ to an individual’sbody or behaviour.20 Biometric data, which are the representations of biometriccharacteristics, have also been used for a long time by police authorities to identifyindividuals.21Thenovelty lies in thesourceof thedata,whichdonotoriginate fromlawenforcementauthoritiesbutfromtheprivatesector.Before the adoption of a comprehensive EU data protection framework, the rulesapplicable to the processing of personal data were split between the Data ProtectionDirective (Directive 95/46/EC) and a patchwork of instruments applicable to theprocessingofpersonaldataintheareaofpoliceandjudicialcooperation.Thisfragmentedlegalframeworkhasbeenreplacedbyageneralinstrumentapplicabletotheprocessingofpersonal data across sectors (the General Data Protection Regulation or GDPR)22and amorespecificdirectivegoverningtheprocessingofpersonaldataincriminalandjudicialcontexts (Directive2016/680or the ‘police’Directive).23The interfacebetween the twoinstrumentsanditsconsequencesonthesafeguardsgrantedtoindividualsareattheheartoftheresearch.

ResearchQuestionsWith theentry into forceof theLisbonTreaty,24theCharterofFundamentalRights (theCharter)becameabinding instrumenthavingthesamelegalvalueastheTreaties.25TheCharterproclaimsfundamentalrights,amongwhichtherighttotheprotectionofpersonaldata (Article 8 of the Charter). As detailed in the next section (theoretical framework),Article8oftheChartersetsoutthefundamentalrighttodataprotectionandspecifiestheconditions under which personal data should be processed. Paragraph 2 of Article 8provides,inparticular,that:

20The alleged ‘uniqueness’ of biometric characteristics, challenged by forensics experts, is discussed inChapters2and3ofthethesis.21Seeforinstance,thesystemofmeasurementsofhands,feet,andotherbody'spartsbyAlfredBertilloninthe19thCentury,inSimonCole, ‘MeasuringtheCriminalBody’,SuspectIdentities:AHistoryofFingerprintingandCriminalIdentification(HarvardUniversityPress2001)32-59.22European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016 on the protection ofindividualswithregardtotheprocessingofpersonaldataandofthefreemovementofsuchdataandrepealingDirective95/46/EC(GeneralDataProtectionRegulation)[2016]OJL119/1.23EuropeanParliamentandCouncilDirective(EU)2016/680of27April2016,on theprotectionofnaturalpersons with regard to the processing of personal data by competent authorities for the purposes of theprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andonthefreemovementofsuchdata,andrepealingCouncilFrameworkDecision2008/977/JHA[2016]OJL119/89. 24Treaty of Lisbon Amending the Treaty on European Union and the Treaty establishing the EuropeanCommunity[2007]OJC306/01.25art6of theTreatyonEuropeanUnion(TEU), seeConsolidatedVersionof theTreatyonEuropeanUnion[2016]OJC202/13,19.

Chapter 1

14

‘Suchdata[i.e.personaldata]mustbeprocessedfairlyforspecifiedpurposesandonthebasisoftheconsentofthepersonconcernedorsomeotherlegitimatebasislaiddownbylaw.Everyonehastherightofaccesstodatawhichhasbeencollectedconcerninghimorher,andtherighttohaveitrectified.’26

Thefundamentalrighttodataprotectionisfleshedoutinsecondarylaw,andinparticularin the GDPR and the ‘police’ Directive. Due to the nature of the right and the type ofpersonaldataatstake,itislegitimatetoinvestigatetheguaranteesorsafeguardsaffordedto individuals whose personal data, held by private parties, are reprocessed by lawenforcementauthorities.Theresearchquestionofthestudyisthuswordedasfollows:

Which safeguards does the new EU data protection framework grant toindividuals whose biometric data were initially collected by private partiesandaresubsequentlyprocessedforalawenforcementpurposebycompetentauthorities?

Thismainquestionisaddressedthrough:1)AninvestigationoftheterminologyandthelegalnatureofbiometricdatafromanEUdataprotectionperspectivebasedonthefollowingquestions:

Howis thenotionof ‘biometricdata’definedandapproached fromatechnologicaland a data protection perspective? How does the new data protection frameworkdefinethecategoryof‘biometricdata’?Howdifferentarebiometricdatafromothertypesofpersonaldata?Is thereanyspecificprotectionattachedtothiscategoryofpersonaldata?

2)AdiscussionontheinterfacebetweentheGDPRandthe‘police’Directive,aswellastheindispensableassessmentof thesubsequentuseofprivate-sectorbiometricdata for lawenforcementpurposes,approachedthroughthefollowingquestions:

Does the new data protection framework address the collection of personal dataunderoneinstrument(theGDPR)andtheirfurtherprocessingundertheother(thenewDirective)?Inthisscenario,doestheprincipleofpurposelimitationplayinanyroleinlimitingorframingtheaccesstoandre-useofpersonaldatainitiallycollectedforadifferentpurpose?

Arethereanyspecificsafeguardstoprotectindividuals’rights?Doindividualshave,for instance, theright tobe informedof thesubsequentuseof theirpersonaldata?And how should these safeguards be mitigated with the interests pursued by lawenforcementauthorities?

26CharterofFundamentalRightsoftheEuropeanUnion[2000]OJC364/3,10,seenow[2016]OJC202/389,395.

3)Anattempttomitigatetheriskstotheindividuals’righttodataprotectionanddefinepossiblesolutionsbasedonthefollowingquestions:

Which role can the new tools of Data Protection by Design and Data ProtectionImpactAssessmentplay?Basedonthefindingsofthepreviousquestionsandontheaccountability tools provided by the new data protection framework, whichrecommendationscanbemade?

MethodologyThisresearchisalegalstudywithaninterdisciplinarycomponent.Theresearchquestioncannotbeansweredwithoutunderstandingthefieldofbiometricrecognition.Tothatend,theresearcherhascollaboratedwithscientists(engineersandcomputerscientists)duringthe preparation of the research. The non-legal elements of the study provide necessaryinsightsandareusedasdescriptiveandexplanatoryelements.27

1. InterdisciplinaryComponentThefirstsetofquestionsinvestigatesthecontextoftheresearch,comparingtheconceptof ‘biometric data' as defined in the new EU data protection framework with thetechnological notion, and assessing the impact of the new legal rules on biometric dataprocessing.Thefirstissueisaddressedintwochapters,oneontheterminology(Chapter2)andtheotheronthelegalnatureofbiometricdata(Chapter3).Tounderstand the field that the lawregulatesand theprocessingofbiometricdata, theresearchhasreliedonexpertsinthefield.Thepurposewastogainabasicknowledgeoftechnicalissuesthroughinformaldiscussionswithscientistsandthereadingofscientificliterature. Guidedby experts, the researcher could identify ‘topical’ technological issuesthatcouldhaveanimpactondataprotection.Forinstance,formanyyears,itwasbelievedthat biometric templates (such as fingerprint templates)were anonymous data as theywereamathematicalrepresentationoffingerprintimagesandcouldnotbetracedbacktothe individual to whom the fingerprints belonged.28However, several researchers haveshown that it is possible to reconstruct, though partially, a fingerprint image from afingerprint template.29Taking into account the current state-of-the-art, it would beincorrect to state that fingerprint templatesareanonymousdata, and thusnotpersonaldata.

27TheresearchfollowsinpartthemethodologydescribedbySchramainWendySchrama,‘HowtoCarryoutInterdisciplinaryLegalResearch:SomeExperienceswithanInterdisciplinaryResearchMethod'(2011)7(1)UtrechtLawReview147.28Seeinparticular,JanGrijpink,‘PrivacyLaw:BiometricsandPrivacy’(2001)17(3)ComputerLaw&SecurityReview154,156.29egKaiCaoandAnilJain,‘LearningFingerprintReconstruction:fromMinutiaetoImage’(2015)10(1)IEEETransactionsonInformationForensicsandSecurity104.

1


15

‘Suchdata[i.e.personaldata]mustbeprocessedfairlyforspecifiedpurposesandonthebasisoftheconsentofthepersonconcernedorsomeotherlegitimatebasislaiddownbylaw.Everyonehastherightofaccesstodatawhichhasbeencollectedconcerninghimorher,andtherighttohaveitrectified.’26

Thefundamentalrighttodataprotectionisfleshedoutinsecondarylaw,andinparticularin the GDPR and the ‘police’ Directive. Due to the nature of the right and the type ofpersonaldataatstake,itislegitimatetoinvestigatetheguaranteesorsafeguardsaffordedto individuals whose personal data, held by private parties, are reprocessed by lawenforcementauthorities.Theresearchquestionofthestudyisthuswordedasfollows:

Which safeguards does the new EU data protection framework grant toindividuals whose biometric data were initially collected by private partiesandaresubsequentlyprocessedforalawenforcementpurposebycompetentauthorities?

Thismainquestionisaddressedthrough:1)AninvestigationoftheterminologyandthelegalnatureofbiometricdatafromanEUdataprotectionperspectivebasedonthefollowingquestions:

Howis thenotionof ‘biometricdata’definedandapproached fromatechnologicaland a data protection perspective? How does the new data protection frameworkdefinethecategoryof‘biometricdata’?Howdifferentarebiometricdatafromothertypesofpersonaldata?Is thereanyspecificprotectionattachedtothiscategoryofpersonaldata?

2)AdiscussionontheinterfacebetweentheGDPRandthe‘police’Directive,aswellastheindispensableassessmentof thesubsequentuseofprivate-sectorbiometricdata for lawenforcementpurposes,approachedthroughthefollowingquestions:

Does the new data protection framework address the collection of personal dataunderoneinstrument(theGDPR)andtheirfurtherprocessingundertheother(thenewDirective)?Inthisscenario,doestheprincipleofpurposelimitationplayinanyroleinlimitingorframingtheaccesstoandre-useofpersonaldatainitiallycollectedforadifferentpurpose?

Arethereanyspecificsafeguardstoprotectindividuals’rights?Doindividualshave,for instance, theright tobe informedof thesubsequentuseof theirpersonaldata?And how should these safeguards be mitigated with the interests pursued by lawenforcementauthorities?

26CharterofFundamentalRightsoftheEuropeanUnion[2000]OJC364/3,10,seenow[2016]OJC202/389,395.

3)Anattempttomitigatetheriskstotheindividuals’righttodataprotectionanddefinepossiblesolutionsbasedonthefollowingquestions:

Which role can the new tools of Data Protection by Design and Data ProtectionImpactAssessmentplay?Basedonthefindingsofthepreviousquestionsandontheaccountability tools provided by the new data protection framework, whichrecommendationscanbemade?

MethodologyThisresearchisalegalstudywithaninterdisciplinarycomponent.Theresearchquestioncannotbeansweredwithoutunderstandingthefieldofbiometricrecognition.Tothatend,theresearcherhascollaboratedwithscientists(engineersandcomputerscientists)duringthe preparation of the research. The non-legal elements of the study provide necessaryinsightsandareusedasdescriptiveandexplanatoryelements.27

1. InterdisciplinaryComponentThefirstsetofquestionsinvestigatesthecontextoftheresearch,comparingtheconceptof ‘biometric data' as defined in the new EU data protection framework with thetechnological notion, and assessing the impact of the new legal rules on biometric dataprocessing.Thefirstissueisaddressedintwochapters,oneontheterminology(Chapter2)andtheotheronthelegalnatureofbiometricdata(Chapter3).Tounderstand the field that the lawregulatesand theprocessingofbiometricdata, theresearchhasreliedonexpertsinthefield.Thepurposewastogainabasicknowledgeoftechnicalissuesthroughinformaldiscussionswithscientistsandthereadingofscientificliterature. Guidedby experts, the researcher could identify ‘topical’ technological issuesthatcouldhaveanimpactondataprotection.Forinstance,formanyyears,itwasbelievedthat biometric templates (such as fingerprint templates)were anonymous data as theywereamathematicalrepresentationoffingerprintimagesandcouldnotbetracedbacktothe individual to whom the fingerprints belonged.28However, several researchers haveshown that it is possible to reconstruct, though partially, a fingerprint image from afingerprint template.29Taking into account the current state-of-the-art, it would beincorrect to state that fingerprint templatesareanonymousdata, and thusnotpersonaldata.

27TheresearchfollowsinpartthemethodologydescribedbySchramainWendySchrama,‘HowtoCarryoutInterdisciplinaryLegalResearch:SomeExperienceswithanInterdisciplinaryResearchMethod'(2011)7(1)UtrechtLawReview147.28Seeinparticular,JanGrijpink,‘PrivacyLaw:BiometricsandPrivacy’(2001)17(3)ComputerLaw&SecurityReview154,156.29egKaiCaoandAnilJain,‘LearningFingerprintReconstruction:fromMinutiaetoImage’(2015)10(1)IEEETransactionsonInformationForensicsandSecurity104.

Chapter 1

16

To build the ‘basic’ scientific knowledge, the researcher has consulted handbooks,manuals,andencyclopediainthefield.Inparticular,thebook‘IntroductiontoBiometrics’hasconstitutedasoundreferenceduringtheresearchasitintroducescriticaltopicssuchas terminology, security, privacy, biometric recognition techniques and modalities.30Completed with ‘the ‘Handbook on Biometrics’ on different biometric technologies,31itprovides a solid overview of the field and applicable modalities (face recognition, irisrecognition, hand geometry recognition, or fingerprint recognition to name a few).Specialisedhandbooksonfacerecognition32andfingerprintrecognition33havealsobeenconsultedforadeeperunderstandingofthetopic.Foracomprehensiveoverview,severalentries in the ‘Encyclopedia of Biometrics’ have constituted useful references,34inparticular,onthedistinctionbetweentheverificationandtheidentificationprocess;35theharmonisationofthebiometricvocabulary,36ortheoriginsoftheuseoffingerprintsinacriminal context.37The Encyclopedia containsmore than one thousand entries that areeitherdefinitionsorshortdescriptionsoftheconcepts,systems,algorithms,techniquesormodalities.Last,theresearchhasalsotakenintoaccountbookspresentingissuesrelatingto biometric technologies from legal, ethical, and technological perspectives, such as‘SecurityandPrivacyinBiometrics’38and‘EthicsandPolicyofBiometrics.’39Issues identified as essential for the research have been discussed with engineers andcomputer scientists who were partners in the EU-FP7 INGRESS project in which theresearcherparticipated.40Thisprojectwasdedicatedtothedevelopmentofnewtypesoffingerprintsensorsandinvolvedcollaborationbetweentechnicalandlegalexperts.Someof these partners indicated relevant scientific literature in the field of fingerprintreconstruction.41The discussions have been very useful to determine, for instance, if abiometric template contains identifying information and could thus qualify as personaland/or biometric data. They have also helped establish the distinction between theconcept of identification from a biometric recognition perspective and that from a dataprotectionperspective.Thosenuancesarediscussedinthenextchaptersofthethesis.

30AnilKJain,ArunA.Ross,andKarthikNandakumar(eds),IntroductiontoBiometrics(Springer2011).31AnilJain,PatrickFlynn,andArunRoss(eds),HandbookofBiometrics(Springer2008).32StanZLiandAnilKJain(eds),HandbookofFaceRecognition(2ndedn,Springer2011).33DavideMaltoni,DarioMaio,AnilKJain,andSalilPrabhakar(eds),HandbookofFingerprintRecognition(2ndedn,Springer2009).34StanZLiandAnilKJain(eds),EncyclopediaofBiometrics(Springer2015).35eg JamesLWayman, ‘BiometricVerification/Identification/Authentication/Recognition:TheTerminology'inEncyclopediaofBiometrics(n34)153-157.36egReneMcIver,‘BiometricVocabularyStandardization’inEncyclopediaofBiometrics(n34)157-160.37egDavideMaltoni,‘FingerprintRecognition,Overview’inEncyclopediaofBiometrics(n34)510-513.38PatrickCampisi(ed),SecurityandPrivacyinBiometrics(Springer2013).39AjayKumarandDavidZhang(eds),EthicsandPolicyofBiometrics,ThirdInternationalConferenceonEthicsandPolicyofBiometricsandInternationalDataSharing,IECB(Springer2010).40The INGRESSproject (InnovativeTechnology forFingerprintLiveScanners) ran fromNovember2013 toMay2017underthegrantagreementno312792.<http://www.ingress-project.eu>accessed30September2018.41SeeCaoandJain(n29).

14

2. LegalAnalysisThe second set of questions addresses the normative issues raised by the research. Itreliesonadoctrinalanalysisofthelaw,caselaw,guidelinesandopinionsinthefieldofEUdata protection. As defined by Mann, doctrine ‘explains, makes coherent or justifies asegment of the law as part of a larger system of law.’42According to Hutchinson andDuncan, ‘doctrinal research is research into the law and legal concepts. Thismethod ofresearch was the dominant influence in 19th and 20th century views of law and legalscholarship,andittendstodominatelegalresearchdesign.'43The research follows the Hutchinson and Duncan’s two-step approach methodology,whichconsistsinfirstfindingthesources,andtheninterpretingandanalysingthem.Thefirst step stateswhat the law says, i.e. the GDPR and Directive 2016/680,whereas thesecondone interprets the provisions. The interpretation ismade through theEuropeanCourtofJustice(ECJ)caselawonconceptsoriginatingfromthepreviousdataprotectioninstrument, Directive 95/46/EC, and the European Court of Human Rights (ECtHR)jurisprudenceonthescopeofandlimitationstotherighttoprivacyasencompassingtheright to data protection. The method is further described in the next section on the‘theoreticalframework.’Answers to the last setofquestionsarebasedon theaccountability tools introduced inbothinstruments,namelytheDataProtectionbydesignandbydefaultmeasuresandtheDataProtectionImpactAssessmentprovision.ThispartreliesontheinterpretationgiventotheprovisionsbytheEuropeanDataProtectionSupervisor(EDPS)andtheArticle29DataProtectionWorkingParty(A29WP).The legalmethodused, togetherwithspecificreferences totheprovisions,case lawandopinions,isfurtherdetailedinthenextsection.Finally, concerning the format of the thesis, the researcher has opted for a thesis bypublications. First, the topic of the dissertation and the adoption of the new legal dataprotectionframeworkduringtheresearchhavejustifiedthepublicationofthefindingsatan early stage of the research. Second, the submission and revision of the articles havehelped the researcher refine her analysis and argumentation in a very technical field.Third,theobjectiveoftheresearcherwastodevelopthenecessarywritingskillstopursueanacademiccareer,whiletestingherfindingsonthenewEUdataprotectionframework.

42TrischaMann (ed),AustralianLawDictionary(1st edn, OUP 2010) 197; Hutchinson andDuncan in TerryHutchinsonandNigelDuncan,‘DefiningandDescribingWhatWeDo:DoctrinalLegalResearch'(2012)17(1)DeakinLawReview83,84.43HutchinsonandDuncan,ibid85.

1


17

To build the ‘basic’ scientific knowledge, the researcher has consulted handbooks,manuals,andencyclopediainthefield.Inparticular,thebook‘IntroductiontoBiometrics’hasconstitutedasoundreferenceduringtheresearchasitintroducescriticaltopicssuchas terminology, security, privacy, biometric recognition techniques and modalities.30Completed with ‘the ‘Handbook on Biometrics’ on different biometric technologies,31itprovides a solid overview of the field and applicable modalities (face recognition, irisrecognition, hand geometry recognition, or fingerprint recognition to name a few).Specialisedhandbooksonfacerecognition32andfingerprintrecognition33havealsobeenconsultedforadeeperunderstandingofthetopic.Foracomprehensiveoverview,severalentries in the ‘Encyclopedia of Biometrics’ have constituted useful references,34inparticular,onthedistinctionbetweentheverificationandtheidentificationprocess;35theharmonisationofthebiometricvocabulary,36ortheoriginsoftheuseoffingerprintsinacriminal context.37The Encyclopedia containsmore than one thousand entries that areeitherdefinitionsorshortdescriptionsoftheconcepts,systems,algorithms,techniquesormodalities.Last,theresearchhasalsotakenintoaccountbookspresentingissuesrelatingto biometric technologies from legal, ethical, and technological perspectives, such as‘SecurityandPrivacyinBiometrics’38and‘EthicsandPolicyofBiometrics.’39Issues identified as essential for the research have been discussed with engineers andcomputer scientists who were partners in the EU-FP7 INGRESS project in which theresearcherparticipated.40Thisprojectwasdedicatedtothedevelopmentofnewtypesoffingerprintsensorsandinvolvedcollaborationbetweentechnicalandlegalexperts.Someof these partners indicated relevant scientific literature in the field of fingerprintreconstruction.41The discussions have been very useful to determine, for instance, if abiometric template contains identifying information and could thus qualify as personaland/or biometric data. They have also helped establish the distinction between theconcept of identification from a biometric recognition perspective and that from a dataprotectionperspective.Thosenuancesarediscussedinthenextchaptersofthethesis.

30AnilKJain,ArunA.Ross,andKarthikNandakumar(eds),IntroductiontoBiometrics(Springer2011).31AnilJain,PatrickFlynn,andArunRoss(eds),HandbookofBiometrics(Springer2008).32StanZLiandAnilKJain(eds),HandbookofFaceRecognition(2ndedn,Springer2011).33DavideMaltoni,DarioMaio,AnilKJain,andSalilPrabhakar(eds),HandbookofFingerprintRecognition(2ndedn,Springer2009).34StanZLiandAnilKJain(eds),EncyclopediaofBiometrics(Springer2015).35eg JamesLWayman, ‘BiometricVerification/Identification/Authentication/Recognition:TheTerminology'inEncyclopediaofBiometrics(n34)153-157.36egReneMcIver,‘BiometricVocabularyStandardization’inEncyclopediaofBiometrics(n34)157-160.37egDavideMaltoni,‘FingerprintRecognition,Overview’inEncyclopediaofBiometrics(n34)510-513.38PatrickCampisi(ed),SecurityandPrivacyinBiometrics(Springer2013).39AjayKumarandDavidZhang(eds),EthicsandPolicyofBiometrics,ThirdInternationalConferenceonEthicsandPolicyofBiometricsandInternationalDataSharing,IECB(Springer2010).40The INGRESSproject (InnovativeTechnology forFingerprintLiveScanners) ran fromNovember2013 toMay2017underthegrantagreementno312792.<http://www.ingress-project.eu>accessed30September2018.41SeeCaoandJain(n29).

14

2. LegalAnalysisThe second set of questions addresses the normative issues raised by the research. Itreliesonadoctrinalanalysisofthelaw,caselaw,guidelinesandopinionsinthefieldofEUdata protection. As defined by Mann, doctrine ‘explains, makes coherent or justifies asegment of the law as part of a larger system of law.’42According to Hutchinson andDuncan, ‘doctrinal research is research into the law and legal concepts. Thismethod ofresearch was the dominant influence in 19th and 20th century views of law and legalscholarship,andittendstodominatelegalresearchdesign.'43The research follows the Hutchinson and Duncan’s two-step approach methodology,whichconsistsinfirstfindingthesources,andtheninterpretingandanalysingthem.Thefirst step stateswhat the law says, i.e. the GDPR and Directive 2016/680,whereas thesecondone interprets the provisions. The interpretation ismade through theEuropeanCourtofJustice(ECJ)caselawonconceptsoriginatingfromthepreviousdataprotectioninstrument, Directive 95/46/EC, and the European Court of Human Rights (ECtHR)jurisprudenceonthescopeofandlimitationstotherighttoprivacyasencompassingtheright to data protection. The method is further described in the next section on the‘theoreticalframework.’Answers to the last setofquestionsarebasedon theaccountability tools introduced inbothinstruments,namelytheDataProtectionbydesignandbydefaultmeasuresandtheDataProtectionImpactAssessmentprovision.ThispartreliesontheinterpretationgiventotheprovisionsbytheEuropeanDataProtectionSupervisor(EDPS)andtheArticle29DataProtectionWorkingParty(A29WP).The legalmethodused, togetherwithspecificreferences totheprovisions,case lawandopinions,isfurtherdetailedinthenextsection.Finally, concerning the format of the thesis, the researcher has opted for a thesis bypublications. First, the topic of the dissertation and the adoption of the new legal dataprotectionframeworkduringtheresearchhavejustifiedthepublicationofthefindingsatan early stage of the research. Second, the submission and revision of the articles havehelped the researcher refine her analysis and argumentation in a very technical field.Third,theobjectiveoftheresearcherwastodevelopthenecessarywritingskillstopursueanacademiccareer,whiletestingherfindingsonthenewEUdataprotectionframework.

42TrischaMann (ed),AustralianLawDictionary(1st edn, OUP 2010) 197; Hutchinson andDuncan in TerryHutchinsonandNigelDuncan,‘DefiningandDescribingWhatWeDo:DoctrinalLegalResearch'(2012)17(1)DeakinLawReview83,84.43HutchinsonandDuncan,ibid85.

Chapter 1

18 15

TheoreticalFrameworkThestudycoversdifferentareas: thedataprotectionrulesapplicable todataprocessingforbothlawenforcementandnon-lawenforcementpurposes,aswellasthedefinitionandprocessingofbiometricdatafromdataprotectionandtechnologicalperspectives.Thekeyconceptsandtheoriesonwhichtheresearchisbased,awellasthelegalframework,aredescribedbelow.

ConceptsandTheoriesTheresearchassessesthenewEUdataprotectionframework,whichprovidesastatutorydefinitionoftheconceptof‘biometricdata’andappliesspecificrulestotheprocessingofpersonaldata for lawenforcementpurposes.This framework isadoptedon thebasisoftherighttodataprotectionenshrinedinArticle8oftheCharterofFundamentalRights.

TheEURighttoDataProtectionasaFundamentalRightEvenbefore theentry into forceof theCharterofFundamentalRights, the right todataprotectionwasrecognisedbytheECJasafundamentalright.44Withtheentryintoforceofthe Charter, the right to data protection became a full-fledged, albeit not absolute,fundamental right.45Restrictions to EU fundamental rights are, indeed, permitted underspecific conditions.46The main theory of the research is based on the scope of thefundamental right to the protection of personal data, also called the right to dataprotection.Specific guarantees derive from the fundamental nature of the right to data protection,such as the data protection principles of fair processing and purpose specification, therequirement of a legal basis (either individuals’ consent or other ‘legitimate basis laiddownbylaw’),andthedatasubjects’rightsofaccessandrectification.47Assetoutinthegeneral Article 52(1) of the Charter, fundamental rights can be limited under specificconditions. The limitationsmust be defined by law, respect the ‘essence’ of the right atstake,andcomplywiththeprinciplesofproportionalityandnecessity.48ThoseconditionsarebasedontheEuropeanCourtofJustice’scaselaw,asacknowledgedin thenon-bindingexplanations to theCharter.49After theentry into forceof theLisbonTreaty,andthusthebindingapplicationoftheCharter,theECJacknowledgedthe‘relative’

44AsacknowledgedbytheECJinitscaselawPromusicae,seeCaseC-275/06,ProductoresdeMúsicadeEspaña(Promusicae)vTelefónicadeEspañaSAU[2008]ECLI:EU:C:2008:54,paras63-65.45EstablishedbytheECJ’scaselawandart52(1)Charter,aswellasreflectedinRecital4GDPR.46art52(1)Charter.47art8(2)Charter.48art52oftheCharterreadsasfollows:‘1.AnylimitationontheexerciseoftherightsandfreedomsrecognisedbythisChartermustbeprovidedforby law and respect the essence of those rights and freedoms. Subject to the principle of proportionality,limitationsmay bemade only if they are necessary and genuinely meet the objectives of general interestrecognisedbytheUnionortheneedtoprotecttherightsandfreedomsofothers.’49ExplanationsrelatingtotheCharterofFundamentalRights[2007]OJC303/17,17-35.

natureoftherighttodataprotectionintheVolkercase,50whichitreiteratedinSchwarzonthecollectionandstorageoffingerprintsinEUcitizens’passports.51TheCourtstatedthat‘therighttotheprotectionofpersonaldataisnot,however,anabsoluteright,butmustbeconsidered in relation to its function in society.’52The Court did not explain what thisfunction is, but checked, instead, if the right to data protection had been infringed.53Commentingonthisdecision,MifsudBonnicihassuggestedthreepossiblefunctionstotherighttodataprotection:thefirstoneisbasedonthecontrolorautonomythatindividualsmightexerciseon theirpersonaldata; thesecondon the ‘trust’ thatdataprotectioncaninjectinsociety,andthelastoneislinkedtotheroleplayedbytherighttoenablecitizenstoparticipateinsociety.54Todate,theECJhasnotdiscussedthematter.Instead,itseemsthattheCourthasmovedtotheissueofthe ‘essence’oftherighttodataprotectionandthe permitted limitations to the fundamental rights.55But since Recital 4 of the GDPRexpresslyreferstotheECJ’sruling,56theECJmighthavetospecify,atapointintime,whatthefunctionoftherighttodataprotectioninsocietyis.The current research thus acknowledges the non-absolute nature of the right to dataprotectionanditspossiblelimitationsforlawenforcementpurposes,throughtheanalysisofcaselaw.However,thefocusofthestudyisnotonthejustificationsoftheselimitationsbutonthesafeguardsgiventoindividualswhentheirpersonaldata–beingbiometricdatain the situation at stake - are re-used by law enforcement authorities. The researchinvestigates the issues from the perspective of the data subjects and attempts todetermine whether the new data protection framework provide specific data subjects’safeguards(substantiveandproceduralones).Thesecondtheoryonwhichtheresearchisbuiltisthe‘conceptualisation’oftherighttodataprotection,57astherightofindividualstocontrolhowtheirpersonaldataareused.58

50Joined Cases C-92/09 and C-93/09 VolkerundMarkus ScheckeandHartmutEifert v LandHessen [2010]ECLI:EU:C:2010:662,para48. 51CaseC-291/12MichaelSchwarzvStadtBochum[2013]ECLI:EU:C:2013:670,para33.52ibidpara48.53JoinedCasesVolkerandEifert(n50).54JeanneMifsudBonnici, ‘Exploring theNon-AbsoluteNatureof theRight toDataProtection’ (2014)28(2)InternationalReviewofLaw,ComputersandTechnology131,132.55e.g.Opinion1/15of theCourt(GrandChamber)ontheDraftAgreementbetweenCanadaandtheEuropeanUnion[2017]ECLI:EU:C:2016:656,para150.56Recital4GDPRprovidesthat‘[t]herighttotheprotectionofpersonaldataisnotanabsoluteright;itmustbe considered in relation to its function in society and be balanced against other fundamental rights, inaccordancewiththeprincipleofproportionality.’57ToborrowtheexpressionfromTzanouinMariaTzanou, ‘DataProtectionasaFundamentalRightNexttoPrivacy?‘Reconstructing'anotsoNewRight'(2013)3(2)InternationalDataPrivacyLaw88,89-90;seealsoGloriaGonzálezFuster,TheEmergenceofPersonalDataProtectionasaFundamentalRightoftheEU(Springer2014)214-215.58Formulatedasa ‘righttoself-determination’bytheGermanConstitutionalCourt in its ‘PopulationCensusDecision', the concept ishowevernotpresent in allEUMemberStates jurisdictions, seeOrlaLynskey, ‘TheRole of Individual Control over Personal Data in EU Data Protection Law', the Foundations of EU DataProtection Law (OUP 2015), 178; see Maria Tzanou, ‘Data Protection as a Fundamental Right', TheFundamentalRighttoDataProtection:NormativeValueintheContextofCounter-TerrorismSurveillance(HartPublishing2017)7-44.

1


19 15

TheoreticalFrameworkThestudycoversdifferentareas: thedataprotectionrulesapplicable todataprocessingforbothlawenforcementandnon-lawenforcementpurposes,aswellasthedefinitionandprocessingofbiometricdatafromdataprotectionandtechnologicalperspectives.Thekeyconceptsandtheoriesonwhichtheresearchisbased,awellasthelegalframework,aredescribedbelow.

ConceptsandTheoriesTheresearchassessesthenewEUdataprotectionframework,whichprovidesastatutorydefinitionoftheconceptof‘biometricdata’andappliesspecificrulestotheprocessingofpersonaldata for lawenforcementpurposes.This framework isadoptedon thebasisoftherighttodataprotectionenshrinedinArticle8oftheCharterofFundamentalRights.

TheEURighttoDataProtectionasaFundamentalRightEvenbefore theentry into forceof theCharterofFundamentalRights, the right todataprotectionwasrecognisedbytheECJasafundamentalright.44Withtheentryintoforceofthe Charter, the right to data protection became a full-fledged, albeit not absolute,fundamental right.45Restrictions to EU fundamental rights are, indeed, permitted underspecific conditions.46The main theory of the research is based on the scope of thefundamental right to the protection of personal data, also called the right to dataprotection.Specific guarantees derive from the fundamental nature of the right to data protection,such as the data protection principles of fair processing and purpose specification, therequirement of a legal basis (either individuals’ consent or other ‘legitimate basis laiddownbylaw’),andthedatasubjects’rightsofaccessandrectification.47Assetoutinthegeneral Article 52(1) of the Charter, fundamental rights can be limited under specificconditions. The limitationsmust be defined by law, respect the ‘essence’ of the right atstake,andcomplywiththeprinciplesofproportionalityandnecessity.48ThoseconditionsarebasedontheEuropeanCourtofJustice’scaselaw,asacknowledgedin thenon-bindingexplanations to theCharter.49After theentry into forceof theLisbonTreaty,andthusthebindingapplicationoftheCharter,theECJacknowledgedthe‘relative’

44AsacknowledgedbytheECJinitscaselawPromusicae,seeCaseC-275/06,ProductoresdeMúsicadeEspaña(Promusicae)vTelefónicadeEspañaSAU[2008]ECLI:EU:C:2008:54,paras63-65.45EstablishedbytheECJ’scaselawandart52(1)Charter,aswellasreflectedinRecital4GDPR.46art52(1)Charter.47art8(2)Charter.48art52oftheCharterreadsasfollows:‘1.AnylimitationontheexerciseoftherightsandfreedomsrecognisedbythisChartermustbeprovidedforby law and respect the essence of those rights and freedoms. Subject to the principle of proportionality,limitationsmay bemade only if they are necessary and genuinely meet the objectives of general interestrecognisedbytheUnionortheneedtoprotecttherightsandfreedomsofothers.’49ExplanationsrelatingtotheCharterofFundamentalRights[2007]OJC303/17,17-35.

natureoftherighttodataprotectionintheVolkercase,50whichitreiteratedinSchwarzonthecollectionandstorageoffingerprintsinEUcitizens’passports.51TheCourtstatedthat‘therighttotheprotectionofpersonaldataisnot,however,anabsoluteright,butmustbeconsidered in relation to its function in society.’52The Court did not explain what thisfunction is, but checked, instead, if the right to data protection had been infringed.53Commentingonthisdecision,MifsudBonnicihassuggestedthreepossiblefunctionstotherighttodataprotection:thefirstoneisbasedonthecontrolorautonomythatindividualsmightexerciseon theirpersonaldata; thesecondon the ‘trust’ thatdataprotectioncaninjectinsociety,andthelastoneislinkedtotheroleplayedbytherighttoenablecitizenstoparticipateinsociety.54Todate,theECJhasnotdiscussedthematter.Instead,itseemsthattheCourthasmovedtotheissueofthe ‘essence’oftherighttodataprotectionandthe permitted limitations to the fundamental rights.55But since Recital 4 of the GDPRexpresslyreferstotheECJ’sruling,56theECJmighthavetospecify,atapointintime,whatthefunctionoftherighttodataprotectioninsocietyis.The current research thus acknowledges the non-absolute nature of the right to dataprotectionanditspossiblelimitationsforlawenforcementpurposes,throughtheanalysisofcaselaw.However,thefocusofthestudyisnotonthejustificationsoftheselimitationsbutonthesafeguardsgiventoindividualswhentheirpersonaldata–beingbiometricdatain the situation at stake - are re-used by law enforcement authorities. The researchinvestigates the issues from the perspective of the data subjects and attempts todetermine whether the new data protection framework provide specific data subjects’safeguards(substantiveandproceduralones).Thesecondtheoryonwhichtheresearchisbuiltisthe‘conceptualisation’oftherighttodataprotection,57astherightofindividualstocontrolhowtheirpersonaldataareused.58

50Joined Cases C-92/09 and C-93/09 VolkerundMarkus ScheckeandHartmutEifert v LandHessen [2010]ECLI:EU:C:2010:662,para48. 51CaseC-291/12MichaelSchwarzvStadtBochum[2013]ECLI:EU:C:2013:670,para33.52ibidpara48.53JoinedCasesVolkerandEifert(n50).54JeanneMifsudBonnici, ‘Exploring theNon-AbsoluteNatureof theRight toDataProtection’ (2014)28(2)InternationalReviewofLaw,ComputersandTechnology131,132.55e.g.Opinion1/15of theCourt(GrandChamber)ontheDraftAgreementbetweenCanadaandtheEuropeanUnion[2017]ECLI:EU:C:2016:656,para150.56Recital4GDPRprovidesthat‘[t]herighttotheprotectionofpersonaldataisnotanabsoluteright;itmustbe considered in relation to its function in society and be balanced against other fundamental rights, inaccordancewiththeprincipleofproportionality.’57ToborrowtheexpressionfromTzanouinMariaTzanou, ‘DataProtectionasaFundamentalRightNexttoPrivacy?‘Reconstructing'anotsoNewRight'(2013)3(2)InternationalDataPrivacyLaw88,89-90;seealsoGloriaGonzálezFuster,TheEmergenceofPersonalDataProtectionasaFundamentalRightoftheEU(Springer2014)214-215.58Formulatedasa ‘righttoself-determination’bytheGermanConstitutionalCourt in its ‘PopulationCensusDecision', the concept ishowevernotpresent in allEUMemberStates jurisdictions, seeOrlaLynskey, ‘TheRole of Individual Control over Personal Data in EU Data Protection Law', the Foundations of EU DataProtection Law (OUP 2015), 178; see Maria Tzanou, ‘Data Protection as a Fundamental Right', TheFundamentalRighttoDataProtection:NormativeValueintheContextofCounter-TerrorismSurveillance(HartPublishing2017)7-44.

Chapter 1

20

Thisconceptofindividuals’controlisexpresslyrecognisedinRecital7GDPR.59Recitals51and61ofthe‘police'Directivealsorefertothenotionofcontrol,butmoreintermsof‘lossof control' or ‘deprivation fromexercising control' resulting fromrisks todata subjects'rightsandfreedomsorfromdamagelinkedtoadatabreach.InMemberStates’traditions,andinparticular inGermany,therighttocontroloverpersonaldata isrecognisedasaninformationalrighttoself-determination.However,ithasneverbeenformulatedassuchbytheECJ.Severalauthorshavewrittenabouttheexistenceandscopeofsucharight,atnational and EU levels.60But as observed by Lynskey, ultimately, this control ‘at bestenables individuals to exercise rights’ but is not absolute control over their personaldata.61Itisonthisconceptionofrelativecontrolthattheresearchisdeveloped.

TheConceptof‘LawEnforcement’TheA29WPandtheEDPShavecriticisedthereprocessingofpersonaldataforpurposesother than their original purpose of collection, and in particular, in the context of lawenforcementreprocessing.62Someauthorshaveconceptualiseditasa‘shiftinthepurposeofprocessing.’63Notonlyhavethepersonaldataatstakebeeninitiallycollectedfornon-law enforcement purposes (e.g. commercial purposes, operational purposes or bordercontrolpurposes),buttheymightalsorelatetonon-suspectindividuals.AspointedoutbyBoehm,‘thisshift...hasseriousconsequencesfortherightsofindividuals,whichimplicitlyleadstoachangeintheapplicabledataprotectionrightsandtheirconnectedproceduralguarantees.’64The research is built on thishypothesis.And, asdataprotection rules aresplit intotwoinstruments–ageneralinstrumentandaspecificoneonlawenforcementprocessing-itiscriticaltomakingthisassessment.Inthecontextofthisstudy,theterm‘lawenforcement’referstoboththefieldcoveredbyDirective 2016/680 and the competent authorities processing the personal datawithinthescopeoftheDirective.FollowingArticle1(1)ofDirective2016/680,lawenforcementpurposesaredefinedas‘theprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionof

59Recital7GDPRprovidesthat‘[n]aturalpersonsshouldhavecontroloftheirownpersonaldata.’60Foraselectedliteratureontherighttoself-determinationinGermany,seeinparticular,JoeCannataci,‘LexPersonalitis&Technology-drivenLaw'(2008)5(1)Scripted,3;GerritHornungandChristophSchnabel,‘DataProtection inGermanyI: thePopulationCensusDecisionandtheRight to InformationalSelf-Determination'(2009)25(1)ComputerLawandReview84;AntoinetteRouvroyandYvesPoullet,‘theRighttoInformationalSelf-DeterminationandtheValueofSelf-Development:ReassessingtheImportanceofPrivacyforDemocracy’inSergeGutwirthetal(eds),ReinventingDataProtection?(Springer2009)45-76;J.C.Buitelaar,‘Privacy:BacktotheRoots’(2012)13(3)GermanLawJournal171;ChristopheLazaroandDanielLeMétayer ‘TheControloverPersonalData:TrueRemedyorFairyTale?’(2015)12(1)SCRIPT-ed3;andatEUlevel,seeLynskey,‘TheLinkbetweenDataProtectionandPrivacyintheEULegalOrder'(n58)89-130,andTzanou(n57)40.61SeeLynskey,‘TheLimitsofIndividualControloverPersonalData’(n58)230.62AsexplainedinSectionI.63Franziska Boehm, Information Sharing and Data Protection in the Area of Freedom, Security and Justice:TowardsHarmonisedDataProtectionPrinciplesforInformationExchangeatEU-level(Springer2012)382.64ibid.

18

criminal penalties.’65National security services are excluded from the scope of theDirective,aswellasdataprocessingintheareaofCommonForeignandSecurityPolicy.66Among the law enforcement purposes covered by the Directive, two are of particularinterestduetotheir impactondatasubjects’rights:processingforcriminalsurveillanceandcriminalinvestigationpurposes.‘Criminalsurveillance’isunderstood,forthepurposeofthisresearch,assurveillanceledbylawenforcement(orpolice)authorities,excludingfromitsscopesurveillancebynationalsecurityormilitaryagencies.Criminalsurveillanceis not linked to a specific offence, but to ‘risks and threats to security.’67It is used toanticipateorpreventcriminaloffences.AsobservedbyVervaele,‘insomecountriestheseinvestigations[carriedoutinthecontextofcriminalsurveillance]aresubmittedtoanex-ante judicial review, in others they are not.’68Thus, the rules applicable to criminalintelligence might greatly vary from one Member State to another. In the absence ofoffences, suspects, or victims, the impacts on data subjects' rightsmight also be higherthan those in the context of criminal investigation. By contrast, criminal investigationusually starts with an offence and falls within the criminal procedural framework atnational level. However, the distinction between the two is not always clear-cut: inparticular,criminalsurveillancecanalsobeused inthecontextofcriminal investigationandtargetspecificindividuals.69Asforlawenforcementauthorities,thosearethe‘competentauthorities’towhomtherulesoftheDirectiveapply.AssetoutinArticle3ofDirective2016/680,theyareeitherpublicauthorities (police or judicial authorities) or bodies entrusted with a law enforcementtask.70Lawenforcementauthoritiescoverbothpoliceandcriminaljusticeauthorities.

TheNotionof‘BiometricData’Theresearchinvestigatesthenotionof‘biometricdata’.Untiltheadoptionofthenewdataprotection framework, the notion had not been officially introduced in any EU dataprotectionlegislation.TheA29WPattemptedtodefinethenotion,71andboththeEDPS72

65art1(1)Directive2016/680;intheUSA,theconceptof‘lawenforcement’hasabroadermeaningasitalsocovers border enforcement, public security, national security, as well as non-criminal judicial andadministrativeproceedings,seeFinalReportbyEU-USHigh-LevelContactGrouponInformationSharingandPrivacyandPersonalDataProtection,28May2008,9831/08;as citedbydeBusser inElsDeBusser,DataProtectioninEUandUSCriminalCooperation:ASubstantiveLawApproachtotheEUInternalandTransatlanticCooperationinCriminalMattersbetweenJudicialandLawEnforcementAuthorities(Maklu2009)401.66Recital14Directive2016/680.67John Vervaele, ‘Surveillance and Criminal Investigation: Blurring of Thresholds and Boundaries in theCriminalJusticeSystem' inSergeGutwirth,RonaldLeenesandPauldeHert(eds),ReloadingDataProtection(Springer2014)115-116.68ibid.69Onthisspecificissue,seeIraRubinstein,GregoryNojeim,andRonaldLee,‘SystematicGovernmentAccesstoPrivate-Sector Data, A Comparative Analysis’ in Fred Cate and James Dempsey (eds), Bulk Collection,SystematicGovernment’sAccesstoPrivateSectorData(OUP2017)38-42.70art3(7)(a)-(b)Directive2016/680.71A29WP,‘Opinion4/2007ontheconceptofpersonaldata’[2007]WP136,8.72egEDPS, ‘OpinionoftheEuropeanDataProtectionSupervisoronthedraftCouncilRegulation(EC) layingdown the form of the laissez-passer to be issued to members and servants of the institutions' [2006] OJC313/36, 37 stating that: ‘biometric data are sensitive by definition’; and more recently, EDPS, ‘Opinion4/2018ontheProposalsfortwoRegulationsestablishingaframeworkforinteroperabilitybetweenEUlarge-

1


21

Thisconceptofindividuals’controlisexpresslyrecognisedinRecital7GDPR.59Recitals51and61ofthe‘police'Directivealsorefertothenotionofcontrol,butmoreintermsof‘lossof control' or ‘deprivation fromexercising control' resulting fromrisks todata subjects'rightsandfreedomsorfromdamagelinkedtoadatabreach.InMemberStates’traditions,andinparticular inGermany,therighttocontroloverpersonaldata isrecognisedasaninformationalrighttoself-determination.However,ithasneverbeenformulatedassuchbytheECJ.Severalauthorshavewrittenabouttheexistenceandscopeofsucharight,atnational and EU levels.60But as observed by Lynskey, ultimately, this control ‘at bestenables individuals to exercise rights’ but is not absolute control over their personaldata.61Itisonthisconceptionofrelativecontrolthattheresearchisdeveloped.

TheConceptof‘LawEnforcement’TheA29WPandtheEDPShavecriticisedthereprocessingofpersonaldataforpurposesother than their original purpose of collection, and in particular, in the context of lawenforcementreprocessing.62Someauthorshaveconceptualiseditasa‘shiftinthepurposeofprocessing.’63Notonlyhavethepersonaldataatstakebeeninitiallycollectedfornon-law enforcement purposes (e.g. commercial purposes, operational purposes or bordercontrolpurposes),buttheymightalsorelatetonon-suspectindividuals.AspointedoutbyBoehm,‘thisshift...hasseriousconsequencesfortherightsofindividuals,whichimplicitlyleadstoachangeintheapplicabledataprotectionrightsandtheirconnectedproceduralguarantees.’64The research is built on thishypothesis.And, asdataprotection rules aresplit intotwoinstruments–ageneralinstrumentandaspecificoneonlawenforcementprocessing-itiscriticaltomakingthisassessment.Inthecontextofthisstudy,theterm‘lawenforcement’referstoboththefieldcoveredbyDirective 2016/680 and the competent authorities processing the personal datawithinthescopeoftheDirective.FollowingArticle1(1)ofDirective2016/680,lawenforcementpurposesaredefinedas‘theprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionof

59Recital7GDPRprovidesthat‘[n]aturalpersonsshouldhavecontroloftheirownpersonaldata.’60Foraselectedliteratureontherighttoself-determinationinGermany,seeinparticular,JoeCannataci,‘LexPersonalitis&Technology-drivenLaw'(2008)5(1)Scripted,3;GerritHornungandChristophSchnabel,‘DataProtection inGermanyI: thePopulationCensusDecisionandtheRight to InformationalSelf-Determination'(2009)25(1)ComputerLawandReview84;AntoinetteRouvroyandYvesPoullet,‘theRighttoInformationalSelf-DeterminationandtheValueofSelf-Development:ReassessingtheImportanceofPrivacyforDemocracy’inSergeGutwirthetal(eds),ReinventingDataProtection?(Springer2009)45-76;J.C.Buitelaar,‘Privacy:BacktotheRoots’(2012)13(3)GermanLawJournal171;ChristopheLazaroandDanielLeMétayer ‘TheControloverPersonalData:TrueRemedyorFairyTale?’(2015)12(1)SCRIPT-ed3;andatEUlevel,seeLynskey,‘TheLinkbetweenDataProtectionandPrivacyintheEULegalOrder'(n58)89-130,andTzanou(n57)40.61SeeLynskey,‘TheLimitsofIndividualControloverPersonalData’(n58)230.62AsexplainedinSectionI.63Franziska Boehm, Information Sharing and Data Protection in the Area of Freedom, Security and Justice:TowardsHarmonisedDataProtectionPrinciplesforInformationExchangeatEU-level(Springer2012)382.64ibid.

18

criminal penalties.’65National security services are excluded from the scope of theDirective,aswellasdataprocessingintheareaofCommonForeignandSecurityPolicy.66Among the law enforcement purposes covered by the Directive, two are of particularinterestduetotheir impactondatasubjects’rights:processingforcriminalsurveillanceandcriminalinvestigationpurposes.‘Criminalsurveillance’isunderstood,forthepurposeofthisresearch,assurveillanceledbylawenforcement(orpolice)authorities,excludingfromitsscopesurveillancebynationalsecurityormilitaryagencies.Criminalsurveillanceis not linked to a specific offence, but to ‘risks and threats to security.’67It is used toanticipateorpreventcriminaloffences.AsobservedbyVervaele,‘insomecountriestheseinvestigations[carriedoutinthecontextofcriminalsurveillance]aresubmittedtoanex-ante judicial review, in others they are not.’68Thus, the rules applicable to criminalintelligence might greatly vary from one Member State to another. In the absence ofoffences, suspects, or victims, the impacts on data subjects' rightsmight also be higherthan those in the context of criminal investigation. By contrast, criminal investigationusually starts with an offence and falls within the criminal procedural framework atnational level. However, the distinction between the two is not always clear-cut: inparticular,criminalsurveillancecanalsobeused inthecontextofcriminal investigationandtargetspecificindividuals.69Asforlawenforcementauthorities,thosearethe‘competentauthorities’towhomtherulesoftheDirectiveapply.AssetoutinArticle3ofDirective2016/680,theyareeitherpublicauthorities (police or judicial authorities) or bodies entrusted with a law enforcementtask.70Lawenforcementauthoritiescoverbothpoliceandcriminaljusticeauthorities.

TheNotionof‘BiometricData’Theresearchinvestigatesthenotionof‘biometricdata’.Untiltheadoptionofthenewdataprotection framework, the notion had not been officially introduced in any EU dataprotectionlegislation.TheA29WPattemptedtodefinethenotion,71andboththeEDPS72

65art1(1)Directive2016/680;intheUSA,theconceptof‘lawenforcement’hasabroadermeaningasitalsocovers border enforcement, public security, national security, as well as non-criminal judicial andadministrativeproceedings,seeFinalReportbyEU-USHigh-LevelContactGrouponInformationSharingandPrivacyandPersonalDataProtection,28May2008,9831/08;as citedbydeBusser inElsDeBusser,DataProtectioninEUandUSCriminalCooperation:ASubstantiveLawApproachtotheEUInternalandTransatlanticCooperationinCriminalMattersbetweenJudicialandLawEnforcementAuthorities(Maklu2009)401.66Recital14Directive2016/680.67John Vervaele, ‘Surveillance and Criminal Investigation: Blurring of Thresholds and Boundaries in theCriminalJusticeSystem' inSergeGutwirth,RonaldLeenesandPauldeHert(eds),ReloadingDataProtection(Springer2014)115-116.68ibid.69Onthisspecificissue,seeIraRubinstein,GregoryNojeim,andRonaldLee,‘SystematicGovernmentAccesstoPrivate-Sector Data, A Comparative Analysis’ in Fred Cate and James Dempsey (eds), Bulk Collection,SystematicGovernment’sAccesstoPrivateSectorData(OUP2017)38-42.70art3(7)(a)-(b)Directive2016/680.71A29WP,‘Opinion4/2007ontheconceptofpersonaldata’[2007]WP136,8.72egEDPS, ‘OpinionoftheEuropeanDataProtectionSupervisoronthedraftCouncilRegulation(EC) layingdown the form of the laissez-passer to be issued to members and servants of the institutions' [2006] OJC313/36, 37 stating that: ‘biometric data are sensitive by definition’; and more recently, EDPS, ‘Opinion4/2018ontheProposalsfortwoRegulationsestablishingaframeworkforinteroperabilitybetweenEUlarge-

Chapter 1

22 19

andtheCourtofJusticereferredtotheirsensitivenature.73However,manyuncertaintiesremainedconcerningthenotionandtheregimeofdataprotectionapplicablethereof.Thetopic of biometrics through the lens of EU data protection and privacy has beenresearchedindepthbyElsKindt.Inthepre-GDPRarea,Kindthasinvestigatedtheconceptof biometric data and suggested the application of a test of proportionality for theprocessingofbiometricdatabyprivateparties.Herworkisthemostcomprehensiveanddetailed study that can be found in the field.74The study of Nancy Yue Liu can also bementioned,asLiuhasaddressedtheuseofbiometrictechnologiesandcomparedthelegalframeworks applicable in Europe, Australia, and the United States.75But neither studythoroughly covers the issue of law enforcement access to and use of biometric datacollectedbytheprivatesector.76The statutory notion of ‘biometric data’ is addressed in detail in Chapter 3 of thedissertation.

TheConceptof‘Safeguards’Theresearchaimstoassessthesafeguardsattachedtoorderivingfromthefundamentalrighttodataprotection.Theterm‘safeguards'isusedinmanydocumentsrelatingtodataprotection,but itdoesnotalwaysrefer to thesame typesofguarantees.Safeguardscanmeanthedataprotectionprinciplesapplicabletotheprocessingofpersonaldata,77butitcan also refer to data subjects' rights or themeasures put in place to protect the datathemselvesandensuretheirsecurityorrestrictaccesstothem.78Thetermisindeedverybroad.Inthecontextofthisresearch,‘safeguard'isunderstoodas‘guarantee'affordedtoindividuals when their personal data, namely biometric data, are collected for a GDPRpurpose and re-used for one of the purposes of the ‘police' Directive. The research

scaleinformationsystems'[2018]11,wheretheEDPSstatesthat‘…biometricdatawhichare,bynature,verysensitive.Indeed,unlikeotherpersonaldata,biometricdataareneithergivenbyathirdpartynorchosenbythe individual; they are immanent to the body itself and refer uniquely and permanently to a person.’<https://edps.europa.eu/sites/edp/files/publication/2018-04-16_interoperability_opinion_en.pdf> accessed30September2018.73TheECJdidnotrulethatbiometricdataaresensitivedata;butAGMengozzididinhisOpinioninCaseC-291/12, seeC-291/12MichaelSchwarzvStadtBochum[2013],OpinionofAdvocateGeneralMengozzi,para52,EU:C:2013:401.74Els Kindt, Privacy and Data Protection Issues of Biometric Applications, A Comparative Legal Analysis(Springer2013).75NancyYueLiu,Bio-Privacy,PrivacyRegulationsandtheChallengesofBiometrics(Routledge2012).76EvenifElsKindtmentionsthetopicinherresearch,seeKindt(n74)787-790.77Asdefinedinart5GDPRandart4(1)Directive2016/680.78 In that sense see for instance, William Lowrance, ‘Privacy, Confidentiality, Safeguards,’ Privacy,Confidentiality,andHealthResearch(CambridgeUniversityPress2012)34;EDPS,‘OpinionontheProposalforaRegulationoftheEuropeanParliamentandoftheCouncilconcerningtheVisaInformationSystem(VIS)andtheexchangeofdatabetweenMemberStatesonshortstay-visas(COM(2004)835final)’[2005]OJC181/13;A29WP,‘Opinion3/2006ontheDirective2006/24/ECoftheEuropeanParliamentandoftheCouncilontheretention of data generated or processed in connection with the provision of publicly available electroniccommunicationsservicesorofpubliccommunicationsnetworksandamendingDirective2002/58/EC’[2006]WP119,2-3;seealsoBignamiusingthetermtocoverbothsafeguardstoindividualsandtotheprotectionofdata in Francesca Bignami, ‘The US Legal System on Data Protection in the Field of Law Enforcement.Safeguards,RightsandRemediesforEUCitizens’(StudyfortheLIBECommittee,EuropeanParliament2015)<http://www.europarl.europa.eu/RegData/etudes/STUD/2015/519215/IPOL_STU%282015%29519215_EN.pdf>accessed30September2018.

20

investigates,inparticular,theexistenceofanyproceduralandsubstantivesafeguards,aswellastheroleplayedbytheprincipleofpurposelimitation.The notion of ‘safeguards’ originates from the ECtHR’s interpretation of the right toprivacyenshrinedinArticle8oftheEuropeanConventiononHumanRights(ECHR)andparticularly on the limitations to that right (Article8(2)ECHR). In the interpretationofthat provision, the ECtHR has checked at several occasions whether the nationallegislationatstakeprovided‘appropriatesafeguards’againstabuses:inparticularincasesof state surveillance,79police surveillance,80or criminal cases.81The ECJ has furtherdevelopedthenotioninitsjudgmentsondataretentionintheapplicationofbothArticles7 and 8 of the Charter. It is thus relevant to assesswhether the GDPR and the ‘police'Directive provide appropriate safeguards to individuals when their personal datacollected by private parties are reprocessed for a law enforcement purpose.82Theresearch aims to define the scope and nature of these safeguards, taking into accountpossible limitations for the sake of criminal investigation or crime prevention. Thesesafeguardsareanalysedanddiscussedindifferentchaptersofthestudy.

LegalFrameworkThe legal framework applicable to the research is composed of EU primary sources,namelyArticles7and8oftheCharter,EUsecondarylegislationandmorespecificallytheGDPRandthe ‘police’Directive(Directive2016/680),and finallycase lawand ‘soft’ lawinstrumentscomposedofOpinions,GuidelinesandRecommendationsofboththeA29WPandtheEDPS.

EUPrimarySourcesArticles7and8oftheCharter:fundamentalrightstoprivacyanddataprotectionIntheCharterofFundamentalRights,therighttodataprotectionisestablishedasarightdistinct from the right to privacy. These fundamental rights are enshrined in Article 7(righttorespectforprivateandfamilylife)andArticle8(righttotheprotectionofpersonaldata) of the Charter.83While Article 7 of the Charter corresponds to Article 8 ECHR;84

79egKlassandothersvGermanyAppno5029/71(ECHR,6September1978);RomanZakharovvRussiaAppno47143/06 (ECHR, 4 December 2015), and SzabóandVissyvHungaryApp no 37138/14 (ECHR, 12 January2016).80MalonevtheUnitedKingdomApp no 8691/79 (ECHR, 2 August 1984),andKhanvUK App no 35394/97(ECHR,12May2000).81egMKvFranceAppno19522/09(ECHR,18April2013).82On this specific issue, see the report by FranziskaBoehmbased on the previous data protection regime,FranziskaBoehm,‘AcomparisonbetweenUSandEUdataprotectionlegislationforlawenforcementpurposes'(StudyfortheLIBECommittee,EuropeanParliament2015)<http://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdf>accessed30September2018.83art7Charter(entitled‘respectforprivateandfamilylife’)providesthat‘everyonehastherighttorespectforhisorherprivateandfamilylife,homeandcommunications.’art8Charter(entitled‘protectionofpersonaldata’)readsasfollows:

a.Everyonehastherighttotheprotectionofpersonaldataconcerninghimorher.b.Suchdatamustbeprocessedfairlyforspecifiedpurposesandonthebasisoftheconsentofthepersonconcernedorsomeotherlegitimatebasislaiddownbylaw.Everyonehastherightofaccesstodatawhichhasbeencollectedconcerninghimorher,andtherighttohaveitrectified(…)

1


23 19

andtheCourtofJusticereferredtotheirsensitivenature.73However,manyuncertaintiesremainedconcerningthenotionandtheregimeofdataprotectionapplicablethereof.Thetopic of biometrics through the lens of EU data protection and privacy has beenresearchedindepthbyElsKindt.Inthepre-GDPRarea,Kindthasinvestigatedtheconceptof biometric data and suggested the application of a test of proportionality for theprocessingofbiometricdatabyprivateparties.Herworkisthemostcomprehensiveanddetailed study that can be found in the field.74The study of Nancy Yue Liu can also bementioned,asLiuhasaddressedtheuseofbiometrictechnologiesandcomparedthelegalframeworks applicable in Europe, Australia, and the United States.75But neither studythoroughly covers the issue of law enforcement access to and use of biometric datacollectedbytheprivatesector.76The statutory notion of ‘biometric data’ is addressed in detail in Chapter 3 of thedissertation.

TheConceptof‘Safeguards’Theresearchaimstoassessthesafeguardsattachedtoorderivingfromthefundamentalrighttodataprotection.Theterm‘safeguards'isusedinmanydocumentsrelatingtodataprotection,but itdoesnotalwaysrefer to thesame typesofguarantees.Safeguardscanmeanthedataprotectionprinciplesapplicabletotheprocessingofpersonaldata,77butitcan also refer to data subjects' rights or themeasures put in place to protect the datathemselvesandensuretheirsecurityorrestrictaccesstothem.78Thetermisindeedverybroad.Inthecontextofthisresearch,‘safeguard'isunderstoodas‘guarantee'affordedtoindividuals when their personal data, namely biometric data, are collected for a GDPRpurpose and re-used for one of the purposes of the ‘police' Directive. The research

scaleinformationsystems'[2018]11,wheretheEDPSstatesthat‘…biometricdatawhichare,bynature,verysensitive.Indeed,unlikeotherpersonaldata,biometricdataareneithergivenbyathirdpartynorchosenbythe individual; they are immanent to the body itself and refer uniquely and permanently to a person.’<https://edps.europa.eu/sites/edp/files/publication/2018-04-16_interoperability_opinion_en.pdf> accessed30September2018.73TheECJdidnotrulethatbiometricdataaresensitivedata;butAGMengozzididinhisOpinioninCaseC-291/12, seeC-291/12MichaelSchwarzvStadtBochum[2013],OpinionofAdvocateGeneralMengozzi,para52,EU:C:2013:401.74Els Kindt, Privacy and Data Protection Issues of Biometric Applications, A Comparative Legal Analysis(Springer2013).75NancyYueLiu,Bio-Privacy,PrivacyRegulationsandtheChallengesofBiometrics(Routledge2012).76EvenifElsKindtmentionsthetopicinherresearch,seeKindt(n74)787-790.77Asdefinedinart5GDPRandart4(1)Directive2016/680.78 In that sense see for instance, William Lowrance, ‘Privacy, Confidentiality, Safeguards,’ Privacy,Confidentiality,andHealthResearch(CambridgeUniversityPress2012)34;EDPS,‘OpinionontheProposalforaRegulationoftheEuropeanParliamentandoftheCouncilconcerningtheVisaInformationSystem(VIS)andtheexchangeofdatabetweenMemberStatesonshortstay-visas(COM(2004)835final)’[2005]OJC181/13;A29WP,‘Opinion3/2006ontheDirective2006/24/ECoftheEuropeanParliamentandoftheCouncilontheretention of data generated or processed in connection with the provision of publicly available electroniccommunicationsservicesorofpubliccommunicationsnetworksandamendingDirective2002/58/EC’[2006]WP119,2-3;seealsoBignamiusingthetermtocoverbothsafeguardstoindividualsandtotheprotectionofdata in Francesca Bignami, ‘The US Legal System on Data Protection in the Field of Law Enforcement.Safeguards,RightsandRemediesforEUCitizens’(StudyfortheLIBECommittee,EuropeanParliament2015)<http://www.europarl.europa.eu/RegData/etudes/STUD/2015/519215/IPOL_STU%282015%29519215_EN.pdf>accessed30September2018.

20

investigates,inparticular,theexistenceofanyproceduralandsubstantivesafeguards,aswellastheroleplayedbytheprincipleofpurposelimitation.The notion of ‘safeguards’ originates from the ECtHR’s interpretation of the right toprivacyenshrinedinArticle8oftheEuropeanConventiononHumanRights(ECHR)andparticularly on the limitations to that right (Article8(2)ECHR). In the interpretationofthat provision, the ECtHR has checked at several occasions whether the nationallegislationatstakeprovided‘appropriatesafeguards’againstabuses:inparticularincasesof state surveillance,79police surveillance,80or criminal cases.81The ECJ has furtherdevelopedthenotioninitsjudgmentsondataretentionintheapplicationofbothArticles7 and 8 of the Charter. It is thus relevant to assesswhether the GDPR and the ‘police'Directive provide appropriate safeguards to individuals when their personal datacollected by private parties are reprocessed for a law enforcement purpose.82Theresearch aims to define the scope and nature of these safeguards, taking into accountpossible limitations for the sake of criminal investigation or crime prevention. Thesesafeguardsareanalysedanddiscussedindifferentchaptersofthestudy.

LegalFrameworkThe legal framework applicable to the research is composed of EU primary sources,namelyArticles7and8oftheCharter,EUsecondarylegislationandmorespecificallytheGDPRandthe ‘police’Directive(Directive2016/680),and finallycase lawand ‘soft’ lawinstrumentscomposedofOpinions,GuidelinesandRecommendationsofboththeA29WPandtheEDPS.

EUPrimarySourcesArticles7and8oftheCharter:fundamentalrightstoprivacyanddataprotectionIntheCharterofFundamentalRights,therighttodataprotectionisestablishedasarightdistinct from the right to privacy. These fundamental rights are enshrined in Article 7(righttorespectforprivateandfamilylife)andArticle8(righttotheprotectionofpersonaldata) of the Charter.83While Article 7 of the Charter corresponds to Article 8 ECHR;84

79egKlassandothersvGermanyAppno5029/71(ECHR,6September1978);RomanZakharovvRussiaAppno47143/06 (ECHR, 4 December 2015), and SzabóandVissyvHungaryApp no 37138/14 (ECHR, 12 January2016).80MalonevtheUnitedKingdomApp no 8691/79 (ECHR, 2 August 1984),andKhanvUK App no 35394/97(ECHR,12May2000).81egMKvFranceAppno19522/09(ECHR,18April2013).82On this specific issue, see the report by FranziskaBoehmbased on the previous data protection regime,FranziskaBoehm,‘AcomparisonbetweenUSandEUdataprotectionlegislationforlawenforcementpurposes'(StudyfortheLIBECommittee,EuropeanParliament2015)<http://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdf>accessed30September2018.83art7Charter(entitled‘respectforprivateandfamilylife’)providesthat‘everyonehastherighttorespectforhisorherprivateandfamilylife,homeandcommunications.’art8Charter(entitled‘protectionofpersonaldata’)readsasfollows:

a.Everyonehastherighttotheprotectionofpersonaldataconcerninghimorher.b.Suchdatamustbeprocessedfairlyforspecifiedpurposesandonthebasisoftheconsentofthepersonconcernedorsomeotherlegitimatebasislaiddownbylaw.Everyonehastherightofaccesstodatawhichhasbeencollectedconcerninghimorher,andtherighttohaveitrectified(…)

Chapter 1

24

Article8oftheCharterisbasedonArticle8ECHRaswellasonArticle286oftheTreatyestablishing theEuropeanCommunity,85Directive95/46/EC,andConvention108of theCouncil of Europe.86The Charter links the two rights but establishes them as separaterights. By contrast, the ECtHRhas interpreted the right to privacy inArticle 8 ECHR asencompassingtherighttodataprotection.87AlthoughthetworightsareformallydistinctintheCharter,theEuropeanCourtofJusticemergedthemintoa‘hybrid’rightinitscaselawdecidedjustaftertheentryintoforceoftheCharter.MentioningexplicitlybothArticles7and8oftheCharter,theCourtreferredtoa‘righttorespectforprivatelifewithregardtotheprocessingofpersonaldata.’88Someauthorscriticisedthisapproach,opiningthattheECJshouldhaveinsteadestablishedtheexistenceofafundamentalrighttodataprotection,nexttotherighttoprivacy.89Inlaterdecisions,theECJseemstohaveabandonedthisapproach,clearlydistinguishingthetworightsandcitingArticles7and8individually.90Article16TFEU:SingleBasisforSecondaryEULawintheFieldofDataProtectionIntroducedbytheLisbonTreaty,Article16oftheTreatyontheFunctioningoftheEUisthe horizontal legal basis on which EU legislation on data protection across sectors isadopted.91It sets up the ordinary legislative procedure to adopt data protection rulesapplicable todifferentpolicyareas, including internalmarketand lawenforcement. It ison this ground that the EU institutions have adopted both the GDPR and the ‘police’Directive.However,despitethecollapseofthepillarstructure,Article16TFEUdoesnotimply that data protection rules will apply across all sectors via the same instrument.RulesondataprocessingintheareaofCommonForeignandSecurityProtectionremainsubject to adifferent legal basis.92As for lawenforcementprocessing,Declaration21ofthe Lisbon Treaty acknowledges their ‘specific nature’,93allowing for the adoption of a

c.Compliancewiththeserulesshallbesubjecttocontrolbyanindependentauthority.

84AsacknowledgedintheExplanationsrelatingtotheCharterofFundamentalRights(n49)20.85ReplacedbyArticle16TFEUandArticle39TEU.86SeeExplanationsrelatingtotheCharter(n49)20.87In particular,SandMarper vtheUnitedKingdom App nos 30562/04 and 30566/04 (ECHR, 4 December2008),para103:‘[t]heprotectionofpersonaldataisoffundamentalimportancetoaperson'senjoymentofhisorherrighttorespectforprivateandfamilylife,asguaranteedbyArticle8oftheConvention.’88VolkerandEifert(n50)para52.89eg Tzanou (n 57) 88-99; González Fuster (n 57) 234-235; but note, in contrast, Lynskey's analysis whoobserved that itwas too early to draw conclusions and that in the end the Courtmight not consider ‘dataprotectionasasubsetoftherighttoprivacy'inOrlaLynskey,‘ReconcilingDataProtectionwithOtherRightsandInterests’(n58)174.90eg Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others [2014]ECLI:EU:C:2014:238; Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v Post-och telestyrelsen andSecretaryofStatefortheHomeDepartmentvTomWatsonandothers [2016]ECLI:EU:C:2016:970,andCaseC-362/14MaximilianSchremsvDataProtectionCommissioner[2015]ECLI:EU:C:2015:650.91TotheexclusionoftheCommonForeignandPolicySecurityMatters.92Followingart39TreatyonEuropeanUnion.93‘Declarationontheprotectionofpersonaldatainthefieldsofjudicialcooperationincriminalmattersandpolicecooperation’,No.21,DeclarationsAnnexedtotheFinalActoftheIntergovernmentalConferencewhichadoptedtheTreatyofLisbon,OJEUC83/335,345.

22

different data protection regime in that area.94As a consequence, the data protectionpackagewasnotproposedas an ‘overarching’ instrument, but insteadas a lexgeneralis(the GDPR) completed by a lex specialis for law enforcement processing (the ‘police’Directive).

EUSecondaryLegislationBeforetheentryintoforceoftheLisbonTreaty,theEUcompetencesweresplitintothreepillars: the firstpillar covering internalmarketmatters, thesecond foreignandsecuritymatters, while the third on freedom, security and justice included criminal and policecooperationmatters.Pre-LisbonTreatyThemaintextapplicabletotheprocessingofpersonaldataforinternalmarketissueswas

theDataProtectionDirective(Directive95/46/EC);95whileapatchworkofrulesapplied

tothirdpillarmatters.96For instance,severaladhocCouncilFrameworkDecisionswere

adopted in theareasof security,police cooperation, andpolice and judicial cooperation

agencies.97But the most relevant instrument for law enforcement processing was the

CouncilFrameworkDecision2008/977/JHAontheprotectionofpersonaldataprocessed

by lawenforcementauthorities.98Thescopeof this instrumentwas,however, limited to

cross-borderdataprocessing.99MemberStateswerealsoencouragedtotakeintoaccount

thenon-bindingCouncilofEurope’sRecommendationontheuseofpersonaldata inthe

policesector(RecommendationR(87)15).100TheapplicationoftheRecommendationhas

also led to many discrepancies at the national level, as established in the report

‘RecommendationR(87)15:Twenty-FiveYearsDowntheLine.’101

94AsanalysedbyLynskeyinOrlaLynskey,‘TheKeyCharacteristicsoftheEUDataProtectionRegime’(n58)19; despite the statementmadeby theEUCommission inEuropeanCommission ‘Communication from theCommission to theEuropeanParliament, theCouncil, theEconomicandSocialCommitteeof theRegions:AComprehensiveApproachtoPersonalDataProtectionintheEuropeanUnion’COM(2010)609final[2010]4:‘Inparticular,thenewlegalbasisallowstheEUtohaveasinglelegalinstrumentforregulatingdataprotection,includingtheareasofpolicecooperationandjudicialcooperationincriminalmatters.’95EuropeanParliamentandCouncilDirective95/46/ECof24October1995ontheprotectionofindividualswithregardtotheprocessingofsuchdata(Directive95/46/EC)[1995]OJL281/31.96Seeamongothers,HielkeHijmansandAlfonsoScirocco, ‘Shortcomings inEUDataProtectionintheThirdand Secondpillars. Can theLisbonTreatyBeExpected toHelp?’ 46(5)CommonMarket LawReview1485,1496-1497.97Formoredetailedanalysis,seePaulDeHertandVagelisPapakonstantinou, ‘TheNewPoliceandCriminalJusticeDataProtectionDirective:AFirstAnalysis’(2016)7(1)NewJournalofEuropeanCriminalLaw7.98Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal dataprocessed in the framework of police and judicial cooperation in criminal matters (Council FrameworkDecision2008/977/JHA)[2008]OJL350/60.99Recital7CouncilFrameworkDecision2008/977/JHA.100CouncilofEuropeRecommendationNoR(87)15oftheCommitteeofMinisterstoMemberStatesregulatingtheuseofpersonaldatainthepolicesector[1987]<https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016804e7a3c>accessed30September2018.101JosephACannataciandMireilleMCaruana,‘RecommendationR(87)15:Twenty-FiveYearsDowntheLine'(2013)ReporttotheConsultativeCommitteeoftheConventionfortheProtectionofIndividualswithregardtoAutomaticProcessingofPersonalData,T-PD(2013)11

1


25

Article8oftheCharterisbasedonArticle8ECHRaswellasonArticle286oftheTreatyestablishing theEuropeanCommunity,85Directive95/46/EC,andConvention108of theCouncil of Europe.86The Charter links the two rights but establishes them as separaterights. By contrast, the ECtHRhas interpreted the right to privacy inArticle 8 ECHR asencompassingtherighttodataprotection.87AlthoughthetworightsareformallydistinctintheCharter,theEuropeanCourtofJusticemergedthemintoa‘hybrid’rightinitscaselawdecidedjustaftertheentryintoforceoftheCharter.MentioningexplicitlybothArticles7and8oftheCharter,theCourtreferredtoa‘righttorespectforprivatelifewithregardtotheprocessingofpersonaldata.’88Someauthorscriticisedthisapproach,opiningthattheECJshouldhaveinsteadestablishedtheexistenceofafundamentalrighttodataprotection,nexttotherighttoprivacy.89Inlaterdecisions,theECJseemstohaveabandonedthisapproach,clearlydistinguishingthetworightsandcitingArticles7and8individually.90Article16TFEU:SingleBasisforSecondaryEULawintheFieldofDataProtectionIntroducedbytheLisbonTreaty,Article16oftheTreatyontheFunctioningoftheEUisthe horizontal legal basis on which EU legislation on data protection across sectors isadopted.91It sets up the ordinary legislative procedure to adopt data protection rulesapplicable todifferentpolicyareas, including internalmarketand lawenforcement. It ison this ground that the EU institutions have adopted both the GDPR and the ‘police’Directive.However,despitethecollapseofthepillarstructure,Article16TFEUdoesnotimply that data protection rules will apply across all sectors via the same instrument.RulesondataprocessingintheareaofCommonForeignandSecurityProtectionremainsubject to adifferent legal basis.92As for lawenforcementprocessing,Declaration21ofthe Lisbon Treaty acknowledges their ‘specific nature’,93allowing for the adoption of a

c.Compliancewiththeserulesshallbesubjecttocontrolbyanindependentauthority.

84AsacknowledgedintheExplanationsrelatingtotheCharterofFundamentalRights(n49)20.85ReplacedbyArticle16TFEUandArticle39TEU.86SeeExplanationsrelatingtotheCharter(n49)20.87In particular,SandMarper vtheUnitedKingdom App nos 30562/04 and 30566/04 (ECHR, 4 December2008),para103:‘[t]heprotectionofpersonaldataisoffundamentalimportancetoaperson'senjoymentofhisorherrighttorespectforprivateandfamilylife,asguaranteedbyArticle8oftheConvention.’88VolkerandEifert(n50)para52.89eg Tzanou (n 57) 88-99; González Fuster (n 57) 234-235; but note, in contrast, Lynskey's analysis whoobserved that itwas too early to draw conclusions and that in the end the Courtmight not consider ‘dataprotectionasasubsetoftherighttoprivacy'inOrlaLynskey,‘ReconcilingDataProtectionwithOtherRightsandInterests’(n58)174.90eg Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others [2014]ECLI:EU:C:2014:238; Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v Post-och telestyrelsen andSecretaryofStatefortheHomeDepartmentvTomWatsonandothers [2016]ECLI:EU:C:2016:970,andCaseC-362/14MaximilianSchremsvDataProtectionCommissioner[2015]ECLI:EU:C:2015:650.91TotheexclusionoftheCommonForeignandPolicySecurityMatters.92Followingart39TreatyonEuropeanUnion.93‘Declarationontheprotectionofpersonaldatainthefieldsofjudicialcooperationincriminalmattersandpolicecooperation’,No.21,DeclarationsAnnexedtotheFinalActoftheIntergovernmentalConferencewhichadoptedtheTreatyofLisbon,OJEUC83/335,345.

22

different data protection regime in that area.94As a consequence, the data protectionpackagewasnotproposedas an ‘overarching’ instrument, but insteadas a lexgeneralis(the GDPR) completed by a lex specialis for law enforcement processing (the ‘police’Directive).

EUSecondaryLegislationBeforetheentryintoforceoftheLisbonTreaty,theEUcompetencesweresplitintothreepillars: the firstpillar covering internalmarketmatters, thesecond foreignandsecuritymatters, while the third on freedom, security and justice included criminal and policecooperationmatters.Pre-LisbonTreatyThemaintextapplicabletotheprocessingofpersonaldataforinternalmarketissueswas

theDataProtectionDirective(Directive95/46/EC);95whileapatchworkofrulesapplied

tothirdpillarmatters.96For instance,severaladhocCouncilFrameworkDecisionswere

adopted in theareasof security,police cooperation, andpolice and judicial cooperation

agencies.97But the most relevant instrument for law enforcement processing was the

CouncilFrameworkDecision2008/977/JHAontheprotectionofpersonaldataprocessed

by lawenforcementauthorities.98Thescopeof this instrumentwas,however, limited to

cross-borderdataprocessing.99MemberStateswerealsoencouragedtotakeintoaccount

thenon-bindingCouncilofEurope’sRecommendationontheuseofpersonaldata inthe

policesector(RecommendationR(87)15).100TheapplicationoftheRecommendationhas

also led to many discrepancies at the national level, as established in the report

‘RecommendationR(87)15:Twenty-FiveYearsDowntheLine.’101

94AsanalysedbyLynskeyinOrlaLynskey,‘TheKeyCharacteristicsoftheEUDataProtectionRegime’(n58)19; despite the statementmadeby theEUCommission inEuropeanCommission ‘Communication from theCommission to theEuropeanParliament, theCouncil, theEconomicandSocialCommitteeof theRegions:AComprehensiveApproachtoPersonalDataProtectionintheEuropeanUnion’COM(2010)609final[2010]4:‘Inparticular,thenewlegalbasisallowstheEUtohaveasinglelegalinstrumentforregulatingdataprotection,includingtheareasofpolicecooperationandjudicialcooperationincriminalmatters.’95EuropeanParliamentandCouncilDirective95/46/ECof24October1995ontheprotectionofindividualswithregardtotheprocessingofsuchdata(Directive95/46/EC)[1995]OJL281/31.96Seeamongothers,HielkeHijmansandAlfonsoScirocco, ‘Shortcomings inEUDataProtectionintheThirdand Secondpillars. Can theLisbonTreatyBeExpected toHelp?’ 46(5)CommonMarket LawReview1485,1496-1497.97Formoredetailedanalysis,seePaulDeHertandVagelisPapakonstantinou, ‘TheNewPoliceandCriminalJusticeDataProtectionDirective:AFirstAnalysis’(2016)7(1)NewJournalofEuropeanCriminalLaw7.98Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal dataprocessed in the framework of police and judicial cooperation in criminal matters (Council FrameworkDecision2008/977/JHA)[2008]OJL350/60.99Recital7CouncilFrameworkDecision2008/977/JHA.100CouncilofEuropeRecommendationNoR(87)15oftheCommitteeofMinisterstoMemberStatesregulatingtheuseofpersonaldatainthepolicesector[1987]<https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016804e7a3c>accessed30September2018.101JosephACannataciandMireilleMCaruana,‘RecommendationR(87)15:Twenty-FiveYearsDowntheLine'(2013)ReporttotheConsultativeCommitteeoftheConventionfortheProtectionofIndividualswithregardtoAutomaticProcessingofPersonalData,T-PD(2013)11

Chapter 1

26

NewDataProtectionFrameworkAfter the entry into force of the Lisbon Treaty, the European Commission proposed in2012acompleteoverhaulofthedataprotectionrules.TheEuropeanCommissioninitiallyplanned to introduce a single instrument to regulate data processing, including in thepoliceandcriminaljusticearea.102However,asnotedbyLynskey,103insteadofproposinga ‘comprehensive instrument,’ the European Commission proposed two distinctinstruments:ageneralregulation,whichbecametheGeneralDataProtectionRegulation(GDPR),104and a specific Directive, which became the ‘police' Directive applicable todomestic and cross-border processing of personal data in the law enforcement area.105The GDPR has repealedDirective 95/46/EC, and the ‘police' Directive has replaced theCouncilFrameworkDirective2008/977/JHAwhileextending its scope todomesticdataprocessing.106

CaseLawandSoft-LawInstrumentsTheresearchbuildsonareviewoftheECtHRandtheECJ’srespectivecaselawrelatingtotheprocessingofbiometricdata,107thetestofnecessityandproportionality(includingasappliedinthecontextofsurveillance),108aswellastheretentionofdataandtheiraccessforlawenforcementpurposes.109Besides,theresearchreliesonopinions,recommendations,orguidelines, issuedbyboththe A29WP and the EDPS. In particular, the A29WP has adopted several documentsrelevant to biometric data and biometric technologies pre-GDPR area. Both the A29WPand the EDPS have adopted opinions on the new data protection framework. As a sidenote,itshouldbeobservedthattheEuropeanDataProtectionBoard,whichreplacestheA29WP,hasendorsedA29WPdocumentsrelatingtotheGDPR.110

<https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016806840b2>accessed30September2018.102EuropeanCommission,‘CommunicationfromtheCommissiontotheEuropeanParliament,theCouncil,theEconomicandSocialCommitteeoftheRegions:AComprehensiveApproachtoPersonalDataProtectionintheEuropeanUnion’COM(2010)609final,4:‘Inparticular,thenewlegalbasisallowstheEUtohaveasinglelegalinstrumentforregulatingdataprotection,includingtheareasofpolicecooperationandjudicialcooperationincriminalmatters.’<https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM:2010:0609:FIN>accessed30September2018.103Lynskey(n94).104GDPR(n22).105Directive2016/680(n23).106See respectively Recital 7 Council Framework Decision 2008/977/JHA, and Recitals 6 and 7 Directive2016/680.107egSandMarpervUnitedKingdom(n87);MichaelSchwarzvStadtBochum(n51);JoinedCasesC-446/12toV-449/12WPWillemsandothers[2015]ECLI:EU:C:2015:238.108egHandysidevUKAppno5493/73(ECHR,7December1976);DigitalRightsIreland(n90);Tele2Sverige(n90),andSchrems(n90).109InparticularDigitalRightsIreland(n90)andTele2Sverige(n90).110SeethelistinEDPB,‘Endorsement1/2018’[2018]<https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf>accessed30September2018.

24

V. StructureThethesisiscomposedofsevenchapters, includingtheintroductionandtheconclusion.Fourofthechaptersarecomprisedofarticlespublishedinpeer-reviewedjournals.Eachofthemhastackledoneoftheissuesraisedbythetopic.Thejournalsinwhichpartsofthethesishavebeenpublishedare the InternationalDataPrivacyLaw Journal (Oxford), theComputer Law and Security Review (Elsevier), and the European Data Protection LawReview(Lexxion).Thejournalswereselectedfortheaudiencetheyreach,theirrankings,aswellas theirspecificscope.Twoof themfocusondataprotectionandprivacy issues,whereas one covers legal and technological topics. The articles are reproduced aspublished,savethreeminormodifications.First, forconsistencywiththeotherchapters,theheadingsandsub-headingsofthefirstarticlehavebeenalignedwiththestructureoftheotherarticles.Second,inthethirdarticle(chapter4),theterm‘data’wasinitiallyusedasasingularnounduetoeditorialrequirements.However,as‘data’isusedinalltheotherchapters as a plural noun, the third article has been amended accordingly.111Last, forbetterreadability,thefootnotesofthedifferentarticleshavebeenharmonisedasmuchaspossible.Chapter1 introduces theresearchandsetsout thebackground, theresearchquestions,themethodologyfollowed,aswellasthetheoreticalframework.Asapreliminaryremark,itshouldbeacknowledgedthattheresearchstartedin2014underthepreviousEUdataprotection regime, composed of theData ProtectionDirective and a patchwork of rulesapplicable to law enforcement authorities for the processing of personal data. In thecourse of the research, the new EU data protection reform package was adopted. Theadoptionof thenewregulatory framework implied toshift the focusof thestudy to theinterpretationofthenewprovisions.Chapter2addressesseveralterminologicalissues.Itbuildsonanobservation:thelackofrigour from EU bodies and institutions when they use the term ‘biometrics' to meaninterchangeably ‘biometric methods', ‘automated recognition' or ‘biometric data.' Fromthisobservationwasborntheneedtoclarifyanddistinguishtheconceptsof‘biometrics'and ‘biometric data' from both a technological and a legal perspective. The article hassurveyed reports, opinions, and other documents published by European bodies andinstitutions. It looksat thedifferencesbetween legaland technological realities.WrittenbeforetheadoptionofthenewEUdataprotectionframework, itextendstheanalysistothe European sphere covering both the EU's and the Council of Europe's legal orders.Published in the International Data Privacy Law, the article is entitled ‘AvoidingTerminologicalConfusionbetweentheNotionsof‘Biometrics’and‘BiometricData’:an

111Itshouldbenotedthatbothformscanbeusedandthechoicetousetheterm‘data‘(egpersonal,sensitiveorbiometricdata)asapluralnounwasguidedbyitsusagebytheEUinstitutionsinthelegalinstrumentsofreference.

1


27

NewDataProtectionFrameworkAfter the entry into force of the Lisbon Treaty, the European Commission proposed in2012acompleteoverhaulofthedataprotectionrules.TheEuropeanCommissioninitiallyplanned to introduce a single instrument to regulate data processing, including in thepoliceandcriminaljusticearea.102However,asnotedbyLynskey,103insteadofproposinga ‘comprehensive instrument,’ the European Commission proposed two distinctinstruments:ageneralregulation,whichbecametheGeneralDataProtectionRegulation(GDPR),104and a specific Directive, which became the ‘police' Directive applicable todomestic and cross-border processing of personal data in the law enforcement area.105The GDPR has repealedDirective 95/46/EC, and the ‘police' Directive has replaced theCouncilFrameworkDirective2008/977/JHAwhileextending its scope todomesticdataprocessing.106

CaseLawandSoft-LawInstrumentsTheresearchbuildsonareviewoftheECtHRandtheECJ’srespectivecaselawrelatingtotheprocessingofbiometricdata,107thetestofnecessityandproportionality(includingasappliedinthecontextofsurveillance),108aswellastheretentionofdataandtheiraccessforlawenforcementpurposes.109Besides,theresearchreliesonopinions,recommendations,orguidelines, issuedbyboththe A29WP and the EDPS. In particular, the A29WP has adopted several documentsrelevant to biometric data and biometric technologies pre-GDPR area. Both the A29WPand the EDPS have adopted opinions on the new data protection framework. As a sidenote,itshouldbeobservedthattheEuropeanDataProtectionBoard,whichreplacestheA29WP,hasendorsedA29WPdocumentsrelatingtotheGDPR.110

<https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016806840b2>accessed30September2018.102EuropeanCommission,‘CommunicationfromtheCommissiontotheEuropeanParliament,theCouncil,theEconomicandSocialCommitteeoftheRegions:AComprehensiveApproachtoPersonalDataProtectionintheEuropeanUnion’COM(2010)609final,4:‘Inparticular,thenewlegalbasisallowstheEUtohaveasinglelegalinstrumentforregulatingdataprotection,includingtheareasofpolicecooperationandjudicialcooperationincriminalmatters.’<https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM:2010:0609:FIN>accessed30September2018.103Lynskey(n94).104GDPR(n22).105Directive2016/680(n23).106See respectively Recital 7 Council Framework Decision 2008/977/JHA, and Recitals 6 and 7 Directive2016/680.107egSandMarpervUnitedKingdom(n87);MichaelSchwarzvStadtBochum(n51);JoinedCasesC-446/12toV-449/12WPWillemsandothers[2015]ECLI:EU:C:2015:238.108egHandysidevUKAppno5493/73(ECHR,7December1976);DigitalRightsIreland(n90);Tele2Sverige(n90),andSchrems(n90).109InparticularDigitalRightsIreland(n90)andTele2Sverige(n90).110SeethelistinEDPB,‘Endorsement1/2018’[2018]<https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf>accessed30September2018.

24

V. StructureThethesisiscomposedofsevenchapters, includingtheintroductionandtheconclusion.Fourofthechaptersarecomprisedofarticlespublishedinpeer-reviewedjournals.Eachofthemhastackledoneoftheissuesraisedbythetopic.Thejournalsinwhichpartsofthethesishavebeenpublishedare the InternationalDataPrivacyLaw Journal (Oxford), theComputer Law and Security Review (Elsevier), and the European Data Protection LawReview(Lexxion).Thejournalswereselectedfortheaudiencetheyreach,theirrankings,aswellas theirspecificscope.Twoof themfocusondataprotectionandprivacy issues,whereas one covers legal and technological topics. The articles are reproduced aspublished,savethreeminormodifications.First, forconsistencywiththeotherchapters,theheadingsandsub-headingsofthefirstarticlehavebeenalignedwiththestructureoftheotherarticles.Second,inthethirdarticle(chapter4),theterm‘data’wasinitiallyusedasasingularnounduetoeditorialrequirements.However,as‘data’isusedinalltheotherchapters as a plural noun, the third article has been amended accordingly.111Last, forbetterreadability,thefootnotesofthedifferentarticleshavebeenharmonisedasmuchaspossible.Chapter1 introduces theresearchandsetsout thebackground, theresearchquestions,themethodologyfollowed,aswellasthetheoreticalframework.Asapreliminaryremark,itshouldbeacknowledgedthattheresearchstartedin2014underthepreviousEUdataprotection regime, composed of theData ProtectionDirective and a patchwork of rulesapplicable to law enforcement authorities for the processing of personal data. In thecourse of the research, the new EU data protection reform package was adopted. Theadoptionof thenewregulatory framework implied toshift the focusof thestudy to theinterpretationofthenewprovisions.Chapter2addressesseveralterminologicalissues.Itbuildsonanobservation:thelackofrigour from EU bodies and institutions when they use the term ‘biometrics' to meaninterchangeably ‘biometric methods', ‘automated recognition' or ‘biometric data.' Fromthisobservationwasborntheneedtoclarifyanddistinguishtheconceptsof‘biometrics'and ‘biometric data' from both a technological and a legal perspective. The article hassurveyed reports, opinions, and other documents published by European bodies andinstitutions. It looksat thedifferencesbetween legaland technological realities.WrittenbeforetheadoptionofthenewEUdataprotectionframework, itextendstheanalysistothe European sphere covering both the EU's and the Council of Europe's legal orders.Published in the International Data Privacy Law, the article is entitled ‘AvoidingTerminologicalConfusionbetweentheNotionsof‘Biometrics’and‘BiometricData’:an

111Itshouldbenotedthatbothformscanbeusedandthechoicetousetheterm‘data‘(egpersonal,sensitiveorbiometricdata)asapluralnounwasguidedbyitsusagebytheEUinstitutionsinthelegalinstrumentsofreference.

Chapter 1

28 25

InvestigationintotheMeaningsoftheTermsfromaEuropeanDataProtectionandaScientificPerspective.’Buildingon theprevious chapter,Chapter3 analyses the legalnatureofbiometricdataafter theadoptionof thenewEUdataprotection framework. It focuseson thestatutorydefinition of ‘biometric data’. The article is one of the early interpretations of thedefinition.Thearticledescribes the four componentsof thedefinitionandaddresses, inparticular, the issue of identification from both data protection and technologicalperspectives. It finds out that the concepts do not match, as the concept of biometricidentification is very narrow and specific. It also criticises the criterion used to classifybiometricdataasa typeof sensitivedata:according to theGDPR, theyarenotsensitivepernaturebutbecomesensitiveiftheyareprocessedtouniquelyidentifyanindividual.Bycontrast, genetic data that also relate to individuals’ unique attributes are sensitive bynature.Basedonthestate-of-the-artinbiometricrecognition,whichallowsthedisclosureofavastamountof informationaboutanindividual(includinghisorherkinship),112thearticlequestionswhetherthedistinctionmadebetweengeneticdataandbiometricdataisjustified and sustainable. Entitled ‘Legal Nature of Biometric Data: from ‘Generic’PersonalDatatoSensitiveData,’thearticleispublishedintheEuropeanDataProtectionLawReview. Having set the legal and technical background, Chapter 4 and Chapter 5 analyse thescenariooflawenforcementaccesstoandre-useofpersonaldatacollectedbytheprivatesector.ThetwochaptersraisetheissueoftheinterfacebetweentheGDPRandDirective2016/680.WhiletheGDPRappliestothecollectionofpersonaldatabyprivateparties,therulescontainedinDirective2016/680applytothesubsequentuseofthesedataforalawenforcementpurpose.Chapters4and5arenotspecifictotheprocessingofbiometricdatabutareillustratedwithcasesinvolvingtheprocessingofbiometricdata.Chapter 4 reproduces the article published in the Computer Law and Security Reviewjournalunder the title ‘LawEnforcementAccesstoPersonalDataOriginallyCollectedby Private Parties: Missing Data Subjects’ Safeguards in Directive 2016/680?’ Thepurpose of the article is to determine whether Directive 2016/680 provides adequatesafeguardswhenpersonal data originating from theprivate sector are further accessedandusedby lawenforcement authorities.The articlebuildson the findingsof theECJ’scaseondataretention,andmorespecificallyDigitalRightsIrelandandTele2Sverige.ThescenariosattheoriginoftheCourt'sdecisionsaredifferentsinceinthetwocasesdataaremandatorilyretainedbyprivatepartiestobelateraccessedandusedbylawenforcementauthorities. However, the article applies the findings by analogy and finds out thatDirective2016/680mightnotprovideadequateprocedural and substantive safeguards.

112Thereisveryrecentresearchonthisissueintheareaoffaceverification;seeforinstanceMiguelBordalloLopez et al, ‘Kinship Verification from Facial Images and Videos: Human versus Machine’ (2018) 29(5)MachineVisionandApplications873.

26

In particular, the right to information defined in Article 13 of the Directive, does notimpose an obligation to inform and notify individuals that law enforcement authoritieshave further processed their personal data. If law enforcement purposes may justify adelay in providing the information to an individual, they do not justify an absence ofnotification. This notification is crucial for individuals, as it will trigger their right toremedy, aswell as other data subjects’ rights. Last, the article briefly touches upon theissueoftheprincipleofpurposelimitationasasafeguardinreprocessingdataacrossthetwoinstruments.Thislastissuemakesatransitiontothenextchapter,whichisentirelydedicatedtothatprinciple.Chapter 5 questions the role played by the principle of purpose limitation whenprocessing operations are carried out across the two instruments. Published in theEuropean Data Protection Law Review, the article focuses on the ‘Subsequent Use ofGDPR Data for a Law Enforcement Purpose: The Forgotten Principle of PurposeLimitation?’Theprincipleofpurposelimitationseemstobeanessentialelement,asitisexplicitlymentionedasoneofthecomponentsofthefundamentalrighttodataprotection(Article8of theCharter).Reviewing the rulesestablished respectively in theGDPRandDirective 2016/680, the scenario of subsequent processing across the two instrumentsseems to be forgotten or voluntarily omitted. Building on the ambiguous wording ofArticle4(2)ofDirective2016/680,thearticlesuggestsaboldinterpretationtofindarolefortheprincipleofpurposelimitation.However,awarethatthisinterpretationmightnotbedominant, the article concludeson the likelihoodof diverging interpretations amongMember States. This issue illustrates the existence of shortcomings in the relationshipbetweenthetwoinstruments.Chapter6 provides somerecommendations tomitigate the risks to individuals’ right todataprotectionbasedon theDataProtectionbyDesignand theDataProtection ImpactAssessmentmeasures.Apartofthechapterisbuiltonaconferencepaperdiscussingtherelationship between the concept of ‘Privacy by Design' and the principle of purposelimitation.Althoughasyetunpublished,thechapterisaddedtothedissertationtoprovidesome recommendations tailor-made to the law enforcement use of biometric datageneratedbytheprivatesector.Itisintendedtosubmitthischapterforpublication.Finally, Chapter 7 summarises the key findings of the study, answers the researchquestion, and suggests paths for future research in the field. It suggests focusing, forinstance,oncasestudies,suchasfacialrecognition.

1


29 25

InvestigationintotheMeaningsoftheTermsfromaEuropeanDataProtectionandaScientificPerspective.’Buildingon theprevious chapter,Chapter3 analyses the legalnatureofbiometricdataafter theadoptionof thenewEUdataprotection framework. It focuseson thestatutorydefinition of ‘biometric data’. The article is one of the early interpretations of thedefinition.Thearticledescribes the four componentsof thedefinitionandaddresses, inparticular, the issue of identification from both data protection and technologicalperspectives. It finds out that the concepts do not match, as the concept of biometricidentification is very narrow and specific. It also criticises the criterion used to classifybiometricdataasa typeof sensitivedata:according to theGDPR, theyarenotsensitivepernaturebutbecomesensitiveiftheyareprocessedtouniquelyidentifyanindividual.Bycontrast, genetic data that also relate to individuals’ unique attributes are sensitive bynature.Basedonthestate-of-the-artinbiometricrecognition,whichallowsthedisclosureofavastamountof informationaboutanindividual(includinghisorherkinship),112thearticlequestionswhetherthedistinctionmadebetweengeneticdataandbiometricdataisjustified and sustainable. Entitled ‘Legal Nature of Biometric Data: from ‘Generic’PersonalDatatoSensitiveData,’thearticleispublishedintheEuropeanDataProtectionLawReview. Having set the legal and technical background, Chapter 4 and Chapter 5 analyse thescenariooflawenforcementaccesstoandre-useofpersonaldatacollectedbytheprivatesector.ThetwochaptersraisetheissueoftheinterfacebetweentheGDPRandDirective2016/680.WhiletheGDPRappliestothecollectionofpersonaldatabyprivateparties,therulescontainedinDirective2016/680applytothesubsequentuseofthesedataforalawenforcementpurpose.Chapters4and5arenotspecifictotheprocessingofbiometricdatabutareillustratedwithcasesinvolvingtheprocessingofbiometricdata.Chapter 4 reproduces the article published in the Computer Law and Security Reviewjournalunder the title ‘LawEnforcementAccesstoPersonalDataOriginallyCollectedby Private Parties: Missing Data Subjects’ Safeguards in Directive 2016/680?’ Thepurpose of the article is to determine whether Directive 2016/680 provides adequatesafeguardswhenpersonal data originating from theprivate sector are further accessedandusedby lawenforcement authorities.The articlebuildson the findingsof theECJ’scaseondataretention,andmorespecificallyDigitalRightsIrelandandTele2Sverige.ThescenariosattheoriginoftheCourt'sdecisionsaredifferentsinceinthetwocasesdataaremandatorilyretainedbyprivatepartiestobelateraccessedandusedbylawenforcementauthorities. However, the article applies the findings by analogy and finds out thatDirective2016/680mightnotprovideadequateprocedural and substantive safeguards.

112Thereisveryrecentresearchonthisissueintheareaoffaceverification;seeforinstanceMiguelBordalloLopez et al, ‘Kinship Verification from Facial Images and Videos: Human versus Machine’ (2018) 29(5)MachineVisionandApplications873.

26

In particular, the right to information defined in Article 13 of the Directive, does notimpose an obligation to inform and notify individuals that law enforcement authoritieshave further processed their personal data. If law enforcement purposes may justify adelay in providing the information to an individual, they do not justify an absence ofnotification. This notification is crucial for individuals, as it will trigger their right toremedy, aswell as other data subjects’ rights. Last, the article briefly touches upon theissueoftheprincipleofpurposelimitationasasafeguardinreprocessingdataacrossthetwoinstruments.Thislastissuemakesatransitiontothenextchapter,whichisentirelydedicatedtothatprinciple.Chapter 5 questions the role played by the principle of purpose limitation whenprocessing operations are carried out across the two instruments. Published in theEuropean Data Protection Law Review, the article focuses on the ‘Subsequent Use ofGDPR Data for a Law Enforcement Purpose: The Forgotten Principle of PurposeLimitation?’Theprincipleofpurposelimitationseemstobeanessentialelement,asitisexplicitlymentionedasoneofthecomponentsofthefundamentalrighttodataprotection(Article8of theCharter).Reviewing the rulesestablished respectively in theGDPRandDirective 2016/680, the scenario of subsequent processing across the two instrumentsseems to be forgotten or voluntarily omitted. Building on the ambiguous wording ofArticle4(2)ofDirective2016/680,thearticlesuggestsaboldinterpretationtofindarolefortheprincipleofpurposelimitation.However,awarethatthisinterpretationmightnotbedominant, the article concludeson the likelihoodof diverging interpretations amongMember States. This issue illustrates the existence of shortcomings in the relationshipbetweenthetwoinstruments.Chapter6 provides somerecommendations tomitigate the risks to individuals’ right todataprotectionbasedon theDataProtectionbyDesignand theDataProtection ImpactAssessmentmeasures.Apartofthechapterisbuiltonaconferencepaperdiscussingtherelationship between the concept of ‘Privacy by Design' and the principle of purposelimitation.Althoughasyetunpublished,thechapterisaddedtothedissertationtoprovidesome recommendations tailor-made to the law enforcement use of biometric datageneratedbytheprivatesector.Itisintendedtosubmitthischapterforpublication.Finally, Chapter 7 summarises the key findings of the study, answers the researchquestion, and suggests paths for future research in the field. It suggests focusing, forinstance,oncasestudies,suchasfacialrecognition.

Chapter 2Avoiding Terminological Confusion between the

Notions of ‘Biometrics’ and ‘Biometric Data’

32

Chapter 2: Avoiding Terminological Confusion between the Notions of‘Biometrics’and‘BiometricData’

An Investigation into theMeaningsof theTerms fromaEuropeanDataProtectionandaScientificPerspective*Abstract:This article has beenmotivated by an observation: the lack of rigour by European bodieswhen they use scientific terms to address data protection and privacy issues raised bybiometric technologies and biometric data. In particular, they improperly use the term‘biometrics’tomeanatthesametime‘biometricdata’,‘identificationmethod’,or‘biometrictechnologies.’Basedonthisobservation,thereisaneedtoclarifywhat‘biometrics’meansforthebiometriccommunity,andwhetherandhowthelegalcommunityshouldusethetermina data protection andprivacy context. In parallel to that exercise of clarification, there isalso a need to investigate the current legal definition of ‘biometric data’ as framed byEuropean bodies at the level of the European Union and the Council of Europe. Thecomparisonof the regulatoryand scientificdefinitionsof the term ‘biometricdata’ revealsthatthetermisusedintwodifferentcontexts.However,itislegitimatetoquestiontherolethat thescientificdefinitioncouldexerciseon theregulatorydefinition.Moreprecisely, thequestioniswhetherthetechnicalprocessthroughwhichbiometricinformationisextractedandtransformedintoabiometrictemplateshouldbereflectedintheregulatorydefinitionoftheterm.

IntroductionBiometric technologies allow the capture, collection, and processing of biometricinformationaboutindividuals.Theirinformationisthentransformedintodigitalbitsthatcanberetrievedwhennecessaryforcomparison.Thebiometricprocessingofindividuals’information and data raises personal data protection issues. The first one is whetherindividuals’biometricdataconstituteacategoryofpersonaldataasdefinedatEuropeanlevel.Buttobeabletodeterminethelegalregimeapplicabletobiometricdata,onemustunderstandandassessthedefinition(s)giventotheterm‘biometricdata’bytheEuropeandata protection community. This is highly relevant since the European Commission hasintroducedaregulatorydefinitionoftheterminitsproposalsofrevisionoftheEuropean

*Articlepublished in the InternationalDataPrivacyLaw journal (IDPL), volume6, issue1, February2016,pages63-76;theauthorwishestothankProfJeanneMifsudBonniciandProfLaurenceGormleyfortheirveryvaluablecommentsandtheanonymouspeer-reviewers.Theviewsexpressedinthisarticlearesolelythoseoftheauthor.Allremainingerrorsaretheauthor’ssoleresponsibility.

Data Protection Framework. This reform, commonly designated under the name of theData Protection Reform Package,1is composed of a General Data Protection Regulation(GDPR) (replacing the current Data Protection Directive, Directive 95/46/EC)2and aspecificDirectiveondataprotectionandlawenforcement(replacingthecurrentCouncilFramework Decision 2008/780/JHA).3The European Parliament (EP) voted in firstreading the two proposals of the package in March 2014,4whereas the Council of theEuropeanUnion (EU) only agreed in June 2015 on a text for the GDPR.5At the time ofwriting, theEuropeanCommission,EPandCouncilof theEUhavestarteda ‘trilogue’ontheproposalof theGDPR,6whereastheCouncilof theEUpursues itsdiscussionsamongitsmembersontheproposalforaDirectiveinlawenforcementanddataprotection.Asaconsequence,regulatorydefinitionofbiometricdataatEUlevelreferredtointhearticleistheonecontainedintheoriginalproposaloftheGDPRtogetherwithitsamendedversionadoptedbytheEuropeanParliamentandagreedbytheCounciloftheEU.Byclarifyingthemeaningof‘biometricdata’fromaEuropeandataprotectionperspective,thereisaneedtodistinguishitfromtheterm‘biometrics’.Aswillbeexplainedinthefirstsection ‘Biometrics: a catchall notion?’, different Europeanbodies have indeedused theterm ‘biometrics’ in their legal opinions and reports to mean all at the same time

1Thetwoproposalsaredesignatedundertheexpression‘DataProtectionReformPackage’,althoughitisnottheofficialnamegivenbytheEuropeanCommission.However,severalEuropeanbodies,suchastheEuropeanDataProtectionSupervisor,haveusedthisexpressiontodesignatethetwoproposals.See,forexample,EDPS‘OpinionoftheEuropeanDataProtectionSupervisoronthedataprotectionreformpackage’[2012]<https://edps.europa.eu/sites/edp/files/publication/12-03-07_edps_reform_package_en.pdf>accessed20July2015.2European Commission, Proposal for a Regulation of the European Parliament and of the Council on theprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata(GeneralDataProtectionRegulation),COM(2012)11final[2012]<https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012PC0011&from=EN>accessed20July2015.3European Commission, Proposal for a Directive of the European Parliament and of the Council on theprotection of individuals with regard to the processing of personal data by competent authorities for thepurposes of prevention, investigation, detection or prosecution of criminal offences or the execution ofcriminalpenalties,andthefreemovementofsuchdata,COM(2012)10final,2012/0010(COD)[2012]<https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012PC0010&from=en>accessed20July2015.4EuropeanParliament,legislativeresolutionontheproposalforaregulationoftheEuropeanParliamentandoftheCouncilontheprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata(GeneralDataProtectionRegulation)(COM(2012)0011-C7-0025/2012–2012/0011(COD))[2014]<http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2014-0212&language=EN&ring=A7-2013-0402>accessed20July2015.EuropeanParliament,legislativeresolutionontheproposalforadirectiveoftheEuropeanParliamentandofthe Council on the protection of individuals with regard to the processing of personal data by competentauthoritiesforthepurposesofprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecution of criminal penalties, and the freemovement of such data (COM (2012) 0010 – C7-0024/2012 -2012/0010(COD))[2014]<http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2014-0219>accessed20July2015.5CounciloftheEU,proposalforaregulationoftheEuropeanParliamentandoftheCouncilontheprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata(GeneralDataProtectionRegulation),Preparationforageneralapproach9565/15(11June2015)[2015]<https://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf>accessed30August2015.6EuropeanCommission’spressrelease:<http://europa.eu/rapid/press-release_STATEMENT-155257_fr.htm>accessed20July2015.

33

2

Avoiding Terminological Confusion between the Notions of ‘Biometrics’ and ‘Biometric Data’

Chapter 2: Avoiding Terminological Confusion between the Notions of‘Biometrics’and‘BiometricData’

An Investigation into theMeaningsof theTerms fromaEuropeanDataProtectionandaScientificPerspective*Abstract:This article has beenmotivated by an observation: the lack of rigour by European bodieswhen they use scientific terms to address data protection and privacy issues raised bybiometric technologies and biometric data. In particular, they improperly use the term‘biometrics’tomeanatthesametime‘biometricdata’,‘identificationmethod’,or‘biometrictechnologies.’Basedonthisobservation,thereisaneedtoclarifywhat‘biometrics’meansforthebiometriccommunity,andwhetherandhowthelegalcommunityshouldusethetermina data protection andprivacy context. In parallel to that exercise of clarification, there isalso a need to investigate the current legal definition of ‘biometric data’ as framed byEuropean bodies at the level of the European Union and the Council of Europe. Thecomparisonof the regulatoryand scientificdefinitionsof the term ‘biometricdata’ revealsthatthetermisusedintwodifferentcontexts.However,itislegitimatetoquestiontherolethat thescientificdefinitioncouldexerciseon theregulatorydefinition.Moreprecisely, thequestioniswhetherthetechnicalprocessthroughwhichbiometricinformationisextractedandtransformedintoabiometrictemplateshouldbereflectedintheregulatorydefinitionoftheterm.

IntroductionBiometric technologies allow the capture, collection, and processing of biometricinformationaboutindividuals.Theirinformationisthentransformedintodigitalbitsthatcanberetrievedwhennecessaryforcomparison.Thebiometricprocessingofindividuals’information and data raises personal data protection issues. The first one is whetherindividuals’biometricdataconstituteacategoryofpersonaldataasdefinedatEuropeanlevel.Buttobeabletodeterminethelegalregimeapplicabletobiometricdata,onemustunderstandandassessthedefinition(s)giventotheterm‘biometricdata’bytheEuropeandata protection community. This is highly relevant since the European Commission hasintroducedaregulatorydefinitionoftheterminitsproposalsofrevisionoftheEuropean

*Articlepublished in the InternationalDataPrivacyLaw journal (IDPL), volume6, issue1, February2016,pages63-76;theauthorwishestothankProfJeanneMifsudBonniciandProfLaurenceGormleyfortheirveryvaluablecommentsandtheanonymouspeer-reviewers.Theviewsexpressedinthisarticlearesolelythoseoftheauthor.Allremainingerrorsaretheauthor’ssoleresponsibility.

Data Protection Framework. This reform, commonly designated under the name of theData Protection Reform Package,1is composed of a General Data Protection Regulation(GDPR) (replacing the current Data Protection Directive, Directive 95/46/EC)2and aspecificDirectiveondataprotectionandlawenforcement(replacingthecurrentCouncilFramework Decision 2008/780/JHA).3The European Parliament (EP) voted in firstreading the two proposals of the package in March 2014,4whereas the Council of theEuropeanUnion (EU) only agreed in June 2015 on a text for the GDPR.5At the time ofwriting, theEuropeanCommission,EPandCouncilof theEUhavestarteda ‘trilogue’ontheproposalof theGDPR,6whereastheCouncilof theEUpursues itsdiscussionsamongitsmembersontheproposalforaDirectiveinlawenforcementanddataprotection.Asaconsequence,regulatorydefinitionofbiometricdataatEUlevelreferredtointhearticleistheonecontainedintheoriginalproposaloftheGDPRtogetherwithitsamendedversionadoptedbytheEuropeanParliamentandagreedbytheCounciloftheEU.Byclarifyingthemeaningof‘biometricdata’fromaEuropeandataprotectionperspective,thereisaneedtodistinguishitfromtheterm‘biometrics’.Aswillbeexplainedinthefirstsection ‘Biometrics: a catchall notion?’, different Europeanbodies have indeedused theterm ‘biometrics’ in their legal opinions and reports to mean all at the same time

1Thetwoproposalsaredesignatedundertheexpression‘DataProtectionReformPackage’,althoughitisnottheofficialnamegivenbytheEuropeanCommission.However,severalEuropeanbodies,suchastheEuropeanDataProtectionSupervisor,haveusedthisexpressiontodesignatethetwoproposals.See,forexample,EDPS‘OpinionoftheEuropeanDataProtectionSupervisoronthedataprotectionreformpackage’[2012]<https://edps.europa.eu/sites/edp/files/publication/12-03-07_edps_reform_package_en.pdf>accessed20July2015.2European Commission, Proposal for a Regulation of the European Parliament and of the Council on theprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata(GeneralDataProtectionRegulation),COM(2012)11final[2012]<https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012PC0011&from=EN>accessed20July2015.3European Commission, Proposal for a Directive of the European Parliament and of the Council on theprotection of individuals with regard to the processing of personal data by competent authorities for thepurposes of prevention, investigation, detection or prosecution of criminal offences or the execution ofcriminalpenalties,andthefreemovementofsuchdata,COM(2012)10final,2012/0010(COD)[2012]<https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012PC0010&from=en>accessed20July2015.4EuropeanParliament,legislativeresolutionontheproposalforaregulationoftheEuropeanParliamentandoftheCouncilontheprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata(GeneralDataProtectionRegulation)(COM(2012)0011-C7-0025/2012–2012/0011(COD))[2014]<http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2014-0212&language=EN&ring=A7-2013-0402>accessed20July2015.EuropeanParliament,legislativeresolutionontheproposalforadirectiveoftheEuropeanParliamentandofthe Council on the protection of individuals with regard to the processing of personal data by competentauthoritiesforthepurposesofprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecution of criminal penalties, and the freemovement of such data (COM (2012) 0010 – C7-0024/2012 -2012/0010(COD))[2014]<http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2014-0219>accessed20July2015.5CounciloftheEU,proposalforaregulationoftheEuropeanParliamentandoftheCouncilontheprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata(GeneralDataProtectionRegulation),Preparationforageneralapproach9565/15(11June2015)[2015]<https://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf>accessed30August2015.6EuropeanCommission’spressrelease:<http://europa.eu/rapid/press-release_STATEMENT-155257_fr.htm>accessed20July2015.

34

Chapter 2

29

‘biometricdata’, ‘identificationmethod’,and ‘biometric technologies’.7Thisarticleclaimsthat the term ‘biometrics’ is first a technical term thatdoesnothaveany legalmeaningfromadataprotectionperspective.Afterhavingdescribedthenotionof ‘biometrics’,thearticlewillfocus,inthesecondsection‘Biometricdata:atechnicalandalegalnotion’,onthenotionof‘biometricdata’,whichiscrucialfromadataprotectionpointofview.Itwillarguethatthetermreferstotwodifferentnotions,alegaloneandascientificone,whichcannotbemerged into a single one since they servedifferentpurposes.The articlewillexplainthe fundamentaldifferencebetweenthetwoandwill investigatewhetherornotthelegaldefinitionshouldreflectthescientificdefinition.Thisarticlefocusesonterminologicalissuesandnotonthelegalnatureof‘biometricdata’.However,defining ‘biometricdata’andasaconsequence ‘biometrics’ isanecessaryfirststep to laterassess the legalnatureof ‘biometricdata’ fromaEuropeandataprotectionperspective.Thisfollowingstepisnotthetopicofthecurrentarticlebutofasubsequentone. In addition, this article will attempt to bridge a gap between legal experts in theEuropeandataprotectionfieldandscientistsinthebiometricfield.Bothtypesofexpertsuse the same termsbutgive themdifferentmeanings.8Byunderstandinghowscientistsareapproachingthetwonotions,thisarticlewillassesswhether(andhow)theregulatorydefinitions of ‘biometrics’ and ‘biometric data’ should reflect the scientific ones. It willhowevernotassesswhetherthescientificdefinitionsmightneedtoreflectthelegalones.ThetextofreferenceonthescientificsideistheInternationalStandardISO/IEC2382-37harmonisingthevocabularyusedinthefieldofbiometrics.9AlthoughthecurrentversionoftheStandardisthefirstonepublishedandmightbesubjecttorevision,ithasalreadybeen quoted as a document of reference by national data protection authorities.10TheStandard contains more than 100 entries that are used in the field of biometrics.Referencestoitsdefinitionswillmainlyfocusonthetwomostrelevantnotionsinadataprotection context: ‘biometrics’ and ‘biometric data’. Other terms used in the field ofbiometricswillbementionedinthecourseofthisarticle,buttheywillnotbethoroughlyanalysed.Toreflect thediversityofdefinitionsanddisciplines, severalscientificsourcespublishedbeforetheadoptionoftheInternationalStandardwillalsobementioned.Theyinclude, amongothers, definitions in glossaries [theGlossaryofBiometricTerms of 1999

7Seeforexample,Article29DataProtectionWorkingParty, ‘Opinion3/2012ondevelopments inbiometrictechnologies’[2012]WP193.8Thisarticlehasbeen inspiredbydiscussionswithbiometricexpertsandengineersworking in the fieldofbiometrics. Experts in different fields use the same terms with different meanings without necessarilyacknowledging the differences. Concerning the term ‘biometrics’, it is first of all a technical term. As aconsequence,oncannotignoreitsmeaningfromascientificperspective.9ISO/IEC2382-37:2012(E)—InformationTechnology—Vocabulary—Part37:Biometrics<http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=55194>accessed20July2015.10Il Garante (Italian Data Protection Authority), Guidelines on Biometric Recognition and GraphometricSignature,AnnexAtotheGarante’sOrderof12November2014,3<http://194.242.234.211/documents/10160/0/GUIDELINES+ON+BIOMETRIC+RECOGNITION> accessed 20July2015.

andtheBiometricsGlossaryoftheUSNationalScienceandTechnologyCouncil(NSTC)of2006],11areportonBiometricRecognition,12andtheEncyclopediaofBiometrics.13Onthesideofdataprotectionandprivacyinrelationtobiometrictechnologies,thereviewof the existing literature is based on twomain studies. The first isBio-Privacy,PrivacyRegulations and the Challenge of Biometrics by Nancy Yue Liu.14The second is thereference work on Privacy and Data Protection Issues of Biometric Applications by ElsKindt.15Inthefirstbook,theauthorbrieflydescribesthenotionof‘biometrics’inashortsectiononterminology,whereas in thesecondbook, theauthorthoroughlyassessesthelegalnatureofbiometricdataandproposesherowndefinition. If thisarticle isbuiltontheirresearch,italsogoesbeyond.Itproposestoinvestigatehowthescientificdefinitionsof ‘biometrics’ and ‘biometric data’ by the biometric community can help the Europeandata protection community to understand the notion of ‘biometrics’ and to determinewhether the scientific definition could be used to ‘reshape’ the legal definition of‘biometricdata’.Legalopinions,reports,andlegislativereportsattheEuropeandataprotectionlevelwillalsobereviewed.Forthepurposeofthisarticle,theEuropeanlevelshouldbeunderstoodasencompassingtheleveloftheEUandoftheCouncilofEurope.Atbothlevels,severalinitiativesandmeasuresaddressingbiometricissuesareinterestingtoassess.Moreprecisely,atEUlevel,OpinionsandaWorkingDocumentonbiometricsissuedbytheArticle 29WorkingParty aswell as differentOpinions of theEuropeanDataProtectionSupervisor (EDPS) on biometric issueswill be surveyed. This part is completed by theanalysisoftheEuropeanCommission’sproposalsontheDataProtectionReformPackage.Whenever necessary, a distinction will be made between the text proposed by theEuropeanCommission,thetextadoptedatfirstreadingbytheEP,andthetextagreedbytheCounciloftheEU.BesidesinitiativesattheEUlevel,severaldocumentsadoptedattheleveloftheCouncilofEurope on biometric issues deserve special attention. First of all, the issue of theapplicationoftheprinciplescontainedinConvention108tobiometricdatawasraisedin2005inaProgressReportdraftedbytheConsultativeCommitteeoftheConvention.16The

11Association for Biometrics and International Computer Security Association, ‘1999 Glossary of BiometricTerms,’ 1-12 <biometrics3.tripod.com/pubs/glossary.pdf> accessed 20 July 2015; US National Science andTechnologyCouncil’sSubcommitteeonBiometrics,‘BiometricsGlossary’(2006),1-33<http://www.biometrics.gov/documents/glossary.pdf>accessed20July2015.12Whither Biometrics Committee & National Research Council, Biometric Recognition: Challenges andOpportunities,JNPatoandLIMillett(eds)(TheNationalAcademiesPress2010).13StanZLi(ed),EncyclopediaofBiometrics(1stedn,Springer2009).14NancyYueLiu,Bio-Privacy,PrivacyRegulationsandtheChallengeofBiometrics(Routledge2012).15Els Kindt, Privacy and Data Protection Issues of Biometric Applications, A Comparative Legal Analysis(Springer2013).16CouncilofEurope,ConsultativeCommitteeofConvention108,‘ProgressReportontheApplicationofthePrinciplesofConvention108totheCollectionandProcessingofBiometricData’(2005)<http://www.coe.int/t/dghl/standardsetting/dataprotection/Reports/Biometrics_2005_en.pdf>accessed20

35

2


29

‘biometricdata’, ‘identificationmethod’,and ‘biometric technologies’.7Thisarticleclaimsthat the term ‘biometrics’ is first a technical term thatdoesnothaveany legalmeaningfromadataprotectionperspective.Afterhavingdescribedthenotionof ‘biometrics’,thearticlewillfocus,inthesecondsection‘Biometricdata:atechnicalandalegalnotion’,onthenotionof‘biometricdata’,whichiscrucialfromadataprotectionpointofview.Itwillarguethatthetermreferstotwodifferentnotions,alegaloneandascientificone,whichcannotbemerged into a single one since they servedifferentpurposes.The articlewillexplainthe fundamentaldifferencebetweenthetwoandwill investigatewhetherornotthelegaldefinitionshouldreflectthescientificdefinition.Thisarticlefocusesonterminologicalissuesandnotonthelegalnatureof‘biometricdata’.However,defining ‘biometricdata’andasaconsequence ‘biometrics’ isanecessaryfirststep to laterassess the legalnatureof ‘biometricdata’ fromaEuropeandataprotectionperspective.Thisfollowingstepisnotthetopicofthecurrentarticlebutofasubsequentone. In addition, this article will attempt to bridge a gap between legal experts in theEuropeandataprotectionfieldandscientistsinthebiometricfield.Bothtypesofexpertsuse the same termsbutgive themdifferentmeanings.8Byunderstandinghowscientistsareapproachingthetwonotions,thisarticlewillassesswhether(andhow)theregulatorydefinitions of ‘biometrics’ and ‘biometric data’ should reflect the scientific ones. It willhowevernotassesswhetherthescientificdefinitionsmightneedtoreflectthelegalones.ThetextofreferenceonthescientificsideistheInternationalStandardISO/IEC2382-37harmonisingthevocabularyusedinthefieldofbiometrics.9AlthoughthecurrentversionoftheStandardisthefirstonepublishedandmightbesubjecttorevision,ithasalreadybeen quoted as a document of reference by national data protection authorities.10TheStandard contains more than 100 entries that are used in the field of biometrics.Referencestoitsdefinitionswillmainlyfocusonthetwomostrelevantnotionsinadataprotection context: ‘biometrics’ and ‘biometric data’. Other terms used in the field ofbiometricswillbementionedinthecourseofthisarticle,buttheywillnotbethoroughlyanalysed.Toreflect thediversityofdefinitionsanddisciplines, severalscientificsourcespublishedbeforetheadoptionoftheInternationalStandardwillalsobementioned.Theyinclude, amongothers, definitions in glossaries [theGlossaryofBiometricTerms of 1999

7Seeforexample,Article29DataProtectionWorkingParty, ‘Opinion3/2012ondevelopments inbiometrictechnologies’[2012]WP193.8Thisarticlehasbeen inspiredbydiscussionswithbiometricexpertsandengineersworking in the fieldofbiometrics. Experts in different fields use the same terms with different meanings without necessarilyacknowledging the differences. Concerning the term ‘biometrics’, it is first of all a technical term. As aconsequence,oncannotignoreitsmeaningfromascientificperspective.9ISO/IEC2382-37:2012(E)—InformationTechnology—Vocabulary—Part37:Biometrics<http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=55194>accessed20July2015.10Il Garante (Italian Data Protection Authority), Guidelines on Biometric Recognition and GraphometricSignature,AnnexAtotheGarante’sOrderof12November2014,3<http://194.242.234.211/documents/10160/0/GUIDELINES+ON+BIOMETRIC+RECOGNITION> accessed 20July2015.

andtheBiometricsGlossaryoftheUSNationalScienceandTechnologyCouncil(NSTC)of2006],11areportonBiometricRecognition,12andtheEncyclopediaofBiometrics.13Onthesideofdataprotectionandprivacyinrelationtobiometrictechnologies,thereviewof the existing literature is based on twomain studies. The first isBio-Privacy,PrivacyRegulations and the Challenge of Biometrics by Nancy Yue Liu.14The second is thereference work on Privacy and Data Protection Issues of Biometric Applications by ElsKindt.15Inthefirstbook,theauthorbrieflydescribesthenotionof‘biometrics’inashortsectiononterminology,whereas in thesecondbook, theauthorthoroughlyassessesthelegalnatureofbiometricdataandproposesherowndefinition. If thisarticle isbuiltontheirresearch,italsogoesbeyond.Itproposestoinvestigatehowthescientificdefinitionsof ‘biometrics’ and ‘biometric data’ by the biometric community can help the Europeandata protection community to understand the notion of ‘biometrics’ and to determinewhether the scientific definition could be used to ‘reshape’ the legal definition of‘biometricdata’.Legalopinions,reports,andlegislativereportsattheEuropeandataprotectionlevelwillalsobereviewed.Forthepurposeofthisarticle,theEuropeanlevelshouldbeunderstoodasencompassingtheleveloftheEUandoftheCouncilofEurope.Atbothlevels,severalinitiativesandmeasuresaddressingbiometricissuesareinterestingtoassess.Moreprecisely,atEUlevel,OpinionsandaWorkingDocumentonbiometricsissuedbytheArticle 29WorkingParty aswell as differentOpinions of theEuropeanDataProtectionSupervisor (EDPS) on biometric issueswill be surveyed. This part is completed by theanalysisoftheEuropeanCommission’sproposalsontheDataProtectionReformPackage.Whenever necessary, a distinction will be made between the text proposed by theEuropeanCommission,thetextadoptedatfirstreadingbytheEP,andthetextagreedbytheCounciloftheEU.BesidesinitiativesattheEUlevel,severaldocumentsadoptedattheleveloftheCouncilofEurope on biometric issues deserve special attention. First of all, the issue of theapplicationoftheprinciplescontainedinConvention108tobiometricdatawasraisedin2005inaProgressReportdraftedbytheConsultativeCommitteeoftheConvention.16The

11Association for Biometrics and International Computer Security Association, ‘1999 Glossary of BiometricTerms,’ 1-12 <biometrics3.tripod.com/pubs/glossary.pdf> accessed 20 July 2015; US National Science andTechnologyCouncil’sSubcommitteeonBiometrics,‘BiometricsGlossary’(2006),1-33<http://www.biometrics.gov/documents/glossary.pdf>accessed20July2015.12Whither Biometrics Committee & National Research Council, Biometric Recognition: Challenges andOpportunities,JNPatoandLIMillett(eds)(TheNationalAcademiesPress2010).13StanZLi(ed),EncyclopediaofBiometrics(1stedn,Springer2009).14NancyYueLiu,Bio-Privacy,PrivacyRegulationsandtheChallengeofBiometrics(Routledge2012).15Els Kindt, Privacy and Data Protection Issues of Biometric Applications, A Comparative Legal Analysis(Springer2013).16CouncilofEurope,ConsultativeCommitteeofConvention108,‘ProgressReportontheApplicationofthePrinciplesofConvention108totheCollectionandProcessingofBiometricData’(2005)<http://www.coe.int/t/dghl/standardsetting/dataprotection/Reports/Biometrics_2005_en.pdf>accessed20

36

Chapter 2

Parliamentary Assembly of the Council of Europe (PACE) also raised in 2011 theimportance to take into account ‘the human rights implications of biometrics’ throughnotably a standardised definition of ‘biometric data’. For this reason, three documents,Resolution1797(2011),Recommendation1960(2011),andthepreparatoryreportoftheResolution and Recommendation, called theHaibach Report, have been analysed.17Lastbutnotleast,thedraftexplanatoryreportonthemodernisationofConvention108isalsomentioned.18

‘Biometrics’:ACatchallNotion?Inageneraldictionary,suchasMerriam-Webster,theterm‘biometrics’isdefinedintwodifferent ways. It is a synonym of ‘biometry’, understood as ‘the statistical analysis ofbiological observations and phenomena’.19It also means ‘measurement and analysis ofunique physical or behavioural characteristics (as fingerprints or voice patterns)especiallyasameansofverifyingidentity’.20Forscientistsfromdifferentdisciplines(suchas medicine, mathematics, statistics, or biometrics),21the term has more than twomeanings. These multiple meanings have indeed created the need to harmonise thevocabulary used in the biometric field. In the field of data protection and privacy, thedifferentEuropean institutionsandbodies thathaveassessedbiometric issueshavenotalwaysusedtheterm‘biometrics’inaconsistentway.Ultimately,inconclusionofthesection,thearticlewilldeterminewhetherornottheterm‘biometrics’shouldbeusedinadataprotectionandprivacycontext.

July2015.Thereportwasupdatedin2013byanacademicreport,whichhasnotbeenanalysedinthearticlesinceithasnotbeenissuednorendorsedbytheCouncilofEuropeoranyofitsbodies.17ParliamentaryAssemblyoftheCouncilofEurope,CommitteeonLegalAffairsandHumanRights,‘TheNeedforaGlobalConsiderationoftheHumanRightsImplicationsofBiometrics,’RapporteurHHaibach,Doc12522(16February2011)<http://assembly.coe.int/nw/xml/XRef/X2H-Xref-ViewPDF.asp?FileID=13103&lang=en>accessed20July2015;ParliamentaryAssemblyoftheCouncilofEurope,Recommendation1960(2011),‘TheNeed for a Global Consideration of the Human Rights Implications of Biometrics’<http://assembly.coe.int/nw/xml/XRef/X2H-Xref-ViewPDF.asp?FileID=17964&lang=en> accessed 20 July2015; Parliamentary Assembly of the Council of Europe, Resolution 1797 (2011), ‘The Need for a GlobalConsiderationoftheHumanRightsImplicationsofBiometrics’<http://assembly.coe.int/nw/xml/XRef/X2H-Xref-ViewPDF.asp?FileID=17968&lang=en>accessed20July2015.18CouncilofEurope,BureauoftheConsultativeCommitteeofConvention108fortheprotectionofindividualswith regard to automatic processing of personal data [ETS. No. 108], ‘Draft Explanatory Report of theModernisedVersionofConvention108’(basedontheproposalsadoptedbythe29thPlenarymeetingoftheT-PD),Strasbourg,25March2014,TP-PD-BUR(2013)3ENrev5<http://www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/T-PD-BUR(2013)3Rev5%20-%20Draft%20explanatory%20report.pdf> accessed 20 July 2015, latest version available at the time ofwriting.19<http://www.merriam-webster.com/dictionary/biometry>accessed20July2015.20<http://www.merriam-webster.com/dictionary/biometrics>accessed20July2015.21StephenStiegler,‘TheProblematicUnityofBiometrics’(2000)56Biometrics653.

32

UsesoftheTerm‘Biometrics’intheEuropeanDataProtectionContextNeither of the two founding legal texts on data protection andprivacy at the Europeanlevelmentionstheterm‘biometrics’or‘biometricdata’.22ThesetwotextsaretheCouncilof Europe’s Convention 108 (Convention 108)23and Directive 95/46/EC on dataprotection (Data Protection Directive).24 However, different European bodies haveaddressedtheissuesoftheimpactoftheuseofbiometrictechnologiesondataprotectionandprivacyprinciples.AllthedefinitionsmentionedinthissectionarerecappedinTable1.

‘Biometrics’UsedasaSynonymof‘BiometricData’At EU level, the first body to analyse the notion of ‘biometrics’ from a data protectionperspective is the Article 29 Data ProtectionWorking Party (Working Party or Art. 29WP).25ItsworkonbiometricissueshashadamajorinfluenceonotherEuropeanbodies,andinparticularontheEDPS.ThefirstdocumentpublishedbytheArticle29DataProtectionWorkingPartyisaworkingdocument on biometrics in 2003,26followed in 2012 by Opinion 3/2012 on the recentdevelopments in biometric technologies.27In the working document, the Working PartyassessedwhetherandhowtheDataProtectionDirectivecouldapplytotheprocessingofbiometric data. The term ‘biometrics’ is used throughout the report without beingexpresslydefined.Butoneunderstandsthatthewordisconstantlyusedasasynonymof‘biometricdata’.28AtextualanalysisofOpinion3/2012revealsthattheterm‘biometrics’isalsousedasasynonymof‘biometricdata’,29howevernotinaconsistentway.Inseveralparagraphs of the Opinion, theWorking Party used the term ‘biometrics’ to alsomean‘identificationmethod’30and ‘biometric technologies’31. But at no point did theWorking

22Dataprotectionandprivacyas‘separateconcepts’;see,forexample,PeterHustinx,‘EuropeanLeadershipinPrivacy andData Protection’ inArtemiRallo Lombarte andRosarioGarcíaMahamut (eds),HaciaunNuevoDerechoEuropeandeProteccióndeDatos,TowardsaNewEuropeanDataProtectionRegime (Tirant loBlanch2015)15-25.23Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data,Strasbourg,28January1981(ETSNo.108)<http://conventions.coe.int/Treaty/EN/Reports/HTML/108.htm>accessed20July2015.24Directive95/46/EContheprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata[1995]OJL281/31.25The Working Party is an independent advisory body to the European Commission on data protectionmatters; for the composition and description of the Article 29 Working Party, see<http://ec.europa.eu/justice/data-protection/article-29/index_en.htm>accessed20July2015.26A29WP,‘WorkingDocumentonbiometrics’[2003]WP80.27A29WP,Opinion3/2012(n7).28A29WP,WorkingDocumentonbiometrics(n26);see,forexample,thefollowingsentencesasillustration:‘Thiskindofdata [referring tobiometrics] isof specialnature’ (p.2); ‘Therearediscussionsconcerning theincorporationofbiometricsonIDcards,passports,traveldocumentsandvisa,’p.2,fn2.29See, for example, in Opinion 3/2012 (n 7), the use of ‘biometrics’ in the following sentences: ‘collectingdifferentbiometrics’(p.6), ‘tousebiometricsofanemployee’,(p.11)(…)‘biometricsmustnotbetakenfromsomebodywithouthisknowledge’(p.14).30A29WP,Opinion3/2012(n7);see,forexample;theuseof‘biometrics’inthefollowingsentence:‘Biometricsare,insomecases,replacingorenhancingconventionalidentificationmethods’,p.16.31A29WP,Opinion 3/2012 (n 7); see, for example, the use of ‘biometrics’ in the following sentences: ‘newtrends on biometrics’, p.16, title of Section 4.2 of the Opinion that describes new biometric technologies;‘multi-modalbiometrics(…)canbedefinedasthecombinationofdifferentbiometrictechnologiestoenhancetheaccuracyorperformanceofthesystem’,p.6.

37

2


Parliamentary Assembly of the Council of Europe (PACE) also raised in 2011 theimportance to take into account ‘the human rights implications of biometrics’ throughnotably a standardised definition of ‘biometric data’. For this reason, three documents,Resolution1797(2011),Recommendation1960(2011),andthepreparatoryreportoftheResolution and Recommendation, called theHaibach Report, have been analysed.17Lastbutnotleast,thedraftexplanatoryreportonthemodernisationofConvention108isalsomentioned.18

‘Biometrics’:ACatchallNotion?Inageneraldictionary,suchasMerriam-Webster,theterm‘biometrics’isdefinedintwodifferent ways. It is a synonym of ‘biometry’, understood as ‘the statistical analysis ofbiological observations and phenomena’.19It also means ‘measurement and analysis ofunique physical or behavioural characteristics (as fingerprints or voice patterns)especiallyasameansofverifyingidentity’.20Forscientistsfromdifferentdisciplines(suchas medicine, mathematics, statistics, or biometrics),21the term has more than twomeanings. These multiple meanings have indeed created the need to harmonise thevocabulary used in the biometric field. In the field of data protection and privacy, thedifferentEuropean institutionsandbodies thathaveassessedbiometric issueshavenotalwaysusedtheterm‘biometrics’inaconsistentway.Ultimately,inconclusionofthesection,thearticlewilldeterminewhetherornottheterm‘biometrics’shouldbeusedinadataprotectionandprivacycontext.

July2015.Thereportwasupdatedin2013byanacademicreport,whichhasnotbeenanalysedinthearticlesinceithasnotbeenissuednorendorsedbytheCouncilofEuropeoranyofitsbodies.17ParliamentaryAssemblyoftheCouncilofEurope,CommitteeonLegalAffairsandHumanRights,‘TheNeedforaGlobalConsiderationoftheHumanRightsImplicationsofBiometrics,’RapporteurHHaibach,Doc12522(16February2011)<http://assembly.coe.int/nw/xml/XRef/X2H-Xref-ViewPDF.asp?FileID=13103&lang=en>accessed20July2015;ParliamentaryAssemblyoftheCouncilofEurope,Recommendation1960(2011),‘TheNeed for a Global Consideration of the Human Rights Implications of Biometrics’<http://assembly.coe.int/nw/xml/XRef/X2H-Xref-ViewPDF.asp?FileID=17964&lang=en> accessed 20 July2015; Parliamentary Assembly of the Council of Europe, Resolution 1797 (2011), ‘The Need for a GlobalConsiderationoftheHumanRightsImplicationsofBiometrics’<http://assembly.coe.int/nw/xml/XRef/X2H-Xref-ViewPDF.asp?FileID=17968&lang=en>accessed20July2015.18CouncilofEurope,BureauoftheConsultativeCommitteeofConvention108fortheprotectionofindividualswith regard to automatic processing of personal data [ETS. No. 108], ‘Draft Explanatory Report of theModernisedVersionofConvention108’(basedontheproposalsadoptedbythe29thPlenarymeetingoftheT-PD),Strasbourg,25March2014,TP-PD-BUR(2013)3ENrev5<http://www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/T-PD-BUR(2013)3Rev5%20-%20Draft%20explanatory%20report.pdf> accessed 20 July 2015, latest version available at the time ofwriting.19<http://www.merriam-webster.com/dictionary/biometry>accessed20July2015.20<http://www.merriam-webster.com/dictionary/biometrics>accessed20July2015.21StephenStiegler,‘TheProblematicUnityofBiometrics’(2000)56Biometrics653.

32

UsesoftheTerm‘Biometrics’intheEuropeanDataProtectionContextNeither of the two founding legal texts on data protection andprivacy at the Europeanlevelmentionstheterm‘biometrics’or‘biometricdata’.22ThesetwotextsaretheCouncilof Europe’s Convention 108 (Convention 108)23and Directive 95/46/EC on dataprotection (Data Protection Directive).24 However, different European bodies haveaddressedtheissuesoftheimpactoftheuseofbiometrictechnologiesondataprotectionandprivacyprinciples.AllthedefinitionsmentionedinthissectionarerecappedinTable1.

‘Biometrics’UsedasaSynonymof‘BiometricData’At EU level, the first body to analyse the notion of ‘biometrics’ from a data protectionperspective is the Article 29 Data ProtectionWorking Party (Working Party or Art. 29WP).25ItsworkonbiometricissueshashadamajorinfluenceonotherEuropeanbodies,andinparticularontheEDPS.ThefirstdocumentpublishedbytheArticle29DataProtectionWorkingPartyisaworkingdocument on biometrics in 2003,26followed in 2012 by Opinion 3/2012 on the recentdevelopments in biometric technologies.27In the working document, the Working PartyassessedwhetherandhowtheDataProtectionDirectivecouldapplytotheprocessingofbiometric data. The term ‘biometrics’ is used throughout the report without beingexpresslydefined.Butoneunderstandsthatthewordisconstantlyusedasasynonymof‘biometricdata’.28AtextualanalysisofOpinion3/2012revealsthattheterm‘biometrics’isalsousedasasynonymof‘biometricdata’,29howevernotinaconsistentway.Inseveralparagraphs of the Opinion, theWorking Party used the term ‘biometrics’ to alsomean‘identificationmethod’30and ‘biometric technologies’31. But at no point did theWorking

22Dataprotectionandprivacyas‘separateconcepts’;see,forexample,PeterHustinx,‘EuropeanLeadershipinPrivacy andData Protection’ inArtemiRallo Lombarte andRosarioGarcíaMahamut (eds),HaciaunNuevoDerechoEuropeandeProteccióndeDatos,TowardsaNewEuropeanDataProtectionRegime (Tirant loBlanch2015)15-25.23Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data,Strasbourg,28January1981(ETSNo.108)<http://conventions.coe.int/Treaty/EN/Reports/HTML/108.htm>accessed20July2015.24Directive95/46/EContheprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata[1995]OJL281/31.25The Working Party is an independent advisory body to the European Commission on data protectionmatters; for the composition and description of the Article 29 Working Party, see<http://ec.europa.eu/justice/data-protection/article-29/index_en.htm>accessed20July2015.26A29WP,‘WorkingDocumentonbiometrics’[2003]WP80.27A29WP,Opinion3/2012(n7).28A29WP,WorkingDocumentonbiometrics(n26);see,forexample,thefollowingsentencesasillustration:‘Thiskindofdata [referring tobiometrics] isof specialnature’ (p.2); ‘Therearediscussionsconcerning theincorporationofbiometricsonIDcards,passports,traveldocumentsandvisa,’p.2,fn2.29See, for example, in Opinion 3/2012 (n 7), the use of ‘biometrics’ in the following sentences: ‘collectingdifferentbiometrics’(p.6), ‘tousebiometricsofanemployee’,(p.11)(…)‘biometricsmustnotbetakenfromsomebodywithouthisknowledge’(p.14).30A29WP,Opinion3/2012(n7);see,forexample;theuseof‘biometrics’inthefollowingsentence:‘Biometricsare,insomecases,replacingorenhancingconventionalidentificationmethods’,p.16.31A29WP,Opinion 3/2012 (n 7); see, for example, the use of ‘biometrics’ in the following sentences: ‘newtrends on biometrics’, p.16, title of Section 4.2 of the Opinion that describes new biometric technologies;‘multi-modalbiometrics(…)canbedefinedasthecombinationofdifferentbiometrictechnologiestoenhancetheaccuracyorperformanceofthesystem’,p.6.

38

Chapter 2

33

Party specify using different meanings of the term. Besides these few paragraphs, theWorkingPartyseemstohaveconsistentlyandconstantlyusedtheterm‘biometrics’asasynonymof ‘biometricdata’.32Thenotionof ‘biometricdata’hasnotbeendefinedbytheWorkingPartyinitsOpinionsaddressingbiometricissuesbutinOpinion4/2007onthegeneral concept of personal data.33This definition will be reviewed in the section‘Biometricdata:atechnicalandalegalnotion’.InitsownOpinionsrelatingtobiometricissues,34theEDPShasusedtheterm‘biometrics’as a synonym of ‘biometric data’ and has referred to the definition elaborated by theArticle29DataProtectionWorkingParty inOpinion4/2007.35However,asexplained inthe following sub-section, the glossary of the EDPS, available on itswebsite, contains adefinitionof‘biometrics’,whichisnotinlinewiththeWorkingParty’sdefinition.Finally, it should bementioned that the term ‘biometrics’ is notmentioned in the DataProtection Reform Package. The term appears, however, in the impact assessmentdocumentoftheproposals, inwhichit isusedasasynonymof ‘biometricdata’.36Butnofurtherdetailonitsmeaningororiginisprovided.

32Forexample,A29WP,‘OpinionNo7/2004ontheinclusionofbiometricelementsintheresidencepermitsandvisatakingaccountoftheestablishmentoftheEuropeaninformationsystemonvisas(VIS)’[2004]WP96,andA29WP, ‘Opinion3/2005on implementingtheCouncilRegulation(EC)No.2252/2004of13December2004 on standards for security features and biometrics in passports and travelled documents issued byMemberStates’[2005]WP112.33A29WP,‘Opinion4/2007ontheconceptofpersonaldata’[2007]WP136.34See,forexample,EDPS,‘OpiniontheProposalforaRegulationoftheEuropeanParliamentandoftheCouncilconcerningtheVisaInformationSystem(VIS)andtheexchangeofdatabetweenMemberStatesonshortstay-visas(COM(2004)835final)’[2005]OJC181/13.EDPS,‘OpinionontheProposalforaCouncilDecisionontheestablishment,operationanduseofthesecondgenerationSchengeninformationsystem(SISII)(COM(2005)230final)’;theProposalforaRegulationoftheEuropean Parliament and of the Council on the establishment, operation and use of the second generationSchengen information system (SIS II) (COM (2005) 236 final) and the Proposal for a Regulation of theEuropean Parliament and of the Council regarding access to the second generation Schengen InformationSystem(SIS II)by theservices in theMemberStates responsible for issuingvehicle registrationcertificates(COM(2005)237final)’[2005]OJC91/38.EDPS,‘OpinionoftheEuropeanDataProtectionSupervisoronthemodifiedproposalforaCouncilRegulationamendingRegulation(EC)1030/2002layingdownauniformformatforresidencepermitsforthird-countrynationals’[2006]OJC320/21.EDPS,‘OpinionoftheEuropeanDataProtectionSupervisorontheproposalforaRegulationoftheEuropeanParliament and of the Council amending Council Regulation (EC) No 2252/2004 on standards for securityfeaturesandbiometricsinpassportsandtraveldocumentsissuedbyMemberStates’[2008]OJC200/1.35Seeparagraph18ofEDPS,OpiniononaresearchprojectfundedbytheEuropeanUnionundertheSeventhFramework Programme (FP7) for Research and Technology Development - Turbine (TrUsted RevocableBiometricIdeNtitiEs)[2011]<https://edps.europa.eu/sites/edp/files/publication/11-02-01_fp7_en.pdf>accessed20July2015.36See the following sentence: ‘including biometrics amongst the sensitive data’ (p.115) in EuropeanCommission,‘ImpactAssessmentaccompanyingthedocumentRegulationoftheEuropeanParliamentandoftheCouncil on theprotectionof individualswith regard to theprocessingofpersonaldata andon the freemovementofsuchdata(GeneralDataProtectionRegulation)andDirectiveoftheEuropeanParliamentandofthe Council on the protection of individuals with regard to the processing of personal data by competentauthoritiesforthepurposesofprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andthefreemovementofsuchdata’SEC(2012)72final[2012]<https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012SC0072&from=en>accessed20July2015.

‘Biometrics’UsedasaSynonymof‘BiometricTechnologies’SeveralbodiesbelongingtotheCouncilofEurope’slevelhaveusedtheterm‘biometrics’as synonymsof ‘biometric technologies’ or ‘biometric systems’ in the specific contextofpersonal data and in thebroader context of human rights. In addition, theEDPSand tosome extent the Article 29 Data Protection Working Party have also used the term‘biometrics’inthatsense.AttheCouncilofEurope’slevel,theConsultativeCommitteeofConvention108,inchargeofmonitoringtheimplementationoftheprinciplescontainedintheConvention,hasbeenthe first to define the term ‘biometrics’. In a progress report on the application of theprinciples of Convention 108 to the collection and processing of biometric data,37it hasdefined the term as: ‘(s)ystems that use measurable, physical or physiologicalcharacteristicsorpersonalbehaviourtraitstorecognizetheidentityorverifytheclaimedidentityofanindividual’.38The PACE has reused the definition of the Consultative Committeewhen it tackled theissue of the human rights implications of biometrics in Resolution 1797 andRecommendation 1960. 39 But the preparatory report of these two instrumentsinaccuratelymentionstheglossaryoftheEDPSasthesourceofthedefinitioninsteadoftheprogressreportoftheConsultativeCommittee.40In its glossary of terms available on itswebsite, the EDPS has indeed defined the term‘biometrics’ not as ‘biometric data’, but as amethod of recognition based on biometriccharacteristics (see Table 1 for the exact wording). This definition calls for severalremarks. First of all, the glossary of terms is not legally binding.41It constitutes acompilationof definitionsoriginating fromdifferentEU institutions.The functionof theglossary is to provide readers with a better understanding of data protection issues.Second, as specified on thewebsite,most of the definitions link to their sources. In thecaseofthedefinitionof‘biometrics’,nosourceisindicated.Third,evenifitdoesnothaveany legalvalue, ithasbeenquoted(evenifwrongly).This indicatesthat ithasat leastavalueofreference.

37ProgressReport(n16).38ProgressReport(n16)para16.39Recommendation1960(2011)(n17)andResolution1797(2011)(n17).40HaibachReport(n17).41TheOpinionsoftheEDPSarealsonotbinding,buttheyconstituteauthoritativeadvice.SeeEDPS,‘TheEDPSasanAdvisortoEUInstitutionsonPolicyandLegislations:BuildingonTenYearsofExperience,PolicyPaper’,Brussels,6June2014<https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Papers/PolicyP/14-06-04_PP_EDPSadvisor_EN.pdf>accessed20July2015.

39

2


33

Party specify using different meanings of the term. Besides these few paragraphs, theWorkingPartyseemstohaveconsistentlyandconstantlyusedtheterm‘biometrics’asasynonymof ‘biometricdata’.32Thenotionof ‘biometricdata’hasnotbeendefinedbytheWorkingPartyinitsOpinionsaddressingbiometricissuesbutinOpinion4/2007onthegeneral concept of personal data.33This definition will be reviewed in the section‘Biometricdata:atechnicalandalegalnotion’.InitsownOpinionsrelatingtobiometricissues,34theEDPShasusedtheterm‘biometrics’as a synonym of ‘biometric data’ and has referred to the definition elaborated by theArticle29DataProtectionWorkingParty inOpinion4/2007.35However,asexplained inthe following sub-section, the glossary of the EDPS, available on itswebsite, contains adefinitionof‘biometrics’,whichisnotinlinewiththeWorkingParty’sdefinition.Finally, it should bementioned that the term ‘biometrics’ is notmentioned in the DataProtection Reform Package. The term appears, however, in the impact assessmentdocumentoftheproposals, inwhichit isusedasasynonymof ‘biometricdata’.36Butnofurtherdetailonitsmeaningororiginisprovided.

32Forexample,A29WP,‘OpinionNo7/2004ontheinclusionofbiometricelementsintheresidencepermitsandvisatakingaccountoftheestablishmentoftheEuropeaninformationsystemonvisas(VIS)’[2004]WP96,andA29WP, ‘Opinion3/2005on implementingtheCouncilRegulation(EC)No.2252/2004of13December2004 on standards for security features and biometrics in passports and travelled documents issued byMemberStates’[2005]WP112.33A29WP,‘Opinion4/2007ontheconceptofpersonaldata’[2007]WP136.34See,forexample,EDPS,‘OpiniontheProposalforaRegulationoftheEuropeanParliamentandoftheCouncilconcerningtheVisaInformationSystem(VIS)andtheexchangeofdatabetweenMemberStatesonshortstay-visas(COM(2004)835final)’[2005]OJC181/13.EDPS,‘OpinionontheProposalforaCouncilDecisionontheestablishment,operationanduseofthesecondgenerationSchengeninformationsystem(SISII)(COM(2005)230final)’;theProposalforaRegulationoftheEuropean Parliament and of the Council on the establishment, operation and use of the second generationSchengen information system (SIS II) (COM (2005) 236 final) and the Proposal for a Regulation of theEuropean Parliament and of the Council regarding access to the second generation Schengen InformationSystem(SIS II)by theservices in theMemberStates responsible for issuingvehicle registrationcertificates(COM(2005)237final)’[2005]OJC91/38.EDPS,‘OpinionoftheEuropeanDataProtectionSupervisoronthemodifiedproposalforaCouncilRegulationamendingRegulation(EC)1030/2002layingdownauniformformatforresidencepermitsforthird-countrynationals’[2006]OJC320/21.EDPS,‘OpinionoftheEuropeanDataProtectionSupervisorontheproposalforaRegulationoftheEuropeanParliament and of the Council amending Council Regulation (EC) No 2252/2004 on standards for securityfeaturesandbiometricsinpassportsandtraveldocumentsissuedbyMemberStates’[2008]OJC200/1.35Seeparagraph18ofEDPS,OpiniononaresearchprojectfundedbytheEuropeanUnionundertheSeventhFramework Programme (FP7) for Research and Technology Development - Turbine (TrUsted RevocableBiometricIdeNtitiEs)[2011]<https://edps.europa.eu/sites/edp/files/publication/11-02-01_fp7_en.pdf>accessed20July2015.36See the following sentence: ‘including biometrics amongst the sensitive data’ (p.115) in EuropeanCommission,‘ImpactAssessmentaccompanyingthedocumentRegulationoftheEuropeanParliamentandoftheCouncil on theprotectionof individualswith regard to theprocessingofpersonaldataandon the freemovementofsuchdata(GeneralDataProtectionRegulation)andDirectiveoftheEuropeanParliamentandofthe Council on the protection of individuals with regard to the processing of personal data by competentauthoritiesforthepurposesofprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andthefreemovementofsuchdata’SEC(2012)72final[2012]<https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012SC0072&from=en>accessed20July2015.

‘Biometrics’UsedasaSynonymof‘BiometricTechnologies’SeveralbodiesbelongingtotheCouncilofEurope’slevelhaveusedtheterm‘biometrics’as synonymsof ‘biometric technologies’ or ‘biometric systems’ in the specific contextofpersonal data and in thebroader context of human rights. In addition, theEDPSand tosome extent the Article 29 Data Protection Working Party have also used the term‘biometrics’inthatsense.AttheCouncilofEurope’slevel,theConsultativeCommitteeofConvention108,inchargeofmonitoringtheimplementationoftheprinciplescontainedintheConvention,hasbeenthe first to define the term ‘biometrics’. In a progress report on the application of theprinciples of Convention 108 to the collection and processing of biometric data,37it hasdefined the term as: ‘(s)ystems that use measurable, physical or physiologicalcharacteristicsorpersonalbehaviourtraitstorecognizetheidentityorverifytheclaimedidentityofanindividual’.38The PACE has reused the definition of the Consultative Committeewhen it tackled theissue of the human rights implications of biometrics in Resolution 1797 andRecommendation 1960. 39 But the preparatory report of these two instrumentsinaccuratelymentionstheglossaryoftheEDPSasthesourceofthedefinitioninsteadoftheprogressreportoftheConsultativeCommittee.40In its glossary of terms available on itswebsite, the EDPS has indeed defined the term‘biometrics’ not as ‘biometric data’, but as amethod of recognition based on biometriccharacteristics (see Table 1 for the exact wording). This definition calls for severalremarks. First of all, the glossary of terms is not legally binding.41It constitutes acompilationof definitionsoriginating fromdifferentEU institutions.The functionof theglossary is to provide readers with a better understanding of data protection issues.Second, as specified on thewebsite,most of the definitions link to their sources. In thecaseofthedefinitionof‘biometrics’,nosourceisindicated.Third,evenifitdoesnothaveany legalvalue, ithasbeenquoted(evenifwrongly).This indicatesthat ithasat leastavalueofreference.

37ProgressReport(n16).38ProgressReport(n16)para16.39Recommendation1960(2011)(n17)andResolution1797(2011)(n17).40HaibachReport(n17).41TheOpinionsoftheEDPSarealsonotbinding,buttheyconstituteauthoritativeadvice.SeeEDPS,‘TheEDPSasanAdvisortoEUInstitutionsonPolicyandLegislations:BuildingonTenYearsofExperience,PolicyPaper’,Brussels,6June2014<https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Papers/PolicyP/14-06-04_PP_EDPSadvisor_EN.pdf>accessed20July2015.

40

Chapter 2

Table1:Definitionof‘Biometrics’intheEuropeanDataProtectionContextEuropeanbodies Definitionsof‘biometrics’

Article29WorkingParty

1.Mainlysynonymofbiometricdata.(Working document on biometrics, Opinion 7/2004,Opinion3/2012)2.Occasionallysynonymofidentificationmethodorbiometrictechnologies.(Opinion3/2012)

EDPS

1.Synonymofbiometricdata.(EDPS’svariousOpinions)2.Methodsforuniquelyrecognisinghumansbasedupononeormoreintrinsicphysicalorbehaviouraltraits.(EDPS’sglossaryofterms)

Consultative Committee of Convention108

Systems that use measurable, physical orphysiologicalcharacteristics,orpersonalbehaviourtraitstorecognizetheidentityorverifytheclaimedidentityofanindividual.(Progressreport,2005)

PACE Same definition as the one contained in the 2005ProgressReport.(Haibachreport,2011)

Definitionsof‘Biometrics’bytheScientificCommunity

Inscienceunderstoodasabroaddiscipline,theterm‘biometrics’hasmultiplemeanings.AccordingtotheEncyclopediaofBiometrics,thereareseveralexplanations.Biometricsisa relatively new field. As a logical consequence, the literature in that area ‘contain(s) avariety of definitions for any single biometric term, as well as a variety of terms forseemingly the sameconcept.’42Glossariesproducedbyseveralassociationsandnationalcouncilshaveaddedsomeconfusionbyproposingdivergingdefinitionsforthesameterm.To provide clarity to the biometric industry, the International Standards Organisation(ISO) together with the Electrotechnical Commission (IEC) has established a specificworking group to harmonise the biometric vocabulary.43This has resulted in thepublication,inDecember2012,ofthefirstversionoftheISO/IEC2382-37Standardontheharmonisationofbiometricvocabulary.ScientificdefinitionsmentionedinthissectioncanbefoundinTable2.

42RenéMcIver, ‘BiometricVocabularyStandardization’ inStanZLi (ed),EncyclopediaofBiometrics (1stedn,Springer2009)158.43A working group, Working Group 1, was established within the Subcommittee 37 (Subcommittee onBiometrics)oftheJointCommittee1oftheISO/IEC,inchargeofstandardisationinthefieldofbiometrics.Forfurtherdetails,see<www.iso.org>accessed20July2015.

SeveralScientificDisciplines,SeveralMeaningsFromanetymologicalpointofview,44theterm ‘biometrics’refers to thewords ‘bio’and‘metrics’, bothderiving fromancientGreek. ‘Bio’ finds its origin in theGreekwordβίος(‘bios’),whichmeans life. ‘Metric’ derives from the Greekwords ‘metrikos’ or ‘metron’,which means measurement. From the etymology of the term, one could infer that‘biometrics’ is the science thatmeasures life attributes.45However, this definition is toosimplisticanddoesnotreflectthemultifacetednatureoftheterm.Glossaries of biometric terms, such as the 1999 Glossary of Biometric Terms of theAssociation forBiometrics (AfB)andof the InternationalComputerSecurityAssociation(ICSA)ortheBiometricGlossaryoftheUSNSTC,showthediversityofsituationsinwhichthetermmightapply.Inthe1999GlossaryofBiometricTerms,‘biometrics’isdefinedinitssingularformasameasurablebiometriccharacteristic,whereasintheGlossaryoftheNSTC,biometricsmeansbothbiometriccharacteristic46andbiometricprocess.47In another reportwritten by a committee under theUSNational Research Council (theWhither Biometrics Committee),48the notion of ‘biometrics’ is deemed to cover twodifferent fields. The first one has emerged at the beginning of the 20th Century as theapplicationofstatisticstothefieldofbiology.Inthatcontext,biometricsisasynonymof‘biometry’.49Thedisciplinehasthenevolved intobiostatistics tocovertheapplicationofstatistical andmathematicalmethods tomanyother fields. These include amongothersmedicine,agriculture,biology,biophysics,andgenetics.50Morerecently,withthegrowinguse of automated systems to identify individuals, a second meaning has appeared.Biometricsisdefinedinthatcontextas‘theautomatedrecognitionofindividualsbasedonbiologicalandbehavioural traits’.51AccordingtotheWhitherBiometricsCommittee, thissecond fielddatesbackto the1980s.52In thecontextof thisarticle, thesecondmeaningonlyisofinterest.In2002, the JointCommittee(JTC1)of the ISO/IECestablishedanewSubcommittee,SC37,onBiometrics.Thegoalof theSubcommittee is todevelopstandards forbiometrics.AmongthesixworkinggroupscreatedtosupportthetasksoftheSubcommittee,Working

44See, forexample,VZorkadisandPDonos, ‘OnBiometrics-BasedAuthenticationand Identification fromaPrivacy-ProtectionPerspective:DerivingPrivacy-EnhancingRequirements’(2004)12IMCS125.SalilPrabhakar,SharathPankanti,andAnilJain,‘BiometricRecognition:SecurityandPrivacyConcerns’(2003)1(2)IEEESecurity&Privacy33.45ibid.46BiometricsGlossary(2006)(n11)4.47ibid.48Composedofmembersfromtheindustryandacademiafromdifferentdisciplines,theWhitherBiometricsCommitteewasappointedtowriteareportonbiometricrecognition.49FrancisGalton,‘Biometry’(1901)1Biometrika7.50ChinLongChiangandMarvinZelen,‘WhatisBiostatistics?’(1985)14(3)Biometrics771.WhitherBiometricsCommittee,BiometricRecognition(n12)16-17.51Forexample,AnilJain,‘BiometricAuthentication’(2008)3(6)Scholarpedia3716.52WhitherBiometricsCommittee,BiometricRecognition(n12)16-18.

41

2


Table1:Definitionof‘Biometrics’intheEuropeanDataProtectionContextEuropeanbodies Definitionsof‘biometrics’

Article29WorkingParty

1.Mainlysynonymofbiometricdata.(Working document on biometrics, Opinion 7/2004,Opinion3/2012)2.Occasionallysynonymofidentificationmethodorbiometrictechnologies.(Opinion3/2012)

EDPS

1.Synonymofbiometricdata.(EDPS’svariousOpinions)2.Methodsforuniquelyrecognisinghumansbasedupononeormoreintrinsicphysicalorbehaviouraltraits.(EDPS’sglossaryofterms)


Systems that use measurable, physical orphysiologicalcharacteristics,orpersonalbehaviourtraitstorecognizetheidentityorverifytheclaimedidentityofanindividual.(Progressreport,2005)

PACE Same definition as the one contained in the 2005ProgressReport.(Haibachreport,2011)

Definitionsof‘Biometrics’bytheScientificCommunity

Inscienceunderstoodasabroaddiscipline,theterm‘biometrics’hasmultiplemeanings.AccordingtotheEncyclopediaofBiometrics,thereareseveralexplanations.Biometricsisa relatively new field. As a logical consequence, the literature in that area ‘contain(s) avariety of definitions for any single biometric term, as well as a variety of terms forseemingly the sameconcept.’42Glossariesproducedbyseveralassociationsandnationalcouncilshaveaddedsomeconfusionbyproposingdivergingdefinitionsforthesameterm.To provide clarity to the biometric industry, the International Standards Organisation(ISO) together with the Electrotechnical Commission (IEC) has established a specificworking group to harmonise the biometric vocabulary.43This has resulted in thepublication,inDecember2012,ofthefirstversionoftheISO/IEC2382-37Standardontheharmonisationofbiometricvocabulary.ScientificdefinitionsmentionedinthissectioncanbefoundinTable2.

42RenéMcIver, ‘BiometricVocabularyStandardization’ inStanZLi (ed),EncyclopediaofBiometrics (1stedn,Springer2009)158.43A working group, Working Group 1, was established within the Subcommittee 37 (Subcommittee onBiometrics)oftheJointCommittee1oftheISO/IEC,inchargeofstandardisationinthefieldofbiometrics.Forfurtherdetails,see<www.iso.org>accessed20July2015.

SeveralScientificDisciplines,SeveralMeaningsFromanetymologicalpointofview,44theterm ‘biometrics’refers to thewords ‘bio’and‘metrics’, bothderiving fromancientGreek. ‘Bio’ finds its origin in theGreekwordβίος(‘bios’),whichmeans life. ‘Metric’ derives from the Greekwords ‘metrikos’ or ‘metron’,which means measurement. From the etymology of the term, one could infer that‘biometrics’ is the science thatmeasures life attributes.45However, this definition is toosimplisticanddoesnotreflectthemultifacetednatureoftheterm.Glossaries of biometric terms, such as the 1999 Glossary of Biometric Terms of theAssociation forBiometrics (AfB)andof the InternationalComputerSecurityAssociation(ICSA)ortheBiometricGlossaryoftheUSNSTC,showthediversityofsituationsinwhichthetermmightapply.Inthe1999GlossaryofBiometricTerms,‘biometrics’isdefinedinitssingularformasameasurablebiometriccharacteristic,whereasintheGlossaryoftheNSTC,biometricsmeansbothbiometriccharacteristic46andbiometricprocess.47In another reportwritten by a committee under theUSNational Research Council (theWhither Biometrics Committee),48the notion of ‘biometrics’ is deemed to cover twodifferent fields. The first one has emerged at the beginning of the 20th Century as theapplicationofstatisticstothefieldofbiology.Inthatcontext,biometricsisasynonymof‘biometry’.49Thedisciplinehasthenevolved intobiostatistics tocovertheapplicationofstatistical andmathematicalmethods tomanyother fields. These include amongothersmedicine,agriculture,biology,biophysics,andgenetics.50Morerecently,withthegrowinguse of automated systems to identify individuals, a second meaning has appeared.Biometricsisdefinedinthatcontextas‘theautomatedrecognitionofindividualsbasedonbiologicalandbehavioural traits’.51AccordingtotheWhitherBiometricsCommittee, thissecond fielddatesbackto the1980s.52In thecontextof thisarticle, thesecondmeaningonlyisofinterest.In2002, the JointCommittee(JTC1)of the ISO/IECestablishedanewSubcommittee,SC37,onBiometrics.Thegoalof theSubcommittee is todevelopstandards forbiometrics.AmongthesixworkinggroupscreatedtosupportthetasksoftheSubcommittee,Working

44See, forexample,VZorkadisandPDonos, ‘OnBiometrics-BasedAuthenticationand Identification fromaPrivacy-ProtectionPerspective:DerivingPrivacy-EnhancingRequirements’(2004)12IMCS125.SalilPrabhakar,SharathPankanti,andAnilJain,‘BiometricRecognition:SecurityandPrivacyConcerns’(2003)1(2)IEEESecurity&Privacy33.45ibid.46BiometricsGlossary(2006)(n11)4.47ibid.48Composedofmembersfromtheindustryandacademiafromdifferentdisciplines,theWhitherBiometricsCommitteewasappointedtowriteareportonbiometricrecognition.49FrancisGalton,‘Biometry’(1901)1Biometrika7.50ChinLongChiangandMarvinZelen,‘WhatisBiostatistics?’(1985)14(3)Biometrics771.WhitherBiometricsCommittee,BiometricRecognition(n12)16-17.51Forexample,AnilJain,‘BiometricAuthentication’(2008)3(6)Scholarpedia3716.52WhitherBiometricsCommittee,BiometricRecognition(n12)16-18.

42

Chapter 2

37

Group 1 (WG 1) is responsible for harmonising the vocabulary used in the field ofbiometrics.53TheInternationalStandardISO/IEC2382-37istheresultofitswork.

TowardsaHarmonisedDefinitionoftheTerm‘Biometrics’inISO/IEC2382-37

The International Standard provides a definition of ‘biometrics’ and clarifies in thatcontextcorrectandincorrectusagesoftheterm.The term ‘biometric(s)’ is mentioned under three different entries: ‘biometric’ as anadjective,54‘biometrics’ as a plural noun (defined under ‘biometric recognition’),55and‘biometric’asasingularnoun(definedunder‘biometriccharacteristic’).56AccordingtotheInternationalStandard, ‘biometric’shouldeitherbeused in itsadjectiveorplural forms.Butitshouldnotbeusedasasingularnoun.57As an adjective, the termmeans ‘of or having to dowith biometrics’.58Biometrics, as aplural noun, is described as the ‘automated recognition of individuals based on theirbiologicalandbehaviouralcharacteristics’.59AccordingtotheStandard,recognitioncoversthe two functions of a biometric system, i.e. the verification of identity and theidentification of an individual.60The adjective ‘automated’ refers to a machine basedsystem(…)eitherforthefullprocessorassistedbyahumanbeing’.61Finally,theStandardacknowledges theexistenceofbiostatistics since it clarifies that ‘thegeneralmeaningofbiometricsencompassescounting,measuringandstatisticalanalysisofanykindofdatainthebiologicalsciencesincludingtherelevantmedicalsciences’.62It should be noted that even if ISO/IEC Standards do not have a binding effect - unlessimposed by law at national level - they are likely to be followed by governments andindustries.63In the case of the International Standard ISO/IEC2382-37, the ItalianDataProtection Authority (‘the Garante’) has already acknowledged the authority of theStandardin itsGuidelinesonBiometricRecognitionandGraphometricSignature. Inthatdocument,theGarante‘considersitnecessarytousethedefinitionstobefoundinISO/EC2382-37(…)inordertorelyontheharmonizedwordinginahighlytechnicalcontext’.64

53For furtherdetailsonthehistoryof ISO/IECJTC1,see<https://jtc1history.wordpress.com/sc-37-r2013/>accessed20July2015.54ISO/IEC2382-37,term37.01.01.55ISO/IEC2382-37,term37.01.03.56ISO/IEC2382-37,term37.01.02.57ISO/IEC 2382-37, term 37.01.01, the use of ‘biometric’ as a synonym of ‘biometric characteristic’ isdeprecated.Asawronguseoftheterm,theStandardgivesthefollowingexample:‘thebiometricrecordedinmypassportisafacialimage.’58ISO/IEC2382-37,term37.01.01.59ISO/IEC2382-37,term37.01.03.60ISO/IEC2382-37,term37.01.03,Note3.61ISO/IEC2382-37,term37.01.03,Note4.62ISO/IEC2382-37,term37.01.03,Note1.63<www.iso.org>accessed20July2015.64Garante(n10)3.

As a consequence, and in accordancewith the International Standard ISO/IEC2387-32,‘biometrics’ as a noun should only be used tomean ‘automated recognition’. Any otheruses,andinparticularasasynonymof‘biometriccharacteristic’,shouldbeexcluded.ThetwoglossariesmentionedabovethereforecontaindefinitionsthatdonotcomplywiththeInternationalStandard.65Table2:Definitionsof‘Biometrics’bytheScientificCommunityScientificsources Definitionsof‘biometrics’

1999 Glossary of BiometricTerms

(Singular form):Ameasurable,physical characteristicorpersonalbehavioural traitused to recognise the identityorverifytheclaimidentityofanenrolee

BiometricGlossary 1. Characteristic: measurable biological or behaviouralaspects of the person that can be used for automatedrecognition2. Process: automated methods of recognising anindividual based on measurable biological andbehaviouralcharacteristics

ReportonBiometricRecognition

1.Synonymofbiometry2.Automatedrecognitionofindividualsbasedonbiologicalandbehaviouralcharacteristics

ISO/IEC2382-37Standard

1.Asanadjective:oforhavingtodowithbiometrics2. As a noun (plural): automated recognition ofindividuals based on their biological and behaviouralcharacteristics

Toconcludethissection,onthescientificside,theexistenceofseveraldefinitionsfortheterm‘biometrics’reflectsnotonlytheexistenceofdifferentdisciplines,butalsodifferentunderstandingsaboutthefunctionofbiometrictechnologies.However,withtheadoptionoftheInternationalStandardISO/IEC2382-37,thetermshouldonlybeusedtomeanthe‘automated recognition of individuals based on their biological and behaviouralcharacteristics’.Onthelegalside,themultipledefinitionsofthetermcreateconfusionandfuzziness.ItistruethattheArticle29DataProtectionWorkingPartyhas(almost)alwaysusedtheterm‘biometrics’ as a synonym of ‘biometric data’. Yet, there are a few exceptions in its

65Here it should be noted that theBiometricsGlossary of theUSNational Science andTechnology Councilshouldhavebeenadjusted to the International ISO/IECStandardas itprovided in its introduction that ‘thesubcommittee(inchargeoftheGlossary)w(ould)reviewth(e)Glossaryforconsistencyasstandards(ietheonesbyISO/IEC)arepassed’,andBiometricsGlossary(n11)1.

43

2


37

Group 1 (WG 1) is responsible for harmonising the vocabulary used in the field ofbiometrics.53TheInternationalStandardISO/IEC2382-37istheresultofitswork.

TowardsaHarmonisedDefinitionoftheTerm‘Biometrics’inISO/IEC2382-37

The International Standard provides a definition of ‘biometrics’ and clarifies in thatcontextcorrectandincorrectusagesoftheterm.The term ‘biometric(s)’ is mentioned under three different entries: ‘biometric’ as anadjective,54‘biometrics’ as a plural noun (defined under ‘biometric recognition’),55and‘biometric’asasingularnoun(definedunder‘biometriccharacteristic’).56AccordingtotheInternationalStandard, ‘biometric’shouldeitherbeused in itsadjectiveorplural forms.Butitshouldnotbeusedasasingularnoun.57As an adjective, the termmeans ‘of or having to dowith biometrics’.58Biometrics, as aplural noun, is described as the ‘automated recognition of individuals based on theirbiologicalandbehaviouralcharacteristics’.59AccordingtotheStandard,recognitioncoversthe two functions of a biometric system, i.e. the verification of identity and theidentification of an individual.60The adjective ‘automated’ refers to a machine basedsystem(…)eitherforthefullprocessorassistedbyahumanbeing’.61Finally,theStandardacknowledges theexistenceofbiostatistics since it clarifies that ‘thegeneralmeaningofbiometricsencompassescounting,measuringandstatisticalanalysisofanykindofdatainthebiologicalsciencesincludingtherelevantmedicalsciences’.62It should be noted that even if ISO/IEC Standards do not have a binding effect - unlessimposed by law at national level - they are likely to be followed by governments andindustries.63In the case of the International Standard ISO/IEC2382-37, the ItalianDataProtection Authority (‘the Garante’) has already acknowledged the authority of theStandardin itsGuidelinesonBiometricRecognitionandGraphometricSignature. Inthatdocument,theGarante‘considersitnecessarytousethedefinitionstobefoundinISO/EC2382-37(…)inordertorelyontheharmonizedwordinginahighlytechnicalcontext’.64

53For furtherdetailsonthehistoryof ISO/IECJTC1,see<https://jtc1history.wordpress.com/sc-37-r2013/>accessed20July2015.54ISO/IEC2382-37,term37.01.01.55ISO/IEC2382-37,term37.01.03.56ISO/IEC2382-37,term37.01.02.57ISO/IEC 2382-37, term 37.01.01, the use of ‘biometric’ as a synonym of ‘biometric characteristic’ isdeprecated.Asawronguseoftheterm,theStandardgivesthefollowingexample:‘thebiometricrecordedinmypassportisafacialimage.’58ISO/IEC2382-37,term37.01.01.59ISO/IEC2382-37,term37.01.03.60ISO/IEC2382-37,term37.01.03,Note3.61ISO/IEC2382-37,term37.01.03,Note4.62ISO/IEC2382-37,term37.01.03,Note1.63<www.iso.org>accessed20July2015.64Garante(n10)3.

As a consequence, and in accordancewith the International Standard ISO/IEC2387-32,‘biometrics’ as a noun should only be used tomean ‘automated recognition’. Any otheruses,andinparticularasasynonymof‘biometriccharacteristic’,shouldbeexcluded.ThetwoglossariesmentionedabovethereforecontaindefinitionsthatdonotcomplywiththeInternationalStandard.65Table2:Definitionsof‘Biometrics’bytheScientificCommunityScientificsources Definitionsof‘biometrics’

1999 Glossary of BiometricTerms

(Singular form):Ameasurable,physical characteristicorpersonalbehavioural traitused to recognise the identityorverifytheclaimidentityofanenrolee

BiometricGlossary 1. Characteristic: measurable biological or behaviouralaspects of the person that can be used for automatedrecognition2. Process: automated methods of recognising anindividual based on measurable biological andbehaviouralcharacteristics

ReportonBiometricRecognition

1.Synonymofbiometry2.Automatedrecognitionofindividualsbasedonbiologicalandbehaviouralcharacteristics


1.Asanadjective:oforhavingtodowithbiometrics2. As a noun (plural): automated recognition ofindividuals based on their biological and behaviouralcharacteristics

Toconcludethissection,onthescientificside,theexistenceofseveraldefinitionsfortheterm‘biometrics’reflectsnotonlytheexistenceofdifferentdisciplines,butalsodifferentunderstandingsaboutthefunctionofbiometrictechnologies.However,withtheadoptionoftheInternationalStandardISO/IEC2382-37,thetermshouldonlybeusedtomeanthe‘automated recognition of individuals based on their biological and behaviouralcharacteristics’.Onthelegalside,themultipledefinitionsofthetermcreateconfusionandfuzziness.ItistruethattheArticle29DataProtectionWorkingPartyhas(almost)alwaysusedtheterm‘biometrics’ as a synonym of ‘biometric data’. Yet, there are a few exceptions in its

65Here it should be noted that theBiometricsGlossary of theUSNational Science andTechnology Councilshouldhavebeenadjusted to the International ISO/IECStandardas itprovided in its introduction that ‘thesubcommittee(inchargeoftheGlossary)w(ould)reviewth(e)Glossaryforconsistencyasstandards(ietheonesbyISO/IEC)arepassed’,andBiometricsGlossary(n11)1.

44

Chapter 2

Opinionsthatcreateconfusion.66AsfortheEDPS,theEuropeanbodyseemstofollowtheanalysismadeby theArticle29WorkingParty in its ownOpinions.But this ispartiallytrue as its glossary of terms contains a different definition for the term ‘biometrics’.Finally,bodiesrelatedtotheCouncilofEuropedefine ‘biometrics’ inawayclosertothescientific definition of the term. As a result to avoid any confusion, when the term‘biometrics’ isusedinadataprotectionandprivacycontext,thetermshouldexclusivelyrefer to the definition contained in the International Standard, i.e. it should mean‘automatedrecognition’. Inothercases,thetermshouldnotbeused.Someauthorshaveevenarguedthattheterm‘biometrics’shouldnotbeusedatallbecauseoftheconfusionthat its historical and traditional meanings can create. Instead, the term should beexclusivelyreplacedbytheexpression‘biometricrecognition’.67Afterhavingclarifiedthemeaningof‘biometrics’andtheconditionsunderwhichthetermshould be used in a data protection and privacy context, the article investigates themeaningsof‘biometricdata’forthebiometricandEuropeandataprotectioncommunities.

BiometricData:ATechnicalandaLegalNotionThesecondsectionofthearticleexploreshowtheterm‘biometricdata’hasbeendefinedandconceivedfromascientificperspectiveandadataprotectionandprivacyperspective.It will also assess whether the legal definition of the term should reflect the technicalprocessingofanindividual’sdataandifso,whichtechnicalcriteriaaremissinginthelegaldefinition(s)oftheterm.Defining the notion of ‘biometric data’ is essential to determine the regime of dataprotectionandprivacythatcanapplytothistypeof(personal)data.

NotionDefinedbytheBiometricCommunityInthedifferentscientificsources,68theterm‘biometricdata’relatestoor isdefinedasa‘biometric sample’ or ‘aggregation of biometric samples’. The Biometric GlossaryelaboratedbytheUSNSTCprovidesabroaderdefinitionasitconsiders‘biometricdata’as‘acatch-allphraseforcomputerdatacreatedduringabiometricprocess.Itencompassesrawsensorobservations,biometric samples,models, templatesand/or similarity scores(…).’69AllrelevantdefinitionsarerecappedinTable3.Thedifferent scientificdefinitions (glossaries, encyclopaedia)are linked to the technicaltransformationofthebiometriccharacteristicsintotemplates.Thedefinitioncontainedin66SeeOpinion3/2012(n7)andexamplesprovidedinfootnotes30and31ofthisarticle.67Anil Jain, Arun Ross,and Karthik Nandakumar, Introduction toBiometrics (1st edn, Springer, New York,Dordrecht,Heidelberg,London,2011)2.68‘BiometricData’,inSZLi(ed.),EncyclopediaofBiometrics(1stedn,Springer,NewYork,2009)81.ISO/IEC2383-37,term37.03.06.GlossaryofBiometricTerms(n11).69BiometricsGlossary(n11)5.

the ISO/IEC2382-37refers inparticular to thedifferentphasesofabiometricsystem.70Biometric data are therein described as ‘biometric sample or aggregation of biometricsamples at any stage of processing, e.g. biometric reference, biometric probe, biometricfeatureorbiometricproperty’.TheISO/IECStandardthereforeconsidersthefollowingasbiometricdata:(a)thecaptureof thedata (‘biometric sample’),71(b) theextractionof thedatacontained in thesample(‘biometric feature’),72(c) the attribution of stored biometric samples to a specificindividual for comparison use (‘biometric reference’), 73 and (d) the comparison(‘biometricprobe’).74Thedescriptionof‘biometricdata’intheInternationalStandardleadstoseveralremarks.Firstofall,theStandarddoesnotprovidemuchdetailonthedefinitionitselfexceptthatitexpresslyspecifiesthatthenotion‘needsnottobeattributabletoaspecificindividual’.75This is precisely this non-criterion that distinguishes the notion of ‘biometric data’ in adata protection context from the notion in the scientific context. That link between anindividual andhis orherbiometric characteristics is at theheart of thedataprotectionframework.Itallowstheidentificationofindividuals.Theidentification,orbettersaidtheidentifiability,76of an individual is fundamental to the notion of ‘biometric data’ in apersonaldatacontext.77Second, as defined in the Standard, the terms ‘biometric features’ and ‘biometriccharacteristics’ are absolutely not synonymous. ‘Biometric feature’ corresponds to‘numbers or labels extracted frombiometric samples and used for comparison’78and isthus limited to the information extracted from the biometric sample. ‘Biometriccharacteristic’existsindependentlyofthetechnicalprocessofinformationextraction.Thetermisdefinedas‘biologicalandbehaviouralcharacteristicsofanindividualfromwhichdistinguishing,repeatablebiometricfeaturescanbeextractedforthepurposeofbiometricrecognition’.79Examples of biometric characteristics are finger topography, finger ridgepatterns,andretinalpatterns.80

70Thesephasesareusuallytheenrolment,storage,acquisition,andmatchingofthedata.71ISO/IEC2382-37, term37.03.21; defined as “analog or digital representation of biometric characteristicspriortobiometricfeature‘extraction’.”72ISO/IEC2382-37,term37.03.11;definedas‘numbersorlabelsextractedfrombiometricsamplesandusedforcomparison.’73ISO/IEC2382-37,term37.03.16;definedas‘oneormorestoredbiometricsamples,biometrictemplatesorbiometricmodelsattributedtoabiometricdatasubjectandusedastheobjectofbiometriccomparison.’74ISO/IEC2382-37,term37.03.14;definedas‘biometricsampleofbiometricfeaturesetinputtoanalgorithmforuseasthesubjectofbiometriccomparisontoabiometricreference.’75ISO/IEC2382-37,term37.03.06.76Theidentifiabilityistheabilitytoidentifyanindividualfromhisorherdata.77Opinion4/2007(n33).78ISO/IEC2382-37,term37.03.11.79ISO/IEC2382-37,term37.01.02.80ISO/IEC2382-37,examplesunderterm37.01.02.

45

2


Opinionsthatcreateconfusion.66AsfortheEDPS,theEuropeanbodyseemstofollowtheanalysismadeby theArticle29WorkingParty in its ownOpinions.But this ispartiallytrue as its glossary of terms contains a different definition for the term ‘biometrics’.Finally,bodiesrelatedtotheCouncilofEuropedefine ‘biometrics’ inawayclosertothescientific definition of the term. As a result to avoid any confusion, when the term‘biometrics’ isusedinadataprotectionandprivacycontext,thetermshouldexclusivelyrefer to the definition contained in the International Standard, i.e. it should mean‘automatedrecognition’. Inothercases,thetermshouldnotbeused.Someauthorshaveevenarguedthattheterm‘biometrics’shouldnotbeusedatallbecauseoftheconfusionthat its historical and traditional meanings can create. Instead, the term should beexclusivelyreplacedbytheexpression‘biometricrecognition’.67Afterhavingclarifiedthemeaningof‘biometrics’andtheconditionsunderwhichthetermshould be used in a data protection and privacy context, the article investigates themeaningsof‘biometricdata’forthebiometricandEuropeandataprotectioncommunities.

BiometricData:ATechnicalandaLegalNotionThesecondsectionofthearticleexploreshowtheterm‘biometricdata’hasbeendefinedandconceivedfromascientificperspectiveandadataprotectionandprivacyperspective.It will also assess whether the legal definition of the term should reflect the technicalprocessingofanindividual’sdataandifso,whichtechnicalcriteriaaremissinginthelegaldefinition(s)oftheterm.Defining the notion of ‘biometric data’ is essential to determine the regime of dataprotectionandprivacythatcanapplytothistypeof(personal)data.

NotionDefinedbytheBiometricCommunityInthedifferentscientificsources,68theterm‘biometricdata’relatestoor isdefinedasa‘biometric sample’ or ‘aggregation of biometric samples’. The Biometric GlossaryelaboratedbytheUSNSTCprovidesabroaderdefinitionasitconsiders‘biometricdata’as‘acatch-allphraseforcomputerdatacreatedduringabiometricprocess.Itencompassesrawsensorobservations,biometric samples,models, templatesand/or similarity scores(…).’69AllrelevantdefinitionsarerecappedinTable3.Thedifferent scientificdefinitions (glossaries, encyclopaedia)are linked to the technicaltransformationofthebiometriccharacteristicsintotemplates.Thedefinitioncontainedin66SeeOpinion3/2012(n7)andexamplesprovidedinfootnotes30and31ofthisarticle.67Anil Jain, Arun Ross,and Karthik Nandakumar, Introduction toBiometrics (1st edn, Springer, New York,Dordrecht,Heidelberg,London,2011)2.68‘BiometricData’,inSZLi(ed.),EncyclopediaofBiometrics(1stedn,Springer,NewYork,2009)81.ISO/IEC2383-37,term37.03.06.GlossaryofBiometricTerms(n11).69BiometricsGlossary(n11)5.

the ISO/IEC2382-37refers inparticular to thedifferentphasesofabiometricsystem.70Biometric data are therein described as ‘biometric sample or aggregation of biometricsamples at any stage of processing, e.g. biometric reference, biometric probe, biometricfeatureorbiometricproperty’.TheISO/IECStandardthereforeconsidersthefollowingasbiometricdata:(a)thecaptureof thedata (‘biometric sample’),71(b) theextractionof thedatacontained in thesample(‘biometric feature’),72(c) the attribution of stored biometric samples to a specificindividual for comparison use (‘biometric reference’), 73 and (d) the comparison(‘biometricprobe’).74Thedescriptionof‘biometricdata’intheInternationalStandardleadstoseveralremarks.Firstofall,theStandarddoesnotprovidemuchdetailonthedefinitionitselfexceptthatitexpresslyspecifiesthatthenotion‘needsnottobeattributabletoaspecificindividual’.75This is precisely this non-criterion that distinguishes the notion of ‘biometric data’ in adata protection context from the notion in the scientific context. That link between anindividual andhis orherbiometric characteristics is at theheart of thedataprotectionframework.Itallowstheidentificationofindividuals.Theidentification,orbettersaidtheidentifiability,76of an individual is fundamental to the notion of ‘biometric data’ in apersonaldatacontext.77Second, as defined in the Standard, the terms ‘biometric features’ and ‘biometriccharacteristics’ are absolutely not synonymous. ‘Biometric feature’ corresponds to‘numbers or labels extracted frombiometric samples and used for comparison’78and isthus limited to the information extracted from the biometric sample. ‘Biometriccharacteristic’existsindependentlyofthetechnicalprocessofinformationextraction.Thetermisdefinedas‘biologicalandbehaviouralcharacteristicsofanindividualfromwhichdistinguishing,repeatablebiometricfeaturescanbeextractedforthepurposeofbiometricrecognition’.79Examples of biometric characteristics are finger topography, finger ridgepatterns,andretinalpatterns.80

70Thesephasesareusuallytheenrolment,storage,acquisition,andmatchingofthedata.71ISO/IEC2382-37, term37.03.21; defined as “analog or digital representation of biometric characteristicspriortobiometricfeature‘extraction’.”72ISO/IEC2382-37,term37.03.11;definedas‘numbersorlabelsextractedfrombiometricsamplesandusedforcomparison.’73ISO/IEC2382-37,term37.03.16;definedas‘oneormorestoredbiometricsamples,biometrictemplatesorbiometricmodelsattributedtoabiometricdatasubjectandusedastheobjectofbiometriccomparison.’74ISO/IEC2382-37,term37.03.14;definedas‘biometricsampleofbiometricfeaturesetinputtoanalgorithmforuseasthesubjectofbiometriccomparisontoabiometricreference.’75ISO/IEC2382-37,term37.03.06.76Theidentifiabilityistheabilitytoidentifyanindividualfromhisorherdata.77Opinion4/2007(n33).78ISO/IEC2382-37,term37.03.11.79ISO/IEC2382-37,term37.01.02.80ISO/IEC2382-37,examplesunderterm37.01.02.

46

Chapter 2

41

Table3:Notionof‘BiometricData’asdefinedbytheBiometricCommunityScientificsources Definitionsof‘biometricdata’

1999GlossaryofBiometricTerms

Information extracted from the biometric sampleand used either to build a reference template(templatedata)ortocompareagainstapreviouslycreatedreferencetemplate(comparisondata).

TheBiometricGlossary Acatchallphraseforcomputerdatacreatedduringa biometric process. It encompasses raw sensorobservations,biometricsamples,models,templatesand/or similarity scores.Biometricdata is used todescribe the information collected during anenrolment, verification, or identification process,butdoesnotapplytoenduserinformationsuchasuser name, demographic information andauthorizations.

EncyclopediaofBiometrics

Any data record containing a biometric sample ofanymodality(ormultiplemodalities),whetherthatdatahasbeenprocessedornot.Biometricdatamaybe formatted (encoded) in accordance with astandard or may be vendor specific (proprietary)and may or may not be encapsulated with themetadata.


Biometricsampleoraggregationofbiometricsampleatanystageofprocessing,e.g.biometricreference,biometricprobe,biometricfeatureorbiometricproperty.

NotionDefinedbytheLegalCommunityintheDataProtectionandPrivacy

ContextNot surprisingly Convention 108 and the Data Protection Directive do notmention theterm‘biometricdata’.Atthetimeoftheirrespectiveadoption(1980and1995),thetopicof ‘biometricdata’andtheapplicationofdataprotectionrulestobiometric technologieswerenotwidelydiscussed.Oneofthefirstdocumentstoaddressbiometric issuesistheworking document on biometrics released in 2003 by the Article 29 Data ProtectionWorking Party.81But it is not until 2007 that the Working Party defines the term‘biometricdata’initsgenericOpinionontheconceptofpersonaldata,Opinion4/2007.82ThatdefinitionhasbeenreferredbytheEDPS,inparticularinitsOpinionontheTurbineproject.83In 2012, the European Commission proposed to add a definition of ‘biometric

81A29WP,Workingdocumentonbiometrics(n26).82A29WP,Opinion4/2007(n33).83A29WP,OpinionontheTurbineProject(n35).

42

data’inthefutureregulatoryframeworkofdataprotection.84BoththeEPandtheCounciloftheEUhaveamendedtheproposeddefinitionduringtheirrespectivevoteandpoliticalagreementontheproposaloftheGDPR.85Inparallel,attheleveloftheCouncilofEurope,theConsultativeCommitteeofConvention108hastakenadifferentstance. In the latestdraft explanatory report of the modernisation of Convention 108, the ConsultativeCommittee has defined the term by reference to the technical process of extraction ofbiometricinformation.86The exact wording of the different definitions proposed by the European bodies andinstitutionscanbefoundinTable4.Insteadofpresentingeachoftheminachronologicalor linearorder, common criteriahavebeenextracted and their relevance assessed.Thefollowing three criteria are discussed below: (1) the qualification of ‘biometric data’ aspersonal data, (2) their link to biometric characteristics, and (3) their characteristic of‘uniqueness’. In addition, at the end of the section, the article exploreswhether one orseveralcriteria,extractedfromthetechnicaldefinitionoftheterm,shouldbeaddedtothelegaldefinitionoftheterm.

a. QualificationasPersonalDataAmongthedifferent legaldefinitionsreviewed,onlytheoneamendedbytheEPandtheCouncil of the EU explicitly link biometric data to the notion of ‘personal data’. In theoriginalproposalsoftheDataProtectionReformPackage,theEuropeanCommissionhasbroadly defined ‘biometric data’ as ‘any data relating to (biometric) characteristics’(underlineadded).87During thenumerousdiscussionsonthemanyEP’samendments totheEuropeanCommission’sproposals,theadjective‘personal’wasaddedtothedefinitionfor a ‘linguistic clarification’.88This is the unique justification that can be found in thewritten reports of the parliamentary amendments. In the impact assessmentaccompanying both proposals of the Data Protection Reform Package, the EuropeanCommissionhas implicitlyrecognised ‘biometricdata’asacategoryof ‘personaldata’. Itstatesthatoneofthepossiblelegislativeoptionstorevisethedataprotectionframeworkcould be to add, among others, ‘biometric data’ to the category of sensitive data.89Yet,sensitivedataareaspecificcategoryofpersonaldata.90

84DataProtectionReformPackage(n1).85European Parliament, legislative resolutions on the data protection reform package (2014) (n 4), andCounciloftheEU,politicalagreement(n5).86CouncilofEurope,ConsultativeCommittee,DraftExplanatoryReport(2013)(n18).87See,respectively,originalart4(11)oftheproposedGeneralDataProtectionRegulationandoriginalart3(11)oftheproposedDirectiveonlawenforcement(n2andn3).88SeeJPAlbrecht(rapporteur),Draftreporton‘theproposalforaregulationoftheEuropeanParliamentandoftheCouncilontheprotectionofindividualwithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata(GeneralDataProtectionRegulation)’,PE506.145v01-00,amendment778proposedbyAlexanderAlvaro,101.<http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-506.145+01+DOC+PDF+V0//EN&language=EN>accessed20July2015.89SEC(2012)72final(n36)52and56.90art8,para1,Directive95/46EC.

47

2


41

Table3:Notionof‘BiometricData’asdefinedbytheBiometricCommunityScientificsources Definitionsof‘biometricdata’

1999GlossaryofBiometricTerms

Information extracted from the biometric sampleand used either to build a reference template(templatedata)ortocompareagainstapreviouslycreatedreferencetemplate(comparisondata).

TheBiometricGlossary Acatchallphraseforcomputerdatacreatedduringa biometric process. It encompasses raw sensorobservations,biometricsamples,models,templatesand/or similarity scores.Biometricdata is used todescribe the information collected during anenrolment, verification, or identification process,butdoesnotapplytoenduserinformationsuchasuser name, demographic information andauthorizations.

EncyclopediaofBiometrics

Any data record containing a biometric sample ofanymodality(ormultiplemodalities),whetherthatdatahasbeenprocessedornot.Biometricdatamaybe formatted (encoded) in accordance with astandard or may be vendor specific (proprietary)and may or may not be encapsulated with themetadata.


Biometricsampleoraggregationofbiometricsampleatanystageofprocessing,e.g.biometricreference,biometricprobe,biometricfeatureorbiometricproperty.

NotionDefinedbytheLegalCommunityintheDataProtectionandPrivacy

ContextNot surprisingly Convention 108 and the Data Protection Directive do notmention theterm‘biometricdata’.Atthetimeoftheirrespectiveadoption(1980and1995),thetopicof ‘biometricdata’andtheapplicationofdataprotectionrulestobiometric technologieswerenotwidelydiscussed.Oneofthefirstdocumentstoaddressbiometric issuesistheworking document on biometrics released in 2003 by the Article 29 Data ProtectionWorking Party.81But it is not until 2007 that the Working Party defines the term‘biometricdata’initsgenericOpinionontheconceptofpersonaldata,Opinion4/2007.82ThatdefinitionhasbeenreferredbytheEDPS,inparticularinitsOpinionontheTurbineproject.83In 2012, the European Commission proposed to add a definition of ‘biometric

81A29WP,Workingdocumentonbiometrics(n26).82A29WP,Opinion4/2007(n33).83A29WP,OpinionontheTurbineProject(n35).

42

data’inthefutureregulatoryframeworkofdataprotection.84BoththeEPandtheCounciloftheEUhaveamendedtheproposeddefinitionduringtheirrespectivevoteandpoliticalagreementontheproposaloftheGDPR.85Inparallel,attheleveloftheCouncilofEurope,theConsultativeCommitteeofConvention108hastakenadifferentstance. In the latestdraft explanatory report of the modernisation of Convention 108, the ConsultativeCommittee has defined the term by reference to the technical process of extraction ofbiometricinformation.86The exact wording of the different definitions proposed by the European bodies andinstitutionscanbefoundinTable4.Insteadofpresentingeachoftheminachronologicalor linearorder, common criteriahavebeenextracted and their relevance assessed.Thefollowing three criteria are discussed below: (1) the qualification of ‘biometric data’ aspersonal data, (2) their link to biometric characteristics, and (3) their characteristic of‘uniqueness’. In addition, at the end of the section, the article exploreswhether one orseveralcriteria,extractedfromthetechnicaldefinitionoftheterm,shouldbeaddedtothelegaldefinitionoftheterm.

a. QualificationasPersonalDataAmongthedifferent legaldefinitionsreviewed,onlytheoneamendedbytheEPandtheCouncil of the EU explicitly link biometric data to the notion of ‘personal data’. In theoriginalproposalsoftheDataProtectionReformPackage,theEuropeanCommissionhasbroadly defined ‘biometric data’ as ‘any data relating to (biometric) characteristics’(underlineadded).87During thenumerousdiscussionsonthemanyEP’samendments totheEuropeanCommission’sproposals,theadjective‘personal’wasaddedtothedefinitionfor a ‘linguistic clarification’.88This is the unique justification that can be found in thewritten reports of the parliamentary amendments. In the impact assessmentaccompanying both proposals of the Data Protection Reform Package, the EuropeanCommissionhas implicitlyrecognised ‘biometricdata’asacategoryof ‘personaldata’. Itstatesthatoneofthepossiblelegislativeoptionstorevisethedataprotectionframeworkcould be to add, among others, ‘biometric data’ to the category of sensitive data.89Yet,sensitivedataareaspecificcategoryofpersonaldata.90

84DataProtectionReformPackage(n1).85European Parliament, legislative resolutions on the data protection reform package (2014) (n 4), andCounciloftheEU,politicalagreement(n5).86CouncilofEurope,ConsultativeCommittee,DraftExplanatoryReport(2013)(n18).87See,respectively,originalart4(11)oftheproposedGeneralDataProtectionRegulationandoriginalart3(11)oftheproposedDirectiveonlawenforcement(n2andn3).88SeeJPAlbrecht(rapporteur),Draftreporton‘theproposalforaregulationoftheEuropeanParliamentandoftheCouncilontheprotectionofindividualwithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata(GeneralDataProtectionRegulation)’,PE506.145v01-00,amendment778proposedbyAlexanderAlvaro,101.<http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-506.145+01+DOC+PDF+V0//EN&language=EN>accessed20July2015.89SEC(2012)72final(n36)52and56.90art8,para1,Directive95/46EC.

48

Chapter 2

Without labelling ‘biometric data’ of ‘personal data’, other institutions have, however,acknowledged the nature of ‘biometric data’. This is the case of the Article 29 DataProtectionWorkingParty,whichhasstatedthat‘biometricdataareinmostcasespersonaldata’.91The EDPS has also reproduced the argument of the Working Party in its ownOpinions.92AttheleveloftheCouncilofEurope,thedifferentbodiesinvolvedinbiometricissueshavemade thorough analysis and claimed for aneed to clarify thedefinition and the typeoflegislation covering these data.93Finally, it should be mentioned that the ConsultativeCommittee of Convention 108 has refused to take position on the issue in its ProgressReport of 2005, quoting arguments pro and con the qualification of ‘biometric data’ as‘personaldata’.94Yet,theConsultativeCommitteehasconcludedthat‘assoonasbiometricdataarecollectedwithaviewtoautomaticprocessingthere is thepossibility that thesedatacanberelatedtoanidentifiedoridentifiableindividual’95andthusbepersonaldata.Whatdoesitmeantoclassifybiometricdataaspersonaldata?Tounderstandit,across-referencetothedefinitionofpersonaldataisnecessary.IntheresolutionsadoptedbytheEPandthepoliticalagreementoftheCouncilontheGeneralDataProtectionRegulation,personaldataisdefinedas‘anyinformationrelatingtoanidentifiedoridentifiableperson(…) (underline added); an identifiable person is one who can be identified, directly orindirectly, in particular by reference to an identifier such as a name, an identificationnumber, location data, unique identifier or to one or more factors specific to physical,physiological, genetic, mental, economic, cultural or social or gender identity of thatperson’.96This definition of personal data is very similar to the definition contained incurrentArticle2(a)of theDataProtectionDirective.97Classifyingbiometricdataamongpersonaldatathereforemeansthatbiometricdatahavetheabilitytoidentifyindividuals.The definition proposed by the European Commission and amended by theEP and theCouncildoesnotreflect thepositionof theArticle29DataProtectionWorkingPartyonthe specificities of ‘biometric data’. In its Opinion on the concept of personal data, theWorkingPartyhascharacterised‘biometricdata’asboth‘contentofinformation’aboutanindividualand‘alinkbetweenonepieceofinformationandtheindividual’.98TheWorkingParty has also introduced a flimsy distinction between ‘biometric data’ and the source

91SeeA29WP,Opinion3/2012(n7)3,makingreferencetoitsWorkingDocumentonbiometrics.92See,forexample,A29WP,OpinionontheTurbineproject(n35).93See,forexample,HaibachReport(n17)para64.94ProgressReport(n16)para50.95ProgressReport(n16)para51.96See respectively amended art 4(2) of the proposed General Data Protection Regulation by the EuropeanParliament(n4)andamendedart4(2)oftheproposedGeneralDataProtectionRegulationasagreedbytheCouncilinJune2015(n5).97Currentart2(a)Directive95/46/ECreadsasfollows:“'personaldata'shallmeananyinformationrelatingto an identified or identifiable natural person ('data subject'); an identifiable person is one who can beidentified, directly or indirectly, in particular by reference to an identification number or to one or morefactorsspecifictohisphysical,physiological,mental,economic,culturalorsocialidentity.”98A29WP,Opinion4/2007(n33)8.

fromwhichtheyareextracted.AccordingtotheWorkingParty,thesourcesthemselves–suchashumantissues–shouldnotbeconsideredas ‘biometricdata’andshouldnotbesubject to data protection rules.99As observed by some authors, this distinction is,however, very questionable since it does not take into account progress of biometrictechnologies thatmight allow in the future thedirect extractionof identifying elementsfromthehumantissuesthemselves.100Butassaid,neithertheEuropeanCommissionnortheEuropeanParliamenthasfollowedthisposition.Regarding the format underwhich biometric data are available (i.e. raw data, capturedimage,orbiometrictemplate),noneofthedefinitionsunderreviewmakesareferencetoit. In its Opinion 4/2007 ontheconceptofpersonaldata, the Article 29 Data ProtectionWorking Party has considered that any format on which personal data are stored orcontained is relevant.101Concerningmore specificallybiometricdata, theWorkingPartyseems to have introduced in itsworkingdocumentonbiometrics a distinction betweenbiometric information ina raw formandbiometric informationcapturedona template.Whilerawbiometricinformationwouldqualifyaspersonaldata,informationcontainedinabiometrictemplatewouldbeconsideredaspersonaldataunless ‘noreasonablemeansc(ould)beusedtoidentifythedatasubject’.102TheWorkingPartyhasaddedtheconditioninafootnotewithoutprovidingfurtherexplanationonitsmeaningoronthecriterionof‘reasonablemeans.’103Intheend,whetherornotbiometrictemplatesarepersonaldata isnotveryrelevanttothedefinitionofbiometricdata.Itismorerelevantfortheassessmentofthelegalregimeof protection applicable to them. But this issue is not covered in the current article. Inaddition,thedefinitionofbiometricdatashouldnotcontainanyreferencetotheexistingformats.Firstofall,referringtospecificformatsinthedefinitionwilllimittheapplicationof the data protection rules to these formats. Second, no one can forecast the state ofscienceinacoupleofyears.Formatsthatarecurrentlyunknownwillbeusedinthefuture.

b. FromBiometricCharacteristicsto‘Datarelatingto’BiometricCharacteristics

Through the different reports, opinions, and legislative proposals, the term ‘biometricdata’hasbeendescribedaseither‘biometriccharacteristic’or‘datarelatingtobiometriccharacteristic’.DefinitionsoftheArticle29DataProtectionWorkingParty,104theEDPS105-byreferencetotheWorkingParty’sworks,andthePACE106areallfocusedonbiometriccharacteristics.

99A29WP,Opinion4/2007(n33)9.100Forfurtherreading,seecriticisminKindt(n15)107,fn71.101A29WP,Opinion4/2007(n33)7.102A29WP,WorkingDocumentonBiometrics(n26),seefn11ofthedocument.103Forfurtherreading,seeanalysismadeinKindt(n15)111-114.104A29WP,Opinion4/2007(n33)8.105See,forexample,A29WP,OpiniononTurbine(n35).

49

2


Without labelling ‘biometric data’ of ‘personal data’, other institutions have, however,acknowledged the nature of ‘biometric data’. This is the case of the Article 29 DataProtectionWorkingParty,whichhasstatedthat‘biometricdataareinmostcasespersonaldata’.91The EDPS has also reproduced the argument of the Working Party in its ownOpinions.92AttheleveloftheCouncilofEurope,thedifferentbodiesinvolvedinbiometricissueshavemade thorough analysis and claimed for aneed to clarify thedefinition and the typeoflegislation covering these data.93Finally, it should be mentioned that the ConsultativeCommittee of Convention 108 has refused to take position on the issue in its ProgressReport of 2005, quoting arguments pro and con the qualification of ‘biometric data’ as‘personaldata’.94Yet,theConsultativeCommitteehasconcludedthat‘assoonasbiometricdataarecollectedwithaviewtoautomaticprocessingthere is thepossibility that thesedatacanberelatedtoanidentifiedoridentifiableindividual’95andthusbepersonaldata.Whatdoesitmeantoclassifybiometricdataaspersonaldata?Tounderstandit,across-referencetothedefinitionofpersonaldataisnecessary.IntheresolutionsadoptedbytheEPandthepoliticalagreementoftheCouncilontheGeneralDataProtectionRegulation,personaldataisdefinedas‘anyinformationrelatingtoanidentifiedoridentifiableperson(…) (underline added); an identifiable person is one who can be identified, directly orindirectly, in particular by reference to an identifier such as a name, an identificationnumber, location data, unique identifier or to one or more factors specific to physical,physiological, genetic, mental, economic, cultural or social or gender identity of thatperson’.96This definition of personal data is very similar to the definition contained incurrentArticle2(a)of theDataProtectionDirective.97Classifyingbiometricdataamongpersonaldatathereforemeansthatbiometricdatahavetheabilitytoidentifyindividuals.The definition proposed by the European Commission and amended by theEP and theCouncildoesnotreflect thepositionof theArticle29DataProtectionWorkingPartyonthe specificities of ‘biometric data’. In its Opinion on the concept of personal data, theWorkingPartyhascharacterised‘biometricdata’asboth‘contentofinformation’aboutanindividualand‘alinkbetweenonepieceofinformationandtheindividual’.98TheWorkingParty has also introduced a flimsy distinction between ‘biometric data’ and the source

91SeeA29WP,Opinion3/2012(n7)3,makingreferencetoitsWorkingDocumentonbiometrics.92See,forexample,A29WP,OpinionontheTurbineproject(n35).93See,forexample,HaibachReport(n17)para64.94ProgressReport(n16)para50.95ProgressReport(n16)para51.96See respectively amended art 4(2) of the proposed General Data Protection Regulation by the EuropeanParliament(n4)andamendedart4(2)oftheproposedGeneralDataProtectionRegulationasagreedbytheCouncilinJune2015(n5).97Currentart2(a)Directive95/46/ECreadsasfollows:“'personaldata'shallmeananyinformationrelatingto an identified or identifiable natural person ('data subject'); an identifiable person is one who can beidentified, directly or indirectly, in particular by reference to an identification number or to one or morefactorsspecifictohisphysical,physiological,mental,economic,culturalorsocialidentity.”98A29WP,Opinion4/2007(n33)8.

fromwhichtheyareextracted.AccordingtotheWorkingParty,thesourcesthemselves–suchashumantissues–shouldnotbeconsideredas ‘biometricdata’andshouldnotbesubject to data protection rules.99As observed by some authors, this distinction is,however, very questionable since it does not take into account progress of biometrictechnologies thatmight allow in the future thedirect extractionof identifying elementsfromthehumantissuesthemselves.100Butassaid,neithertheEuropeanCommissionnortheEuropeanParliamenthasfollowedthisposition.Regarding the format underwhich biometric data are available (i.e. raw data, capturedimage,orbiometrictemplate),noneofthedefinitionsunderreviewmakesareferencetoit. In its Opinion 4/2007 ontheconceptofpersonaldata, the Article 29 Data ProtectionWorking Party has considered that any format on which personal data are stored orcontained is relevant.101Concerningmore specificallybiometricdata, theWorkingPartyseems to have introduced in itsworkingdocumentonbiometrics a distinction betweenbiometric information ina raw formandbiometric informationcapturedona template.Whilerawbiometricinformationwouldqualifyaspersonaldata,informationcontainedinabiometrictemplatewouldbeconsideredaspersonaldataunless ‘noreasonablemeansc(ould)beusedtoidentifythedatasubject’.102TheWorkingPartyhasaddedtheconditioninafootnotewithoutprovidingfurtherexplanationonitsmeaningoronthecriterionof‘reasonablemeans.’103Intheend,whetherornotbiometrictemplatesarepersonaldata isnotveryrelevanttothedefinitionofbiometricdata.Itismorerelevantfortheassessmentofthelegalregimeof protection applicable to them. But this issue is not covered in the current article. Inaddition,thedefinitionofbiometricdatashouldnotcontainanyreferencetotheexistingformats.Firstofall,referringtospecificformatsinthedefinitionwilllimittheapplicationof the data protection rules to these formats. Second, no one can forecast the state ofscienceinacoupleofyears.Formatsthatarecurrentlyunknownwillbeusedinthefuture.

b. FromBiometricCharacteristicsto‘Datarelatingto’BiometricCharacteristics

Through the different reports, opinions, and legislative proposals, the term ‘biometricdata’hasbeendescribedaseither‘biometriccharacteristic’or‘datarelatingtobiometriccharacteristic’.DefinitionsoftheArticle29DataProtectionWorkingParty,104theEDPS105-byreferencetotheWorkingParty’sworks,andthePACE106areallfocusedonbiometriccharacteristics.

99A29WP,Opinion4/2007(n33)9.100Forfurtherreading,seecriticisminKindt(n15)107,fn71.101A29WP,Opinion4/2007(n33)7.102A29WP,WorkingDocumentonBiometrics(n26),seefn11ofthedocument.103Forfurtherreading,seeanalysismadeinKindt(n15)111-114.104A29WP,Opinion4/2007(n33)8.105See,forexample,A29WP,OpiniononTurbine(n35).

50

Chapter 2

Examplesof thesedataareconstitutedby ‘fingerprints, retinalpatterns, facialstructure,voices, but also hand geometry, vein patterns or even some deeply ingrained skills orother behavioural characteristic (such as handwritten signature, keystrokes, particularway to walk or to speak)’.107These ‘typical’ examples provided by the Working Partycontrast with the list of examples provided in the Haibach report. The report containsexamples of representations (such as images, pictures, or recording) of biometriccharacteristics and not examples of biometric characteristics themselves.108One couldarguethatbiometricdata,asunderstoodandillustratedintheHaibachreport,are ‘data’aboutbiometriccharacteristicsandnotbiometriccharacteristicsthemselves.TheEuropeanCommission,theEPandtheCouncilintheirrespectivevoteandagreementontheGDPR,andtheCouncilofEuropehaveallunderstood‘biometricdata’as‘[personal]data relating to’ biometric characteristics. The use of the preposition ‘relating to’ raisessomeissuesastothescopeofthedefinitions:Dobiometriccharacteristicsalsofallwithinscope of the definition? Or should only data about biometric characteristics (such asimages,recording,oralgorithmsofbiometriccharacteristics) fallwithinthatscope?TheanswertothequestionsisnoteasyasnoneofthepreparatorydocumentsoftheEuropeanCommission,theEP,ortheConsultativeCommitteeinchargeofrevisingConvention108providesclarityontheseissues.109TheonlyhintthattheEuropeanCommissionprovidesis contained in thedefinitionof ‘biometricdata’. In theproposalsof theDataProtectionReform Package, the European Commission illustrates the definition of ‘biometric data’with the examples of ‘facial images and dactyloscopic data’.110Dactyloscopic data havebeenelsewheredefinedas‘fingerprintimages,imagesoffingerprintlatents,palmprints,palm print latents and templates of such images’.111The examples only relate torepresentationsofbiometriccharacteristics.Asaconsequence,onlythoserepresentationsandnot thebiometriccharacteristics themselveswould logically fallwithin thescopeofbiometricdataandthuspersonaldata.Intheend,itisnotthefingerprintitself–definedas‘theuniquepatternsthatexistontheundersideofeveryhumanfinger’-buttheimageofthat fingerprint (also called ‘fingerprinting’ or ‘finger scanning’)112that matters from apersonaldataperspective.

106HaibachReport(n17).107A29WP,Opinion4/2007(n33)8.108Haibach Report (n 17) 6, para 5: ‘fingerprint images, pictures of the iris or the retina, but also voicerecording,individualgaitortypingrhythmduringlogon’.109See,forexample,SEC(2012)72final(n36).CouncilofEurope,ConsultativeCommittee,Draftexplanatoryreport(2013)(n18).110Respectivelyart4(11)oftheproposedGeneralDataProtectionRegulationandart3(11)oftheproposedDirectiveonlawenforcement(n2andn3).111CouncilDecision2008/616/JHAof23June2008ontheimplementationofDecision2008/615/JHAonthesteppingupofcross-bordercooperation,particularlyincombatingterrorismandcross-bordercrime[2008]OJL210/12,seeart2(i).112SeeYueLiu(n14)39.

c. UniquenessThe legaldefinitionsunder reviewrefer to the ‘uniqueness’ofbiometric characteristics.Before explaining itsmeaning from a scientific point of view, one should note that thedifferent European bodies and institutions have merely stated that biometriccharacteristicsareuniqueorthattheycanbeusedfor‘uniqueidentification’.Butnoneofthemhasexplainedordemonstratedit.Theyhaveallreferredtoitasanestablishedfact.In the biometric literature, it is commonly accepted and asserted that biometriccharacteristics areunique.113Andbecause they areunique, they canbeused for humanrecognition, i.e. to authenticate individuals or identify them. However, many forensicscholars have criticized this assumption.114According to them, it has never beendemonstrated, forexample, that fingerprintsareunique.Thisassumptionmightevenbe‘unprovable’.115Nancy Yue Lui, a legal scholar, takes a different stance in the debate.Accordingtoher,iftheassumptionfollowingwhichbiometriccharacteristicsare‘unique’hasneverbeenproven, ‘thereisnotyetanysolidproofthatthisassumptionisincorrecteither’.116She, therefore, considers that the ‘uniqueness’ of biometric data is relative.Forensic scholars on their side believe that the issue for identification is not so muchwhetherbiometric characteristics areuniquebutwhether theyoriginate from the samesource.IntheDataProtectionReformPackageaswellinthelatestversionofthedraftexplanatoryreport of revision of Convention 108, the emphasis is not put on the uniqueness ofbiometric characteristics but on their function. Biometric characteristics are thereindefinedas‘allow[ing]theuniqueidentificationof[anindividual]’.117PreviouslymentionedintheworksoftheArticle29DataProtectionWorkingParty,118thisfunctionhasnotbeenfurther explained. It has been considered by some that biometric data, due to theiruniqueness,couldbeusedas ‘unique identifiers’andcould linkall informationaboutanindividual.119The author of the article considers the expression ‘unique identification’unfortunate.Itmightconveythewrongimpressionaboutthefunctionsofbiometricdataby reducing their role to the identification of individuals (i.e. the establishment of their

113Seeamongothers,Li(n13).114Forexample,MarkPage,JaneTaylorandMattBlenkin,‘UniquenessintheForensicIdentificationSciences:Factoffiction?’(2011)206ForensicScienceInternational12;DavidKaye,‘QuestioningaCourtroomProofofthe Uniqueness of Fingerprints’ (2003) 71 International Statistical Review 521; Michael Saks, ‘ForensicIdentification:FromaFaith-Based“Science”toaScientificScience’(2010)201ForensicScienceInternational14.115SimonCole,‘IsFingerprintIdentificationValid?RhetoricsofReliabilityinFingerprintProponents?’(2006)28(1)Law&Policy109.116YueLiu(n14)67.117Seeart4(11)oftheproposedGeneralDataProtectionRegulationandart3(11)oftheproposedDirectiveonlawenforcement(n2andn3).CouncilofEurope,ConsultativeCommittee,Draftexplanatoryreport(2013)(n16)para56,13.118A29WP,Workingdocumentonbiometrics(n26),andA29WP,Opinion4/2007(n33).119A29WP,Workingdocumentonbiometrics(n26).DataProtectionandPrivacyCommissioners,‘ResolutionontheUseofBiometricsinPassports,IdentityCardsandTravelDocuments’,27thConference,Montreux,16September2005.<http://www.cnpd.pt/bin/actividade/Outros/biometrie_resolution_e.pdf>accessed20July2015.

51

2


Examplesof thesedataareconstitutedby ‘fingerprints, retinalpatterns, facialstructure,voices, but also hand geometry, vein patterns or even some deeply ingrained skills orother behavioural characteristic (such as handwritten signature, keystrokes, particularway to walk or to speak)’.107These ‘typical’ examples provided by the Working Partycontrast with the list of examples provided in the Haibach report. The report containsexamples of representations (such as images, pictures, or recording) of biometriccharacteristics and not examples of biometric characteristics themselves.108One couldarguethatbiometricdata,asunderstoodandillustratedintheHaibachreport,are ‘data’aboutbiometriccharacteristicsandnotbiometriccharacteristicsthemselves.TheEuropeanCommission,theEPandtheCouncilintheirrespectivevoteandagreementontheGDPR,andtheCouncilofEuropehaveallunderstood‘biometricdata’as‘[personal]data relating to’ biometric characteristics. The use of the preposition ‘relating to’ raisessomeissuesastothescopeofthedefinitions:Dobiometriccharacteristicsalsofallwithinscope of the definition? Or should only data about biometric characteristics (such asimages,recording,oralgorithmsofbiometriccharacteristics) fallwithinthatscope?TheanswertothequestionsisnoteasyasnoneofthepreparatorydocumentsoftheEuropeanCommission,theEP,ortheConsultativeCommitteeinchargeofrevisingConvention108providesclarityontheseissues.109TheonlyhintthattheEuropeanCommissionprovidesis contained in thedefinitionof ‘biometricdata’. In theproposalsof theDataProtectionReform Package, the European Commission illustrates the definition of ‘biometric data’with the examples of ‘facial images and dactyloscopic data’.110Dactyloscopic data havebeenelsewheredefinedas‘fingerprintimages,imagesoffingerprintlatents,palmprints,palm print latents and templates of such images’.111The examples only relate torepresentationsofbiometriccharacteristics.Asaconsequence,onlythoserepresentationsandnot thebiometriccharacteristics themselveswould logically fallwithin thescopeofbiometricdataandthuspersonaldata.Intheend,itisnotthefingerprintitself–definedas‘theuniquepatternsthatexistontheundersideofeveryhumanfinger’-buttheimageofthat fingerprint (also called ‘fingerprinting’ or ‘finger scanning’)112that matters from apersonaldataperspective.

106HaibachReport(n17).107A29WP,Opinion4/2007(n33)8.108Haibach Report (n 17) 6, para 5: ‘fingerprint images, pictures of the iris or the retina, but also voicerecording,individualgaitortypingrhythmduringlogon’.109See,forexample,SEC(2012)72final(n36).CouncilofEurope,ConsultativeCommittee,Draftexplanatoryreport(2013)(n18).110Respectivelyart4(11)oftheproposedGeneralDataProtectionRegulationandart3(11)oftheproposedDirectiveonlawenforcement(n2andn3).111CouncilDecision2008/616/JHAof23June2008ontheimplementationofDecision2008/615/JHAonthesteppingupofcross-bordercooperation,particularlyincombatingterrorismandcross-bordercrime[2008]OJL210/12,seeart2(i).112SeeYueLiu(n14)39.

c. UniquenessThe legaldefinitionsunder reviewrefer to the ‘uniqueness’ofbiometric characteristics.Before explaining itsmeaning from a scientific point of view, one should note that thedifferent European bodies and institutions have merely stated that biometriccharacteristicsareuniqueorthattheycanbeusedfor‘uniqueidentification’.Butnoneofthemhasexplainedordemonstratedit.Theyhaveallreferredtoitasanestablishedfact.In the biometric literature, it is commonly accepted and asserted that biometriccharacteristics areunique.113Andbecause they areunique, they canbeused for humanrecognition, i.e. to authenticate individuals or identify them. However, many forensicscholars have criticized this assumption.114According to them, it has never beendemonstrated, forexample, that fingerprintsareunique.Thisassumptionmightevenbe‘unprovable’.115Nancy Yue Lui, a legal scholar, takes a different stance in the debate.Accordingtoher,iftheassumptionfollowingwhichbiometriccharacteristicsare‘unique’hasneverbeenproven, ‘thereisnotyetanysolidproofthatthisassumptionisincorrecteither’.116She, therefore, considers that the ‘uniqueness’ of biometric data is relative.Forensic scholars on their side believe that the issue for identification is not so muchwhetherbiometric characteristics areuniquebutwhether theyoriginate from the samesource.IntheDataProtectionReformPackageaswellinthelatestversionofthedraftexplanatoryreport of revision of Convention 108, the emphasis is not put on the uniqueness ofbiometric characteristics but on their function. Biometric characteristics are thereindefinedas‘allow[ing]theuniqueidentificationof[anindividual]’.117PreviouslymentionedintheworksoftheArticle29DataProtectionWorkingParty,118thisfunctionhasnotbeenfurther explained. It has been considered by some that biometric data, due to theiruniqueness,couldbeusedas ‘unique identifiers’andcould linkall informationaboutanindividual.119The author of the article considers the expression ‘unique identification’unfortunate.Itmightconveythewrongimpressionaboutthefunctionsofbiometricdataby reducing their role to the identification of individuals (i.e. the establishment of their

113Seeamongothers,Li(n13).114Forexample,MarkPage,JaneTaylorandMattBlenkin,‘UniquenessintheForensicIdentificationSciences:Factoffiction?’(2011)206ForensicScienceInternational12;DavidKaye,‘QuestioningaCourtroomProofofthe Uniqueness of Fingerprints’ (2003) 71 International Statistical Review 521; Michael Saks, ‘ForensicIdentification:FromaFaith-Based“Science”toaScientificScience’(2010)201ForensicScienceInternational14.115SimonCole,‘IsFingerprintIdentificationValid?RhetoricsofReliabilityinFingerprintProponents?’(2006)28(1)Law&Policy109.116YueLiu(n14)67.117Seeart4(11)oftheproposedGeneralDataProtectionRegulationandart3(11)oftheproposedDirectiveonlawenforcement(n2andn3).CouncilofEurope,ConsultativeCommittee,Draftexplanatoryreport(2013)(n16)para56,13.118A29WP,Workingdocumentonbiometrics(n26),andA29WP,Opinion4/2007(n33).119A29WP,Workingdocumentonbiometrics(n26).DataProtectionandPrivacyCommissioners,‘ResolutionontheUseofBiometricsinPassports,IdentityCardsandTravelDocuments’,27thConference,Montreux,16September2005.<http://www.cnpd.pt/bin/actividade/Outros/biometrie_resolution_e.pdf>accessed20July2015.

52

Chapter 2

identity). Besides identification, biometric data are also largely used to authenticateindividuals(i.e.verifytheiridentity).120As a consequence, and because the ‘uniqueness’ of biometric characteristics is notestablished, the legal definition of ‘biometric data’ should not refer to this criterion. Inaddition, if the assumptionwere true,whywould the legal definition only refer to thatcriterion? There are at least seven other criteria used to assess whether biometriccharacteristicsarefitforhumanrecognition.121‘Uniqueness’isonlyoneofthem.From the analysis of the three common criteria, it can be concluded the importance ofidentifyingbiometricdataaspersonaldataandlimitingthescopeoftheirdefinitiontothe‘data relating’ to biometric characteristics. For the reasons explained above, the thirdcriterionrelatingtothequestionable‘uniqueness’ofbiometriccharacteristicsshouldnotbepartofthedefinition.Afterhavingassessedthecriteriacontainedinthedifferentlegaldefinitions,thequestionbecomeswhethercriteriaextractedfromthescientificdefinitionshouldbeusedinthelegaldefinition.

d. LinktotheBiometricProcessingoftheData,MissingCriterion?AsshowninTable4,mostoftheproposedregulatorydefinitionsfortheterm‘biometricdata’donotmentionthetechnicalprocessofextractionofbiometricinformationanditstransformationintoadigitaltemplate.OnlythedefinitionsproposedbytheConsultativeCommitteeofConvention108andbytheCouncilofEUinitspoliticalagreementrefertothe ‘specifictechnicalprocessing’ofbiometricdata.However,noneofthemreferstotheautomaticprocessthatallowsthe identificationof individualsortheverificationoftheiridentity.Some authors consider that the proposed legal definitions fail to take into account, inparticular, the use of ‘automatedmeans’ to process biometric data and the purposes ofbiometric characteristics.Basedon these twomissing elements, ElsKindthasproposedthefollowingnewlegaldefinitiontotheterm‘biometricdata’:‘allpersonaldatawhich(a)relate directly or indirectly to unique or distinctive biological or behaviouralcharacteristicsofhumanbeingsand(b)areusedorfittobeusedbyautomatedmeans(c)for purposes of identification, identity verification or verification of a claim of a livingnaturalperson’.122Herdefinition calls for several comments. First of all, should thedefinitionofbiometricdataspecifythatbiometricdataareprocessedbyautomatedmeans?Thisseemsat leastnot necessary in the context of the revision of Convention 108 as the Convention only

120JamesLWayman, ‘BiometricVerification/Identification/Authentication/Recognition:TheTerminology’ inStanZLi(ed.),EncyclopediaofBiometrics(1stedn,Springer2009),153-157.121Jain,RossandNandakumar(n67),seeuniversality,uniqueness,permanence,measurability,performance,acceptabilityandcircumvention,29-30.122Kindt(n15)149.

appliestoautomaticprocessingofpersonaldata.123Thisprecisionis,however,debatableinthecontextofthecurrentDataProtectionDirectiveasthetextappliestobothautomaticprocessing and paper-based processing of data. 124 The advantage of referring to‘automated means’ is to avoid ambiguity while allowing future technologicaldevelopments. The term is indeed technologically neutral. 125 Second, should thepurpose(s)ofbiometriccharacteristicsbespelledout inthe legaldefinitionofbiometricdata? The way Els Kindt describes the purposes of biometric characteristics is moreaccurate than in the proposals of definitions contained in the Data Protection ReformPackageandintheDraftexplanatoryreportofrevisionofConvention108.Theproposeddefinitions are limited to the purpose of ‘identification’. But should the definition bespecificaboutthepurposesanddescribethem?Bydoingso,thereisariskthatfuturewayof recognising individuals might not be taken into account. Instead, the regulatorydefinition(s)shouldrefertothegenerictermof‘recognition’,whichismeanttocoverbothidentification and verification of individuals.126Adding the purposes of biometric datawouldaccuratelyreflecttheircurrentusesbythedifferentcommunities(i.e.scientific,lawenforcementorforensicones).Finally, it is legitimate to question whether the formats of biometric data (raw data,sample, template)shouldbeadded to thedefinition.Bydoingso, there isa risk to limitbiometricdata to thecurrentlyexisting formats.Asanyreference to the formatsshouldinstead remain technologyneutral, the regulatorydefinitions shouldat thebest refer totheexpression‘biometricdata,whatevertheirform’.Thedefinitionof‘biometricdata’proposedbytheEuropeanCommissionandamendedbytheEPandtheCouncilof theEUdoesnotrefer to the technicalprocessofextractionofinformationanditstransformationintoabiometrictemplate.Neitherdoesitrefertotheautomatic processing that allows the identification or the verification of identity. Thesetechnicalaspectsarecompletelyabsentfromtheproposedlegaldefinition.However, forthe reasons explained above, the legal definition of ‘biometric data’ should remaintechnologically neutral andnotmention any format or the technical processing of data.Finally, itshouldbenotedthatintheabsenceofadoptionoftheDataProtectionReformPackage,127the legaldefinition thatprevails for the timebeingat theEU level is theoneprovided by the Article 29 Working Party. At the level of the Council of Europe, nodefinitionprevailsintheabsenceofauthoritativesources.

123art3,scope,Convention108.124art3,scope,Directive95/46/EC.125JeroenTerstegge,‘Article3Directive95/46/EC’inAlfredBüllesbach,SergeGijrath,YvesPoulletandCorienPrins(eds),ConciseofEuropeanITlaw(2ndedn,KluwerLawInternational2010),42-43.126ISO/IEC2382-37,term37.01.03,entry‘biometricrecognition’,Note3.127ThenegotiationsarecurrentlyattheleveloftheCouncil.

53

2


identity). Besides identification, biometric data are also largely used to authenticateindividuals(i.e.verifytheiridentity).120As a consequence, and because the ‘uniqueness’ of biometric characteristics is notestablished, the legal definition of ‘biometric data’ should not refer to this criterion. Inaddition, if the assumptionwere true,whywould the legal definition only refer to thatcriterion? There are at least seven other criteria used to assess whether biometriccharacteristicsarefitforhumanrecognition.121‘Uniqueness’isonlyoneofthem.From the analysis of the three common criteria, it can be concluded the importance ofidentifyingbiometricdataaspersonaldataandlimitingthescopeoftheirdefinitiontothe‘data relating’ to biometric characteristics. For the reasons explained above, the thirdcriterionrelatingtothequestionable‘uniqueness’ofbiometriccharacteristicsshouldnotbepartofthedefinition.Afterhavingassessedthecriteriacontainedinthedifferentlegaldefinitions,thequestionbecomeswhethercriteriaextractedfromthescientificdefinitionshouldbeusedinthelegaldefinition.

d. LinktotheBiometricProcessingoftheData,MissingCriterion?AsshowninTable4,mostoftheproposedregulatorydefinitionsfortheterm‘biometricdata’donotmentionthetechnicalprocessofextractionofbiometricinformationanditstransformationintoadigitaltemplate.OnlythedefinitionsproposedbytheConsultativeCommitteeofConvention108andbytheCouncilofEUinitspoliticalagreementrefertothe ‘specifictechnicalprocessing’ofbiometricdata.However,noneofthemreferstotheautomaticprocessthatallowsthe identificationof individualsortheverificationoftheiridentity.Some authors consider that the proposed legal definitions fail to take into account, inparticular, the use of ‘automatedmeans’ to process biometric data and the purposes ofbiometric characteristics.Basedon these twomissing elements, ElsKindthasproposedthefollowingnewlegaldefinitiontotheterm‘biometricdata’:‘allpersonaldatawhich(a)relate directly or indirectly to unique or distinctive biological or behaviouralcharacteristicsofhumanbeingsand(b)areusedorfittobeusedbyautomatedmeans(c)for purposes of identification, identity verification or verification of a claim of a livingnaturalperson’.122Herdefinition calls for several comments. First of all, should thedefinitionofbiometricdataspecifythatbiometricdataareprocessedbyautomatedmeans?Thisseemsat leastnot necessary in the context of the revision of Convention 108 as the Convention only

120JamesLWayman, ‘BiometricVerification/Identification/Authentication/Recognition:TheTerminology’ inStanZLi(ed.),EncyclopediaofBiometrics(1stedn,Springer2009),153-157.121Jain,RossandNandakumar(n67),seeuniversality,uniqueness,permanence,measurability,performance,acceptabilityandcircumvention,29-30.122Kindt(n15)149.

appliestoautomaticprocessingofpersonaldata.123Thisprecisionis,however,debatableinthecontextofthecurrentDataProtectionDirectiveasthetextappliestobothautomaticprocessing and paper-based processing of data. 124 The advantage of referring to‘automated means’ is to avoid ambiguity while allowing future technologicaldevelopments. The term is indeed technologically neutral. 125 Second, should thepurpose(s)ofbiometriccharacteristicsbespelledout inthe legaldefinitionofbiometricdata? The way Els Kindt describes the purposes of biometric characteristics is moreaccurate than in the proposals of definitions contained in the Data Protection ReformPackageandintheDraftexplanatoryreportofrevisionofConvention108.Theproposeddefinitions are limited to the purpose of ‘identification’. But should the definition bespecificaboutthepurposesanddescribethem?Bydoingso,thereisariskthatfuturewayof recognising individuals might not be taken into account. Instead, the regulatorydefinition(s)shouldrefertothegenerictermof‘recognition’,whichismeanttocoverbothidentification and verification of individuals.126Adding the purposes of biometric datawouldaccuratelyreflecttheircurrentusesbythedifferentcommunities(i.e.scientific,lawenforcementorforensicones).Finally, it is legitimate to question whether the formats of biometric data (raw data,sample, template)shouldbeadded to thedefinition.Bydoingso, there isa risk to limitbiometricdata to thecurrentlyexisting formats.Asanyreference to the formatsshouldinstead remain technologyneutral, the regulatorydefinitions shouldat thebest refer totheexpression‘biometricdata,whatevertheirform’.Thedefinitionof‘biometricdata’proposedbytheEuropeanCommissionandamendedbytheEPandtheCouncilof theEUdoesnotrefer to the technicalprocessofextractionofinformationanditstransformationintoabiometrictemplate.Neitherdoesitrefertotheautomatic processing that allows the identification or the verification of identity. Thesetechnicalaspectsarecompletelyabsentfromtheproposedlegaldefinition.However, forthe reasons explained above, the legal definition of ‘biometric data’ should remaintechnologically neutral andnotmention any format or the technical processing of data.Finally, itshouldbenotedthatintheabsenceofadoptionoftheDataProtectionReformPackage,127the legaldefinition thatprevails for the timebeingat theEU level is theoneprovided by the Article 29 Working Party. At the level of the Council of Europe, nodefinitionprevailsintheabsenceofauthoritativesources.

123art3,scope,Convention108.124art3,scope,Directive95/46/EC.125JeroenTerstegge,‘Article3Directive95/46/EC’inAlfredBüllesbach,SergeGijrath,YvesPoulletandCorienPrins(eds),ConciseofEuropeanITlaw(2ndedn,KluwerLawInternational2010),42-43.126ISO/IEC2382-37,term37.01.03,entry‘biometricrecognition’,Note3.127ThenegotiationsarecurrentlyattheleveloftheCouncil.

54

Chapter 2

Table 4: Notion of ‘Biometric Data’ as defined by the Legal Community in the DataProtectionandPrivacyContextEuropeanbodies/institutions Definitionsof‘biometricdata’

Article29WorkingPartyandEDPS

Biological properties, physiological characteristics,living traits, or repeatable actions where thosefeatures and/or actions are both unique to thatindividual and measurable, even if the patternsused in practice to technically measure theminvolveacertaindegreeofprobability.(Opinion 4/2007), Definition quoted by the EDPS inOpinionontheTurbineproject(2011)

PACE

Uniquephysicalorbehaviouralcharacteristicsthatdiffer from one human being to another and thatremain,inmostcases,unalteredforlife.(Haibachreport,2011)


Data resulting froma specific technical processingof data concerning the physical, biological, orphysiologicalcharacteristicsofanindividualwhichallowstheuniqueidentificationofthelatter.(DraftexplanatoryreportofthemodernisedversionofConvention108,10July2013)

EuropeanCommissionandEP

Any personal data relating to the physical,physiological, or behavioural characteristics of anindividual which allow their unique identification,suchasfacialimages,ordactyloscopicdata.(Text added by the European Parliament indicated initalic.)(Article 4(11) of the proposed General DataProtectionRegulationandArticle3(11)of theproposedDirective on data protection and law enforcement,2012)(Resolutionsof12March2014ontwoproposalsoftheEuropeanCommission)

European Commission and Council oftheEU

Anypersonaldataresultingfromspecifictechnicalprocessingrelatingtothephysical,physiological,orbehaviouralcharacteristicsofanindividualwhichallowsorconfirmstheuniqueidentificationofthatindividual,suchasfacialimages,ordactyloscopicdata.(Text added by the Council indicated in italic)(Article4(11) of the proposed General Data ProtectionRegulation)(PoliticalAgreement of 15 June2015on theGeneralDataProtectionRegulation)

ConclusionsThisarticlehasapproached twonotions regularlyused in theEuropeandataprotectionfieldwhenaddressingissueslinkedtobiometrictechnologies:theterms‘biometrics’and‘biometric data’. Although often used as synonyms by several European bodies andinstitutions,thetwotermshavedifferentmeanings.Toclarifytheirrespectivemeanings,this article has explored their definitions from a data protection perspective andcompared them with the definitions provided by the biometric community. From thiscomparisonandanalysis,itresultsthatmostoftheEuropeanbodiesandinstitutionsusetheterm‘biometrics’inaveryconfusingway:asasynonymof‘biometricdata’butalsoasasynonymofbiometric technologies.However, itappears that theterm ‘biometrics’hasmainlyatechnicalmeaning.Asaconsequence,whenusedinadataprotectioncontext,thetermshouldrefertoitstechnicalmeaningassetbythebiometriccommunity.Thetextofreference is the current version of the International Standard ISO/IEC 2382-37. In thatdocument,‘biometrics’referstotheautomaticrecognitionofindividuals.The second term, ‘biometric data’ is more complex as it covers two different realities.Fromtheperspectiveofthebiometriccommunity,itcoversthetechnicalprocessthroughwhichthebiometricinformationiscapturedandtransformedintoadigitalformat.Fromtheperspectiveofthedataprotectionandprivacycommunity,thetermisapproachedasatypeofpersonaldatarelatingtobiometriccharacteristicsandlinkedtotheidentificationoridentifiabilityofanindividual.Thelinktoanindividualiswherethescientificandthelegal definitions differ. Fundamental in a data protection and privacy context, that linkbecomes meaningless in the context of the International Standard. However, the legaldefinitionproposedbytheEuropeaninstitutionsfortheterm‘biometricdata’appearstobeincomplete:itdoesnottakeintoaccountthetechnicalprocessingofbiometricdata.Butshould not the legal and the technical definitions remain distinct as they relate to twodifferentcontexts?Ifnot,towhichextentshouldthescientificdefinitionbereflectedinthelegaldefinition?Althoughthearticlehasnotexploredthequestion,itwouldbelogicaltoalsowonderwhether the legal definition should be reflected in the scientific definition.This would open up another way of approaching the notion of ‘biometric data’ andpossibly the relationship between the biometric field and theEuropeandata protectionfield.

55

2


Table 4: Notion of ‘Biometric Data’ as defined by the Legal Community in the DataProtectionandPrivacyContextEuropeanbodies/institutions Definitionsof‘biometricdata’

Article29WorkingPartyandEDPS

Biological properties, physiological characteristics,living traits, or repeatable actions where thosefeatures and/or actions are both unique to thatindividual and measurable, even if the patternsused in practice to technically measure theminvolveacertaindegreeofprobability.(Opinion 4/2007), Definition quoted by the EDPS inOpinionontheTurbineproject(2011)

PACE

Uniquephysicalorbehaviouralcharacteristicsthatdiffer from one human being to another and thatremain,inmostcases,unalteredforlife.(Haibachreport,2011)


Data resulting froma specific technical processingof data concerning the physical, biological, orphysiologicalcharacteristicsofanindividualwhichallowstheuniqueidentificationofthelatter.(DraftexplanatoryreportofthemodernisedversionofConvention108,10July2013)

EuropeanCommissionandEP

Any personal data relating to the physical,physiological, or behavioural characteristics of anindividual which allow their unique identification,suchasfacialimages,ordactyloscopicdata.(Text added by the European Parliament indicated initalic.)(Article 4(11) of the proposed General DataProtectionRegulationandArticle3(11)of theproposedDirective on data protection and law enforcement,2012)(Resolutionsof12March2014ontwoproposalsoftheEuropeanCommission)

European Commission and Council oftheEU

Anypersonaldataresultingfromspecifictechnicalprocessingrelatingtothephysical,physiological,orbehaviouralcharacteristicsofanindividualwhichallowsorconfirmstheuniqueidentificationofthatindividual,suchasfacialimages,ordactyloscopicdata.(Text added by the Council indicated in italic)(Article4(11) of the proposed General Data ProtectionRegulation)(PoliticalAgreement of 15 June2015on theGeneralDataProtectionRegulation)

ConclusionsThisarticlehasapproached twonotions regularlyused in theEuropeandataprotectionfieldwhenaddressingissueslinkedtobiometrictechnologies:theterms‘biometrics’and‘biometric data’. Although often used as synonyms by several European bodies andinstitutions,thetwotermshavedifferentmeanings.Toclarifytheirrespectivemeanings,this article has explored their definitions from a data protection perspective andcompared them with the definitions provided by the biometric community. From thiscomparisonandanalysis,itresultsthatmostoftheEuropeanbodiesandinstitutionsusetheterm‘biometrics’inaveryconfusingway:asasynonymof‘biometricdata’butalsoasasynonymofbiometric technologies.However, itappears that theterm ‘biometrics’hasmainlyatechnicalmeaning.Asaconsequence,whenusedinadataprotectioncontext,thetermshouldrefertoitstechnicalmeaningassetbythebiometriccommunity.Thetextofreference is the current version of the International Standard ISO/IEC 2382-37. In thatdocument,‘biometrics’referstotheautomaticrecognitionofindividuals.The second term, ‘biometric data’ is more complex as it covers two different realities.Fromtheperspectiveofthebiometriccommunity,itcoversthetechnicalprocessthroughwhichthebiometricinformationiscapturedandtransformedintoadigitalformat.Fromtheperspectiveofthedataprotectionandprivacycommunity,thetermisapproachedasatypeofpersonaldatarelatingtobiometriccharacteristicsandlinkedtotheidentificationoridentifiabilityofanindividual.Thelinktoanindividualiswherethescientificandthelegal definitions differ. Fundamental in a data protection and privacy context, that linkbecomes meaningless in the context of the International Standard. However, the legaldefinitionproposedbytheEuropeaninstitutionsfortheterm‘biometricdata’appearstobeincomplete:itdoesnottakeintoaccountthetechnicalprocessingofbiometricdata.Butshould not the legal and the technical definitions remain distinct as they relate to twodifferentcontexts?Ifnot,towhichextentshouldthescientificdefinitionbereflectedinthelegaldefinition?Althoughthearticlehasnotexploredthequestion,itwouldbelogicaltoalsowonderwhether the legal definition should be reflected in the scientific definition.This would open up another way of approaching the notion of ‘biometric data’ andpossibly the relationship between the biometric field and theEuropeandata protectionfield.

Chapter 3Legal Nature of Biometric Data:

From ‘Generic’ Personal Data to Sensitive Data

58

Chapter 3: Legal Nature of Biometric Data: From ‘Generic’ Personal Data toSensitiveData

WhichChangesDoestheNewDataProtectionFrameworkIntroduce?*Abstract:Formanyyears, the statusofbiometricdata fromaEuropeandataprotectionperspectivegenerateda lotofdiscussionsamongEuropeanbodiesandlegalexperts.Finally,after fouryearsoflengthynegotiations,theEuropeaninstitutionshaveadoptedanewdataprotectionframework. For the first time, the concept of biometric data is introduced in a Europeanlegislativetext.Beyondbeingdefined,biometricdataarealsotreatedassensitivedata.Thechangesintroducedbythenewdataprotectionframeworkandtheissuestheyraisewillbeassessedinthisarticle.Inafirstsection,thearticlewillintroducethetopicandclarifysometerminological aspects. In a second section, itwill summarise the slow introduction of thenotionof ‘biometricdata’intotheEuropeandataprotectionlandscapebeforetheadoptionof the Data Protection Reform Package. The next section will deconstruct the concept ofbiometricdatawith thehelpof thedefinitionofpersonaldata. Itwill thenargue that thethreshold of identification required for biometric data is higher than the one required for‘generic’personaldata.Inafourthsection,thearticlewillassessthe‘sensitivedata’regimethat is applicable tobiometricdata. Itwill alsoquestion the elementof the context of theprocessing,whichhasbeenaddedastheconditionthattriggerstheextraprotectiongrantedto sensitive data. The last section will conclude on the changes introduced by the newprovisions.

IntroductionPayment processing companies, such as MasterCard, are working on developingtechnologies that use facial images and fingerprints to replace passwords in paymenttransactions.1Other payment companies seem to be working on yet more futuristicpasswords,basedonedibleandembeddablebiometrictechnologies.InApril2015,oneof

*ArticlepublishedintheEuropeanDataProtectionLawreview(EDPL),volume2, issue3,September2016,pages297-311;theauthorwishestothankProf JeanneMifsudBonniciandProfLaurenceGormleyfortheircomments inanearlierdraft, thepeer reviewers for theirveryvaluable reviewswhichhelped improve thequalityof thearticleandChristinaAngelopoulos forher careful readingandediting suggestions.Theviewsexpressedinthisarticlearesolelythoseoftheauthor.Allremainingerrorsaretheauthor’ssoleresponsibility.This research was partly carried out under the European Union’s Seventh Framework Programme forresearch,technologicaldevelopmentanddemonstrationinthecontextoftheINGRESSproject(www.ingress-project.eu)undergrantagreementno312792.1AlannaPetroff,‘MasterCardlaunchingselfiepayments’CNN(22February2016)<http://money.cnn.com/2016/02/22/technology/mastercard-selfie-pay-fingerprint-payments/>accessed30May2016.

theexecutivesofPayPalexplainedthatsuchtechnologieswereunderdevelopment.2InaninterviewtotheWallStreetJournal,hementionedashift inidentificationmethodsfromthe ‘external body methods like fingerprints, towards internal body functions likeheartbeatandveinrecognition,whereembeddedandingestibledeviceswillallow‘naturalbodyidentification’.3Whilethecompanyatstakedenieddevelopingsuchtechnologiesanddissociated itself fromthepositionof itsemployee, thisexamplenevertheless illustratesthe growing and widespread use of biometric data by private parties. Against thisbackgroundandtrends,theestablishmentofalegaldefinitionandstatusofbiometricdatainthenewEUdataprotectionframeworkiswelcome.Theconceptofbiometricdata isabsent fromtheEuropeanfoundingtexts inthefieldofpersonal data protection, i.e. Convention 1084and theData ProtectionDirective.5At thetimeoftheirrespectiveadoption,theimpactofbiometrictechnologiesondataprotectionruleswasnotwidelydiscussed.Theissuebecameahottopicintheearly2000s.In2003,theArticle29DataProtectionWorkingParty(theA29WP)6issuedaWorkingDocumentonbiometrics, in which it addressed the application of data protection rules to biometricsystems.7Lateron,itpursueditsanalysisinOpinion3/3012ondevelopmentsinbiometrictechnologies.8Inparallel, theEuropeanDataProtectionSupervisor(theEDPS)9discussedthelegalstatusofbiometricdatafromadataprotectionperspectiveinthecontextofthePassport Regulation (Council Regulation 2252/2004)10and also of border controlinstruments(inrelation to theestablishmentof large-scalebiometricdatabases, suchasEURODAC,VISorSIS).11

2Jonathan LeBlanc, ‘Kill All Passwords’ (2015)<http://www.slideshare.net/jcleblanc/kill-all-passwords>accessed30May2016.3AmirMizroch,‘PayPalwantsyoutoinjectyourusernameandeatyourpassword’TheWallStreetJournal(17April2015)<http://money.cnn.com/2016/02/22/technology/mastercard-selfie-pay-fingerprint-payments/>accessed30May2016.4ConventionfortheProtectionofIndividualswithregardtoAutomaticProcessingofPersonalData,ETS,No.108,28January1981,Strasbourg(Convention108).5EuropeanParliamentandCouncilDirective95/46/ECof24October1995on theprotectionof individualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata,OJL281/23(Directive95/46/ECorDataProtectionDirective).6TheArticle29DataProtectionWorkingPartyisanindependentadvisorybodytotheEuropeanCommissionon data protection matters, composed of representatives of national data protection authorities, of theEuropeaninstitutions,andoftheEuropeanCommission<http://ec.europa.eu/justice/data-protection/article-29/index_en.htm>accessed30May2016.7A29WP,‘WorkingDocumentonBiometrics’[2003]WP80.8A29WP,‘Opinion3/2012onDevelopmentsinBiometricTechnologies’[2012]WP193.9Independentsupervisoryauthority,whichmonitors theprocessingofpersonaldataby theEU institutionsandbodies,andadvisesonpoliciesandlegislativeinstrumentsthatimpactdataprotection<https://secure.edps.europa.eu/EDPSWEB/edps/cache/offonce/EDPS/Membersmission>accessed30May2016.10Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features andbiometricsinpassportsandtraveldocumentsissuedbyMemberStates[2004]OJL385(PassportRegulationor Regulation No.2252/2004); see EDPS, ‘Opinion on the proposal to amend Council Regulation No2252/2004’[2008]OJC200/1.11EURODAC is the EUROpean DACtyloscopic database, established in 2000 for the comparison of thefingerprintsofasylumseekers;theVisaInformationSystemallowstheMemberStatesoftheSchengenareatoexchangevisadata(suchasfingerprints)since2004andtheSchengenInformationSystem(SIS)wassetuptosupporttheexchangeofinformation.

59

3

Legal Nature of Biometric Data: From ‘Generic’ Personal Data to Sensitive Data

Chapter 3: Legal Nature of Biometric Data: From ‘Generic’ Personal Data toSensitiveData

WhichChangesDoestheNewDataProtectionFrameworkIntroduce?*Abstract:Formanyyears, the statusofbiometricdata fromaEuropeandataprotectionperspectivegenerateda lotofdiscussionsamongEuropeanbodiesandlegalexperts.Finally,after fouryearsoflengthynegotiations,theEuropeaninstitutionshaveadoptedanewdataprotectionframework. For the first time, the concept of biometric data is introduced in a Europeanlegislativetext.Beyondbeingdefined,biometricdataarealsotreatedassensitivedata.Thechangesintroducedbythenewdataprotectionframeworkandtheissuestheyraisewillbeassessedinthisarticle.Inafirstsection,thearticlewillintroducethetopicandclarifysometerminological aspects. In a second section, itwill summarise the slow introduction of thenotionof ‘biometricdata’intotheEuropeandataprotectionlandscapebeforetheadoptionof the Data Protection Reform Package. The next section will deconstruct the concept ofbiometricdatawith thehelpof thedefinitionofpersonaldata. Itwill thenargue that thethreshold of identification required for biometric data is higher than the one required for‘generic’personaldata.Inafourthsection,thearticlewillassessthe‘sensitivedata’regimethat is applicable tobiometricdata. Itwill alsoquestion the elementof the context of theprocessing,whichhasbeenaddedastheconditionthattriggerstheextraprotectiongrantedto sensitive data. The last section will conclude on the changes introduced by the newprovisions.

IntroductionPayment processing companies, such as MasterCard, are working on developingtechnologies that use facial images and fingerprints to replace passwords in paymenttransactions.1Other payment companies seem to be working on yet more futuristicpasswords,basedonedibleandembeddablebiometrictechnologies.InApril2015,oneof

*ArticlepublishedintheEuropeanDataProtectionLawreview(EDPL),volume2, issue3,September2016,pages297-311;theauthorwishestothankProf JeanneMifsudBonniciandProfLaurenceGormleyfortheircomments inanearlierdraft, thepeer reviewers for theirveryvaluable reviewswhichhelped improve thequalityof thearticleandChristinaAngelopoulos forher careful readingandediting suggestions.Theviewsexpressedinthisarticlearesolelythoseoftheauthor.Allremainingerrorsaretheauthor’ssoleresponsibility.This research was partly carried out under the European Union’s Seventh Framework Programme forresearch,technologicaldevelopmentanddemonstrationinthecontextoftheINGRESSproject(www.ingress-project.eu)undergrantagreementno312792.1AlannaPetroff,‘MasterCardlaunchingselfiepayments’CNN(22February2016)<http://money.cnn.com/2016/02/22/technology/mastercard-selfie-pay-fingerprint-payments/>accessed30May2016.

theexecutivesofPayPalexplainedthatsuchtechnologieswereunderdevelopment.2InaninterviewtotheWallStreetJournal,hementionedashift inidentificationmethodsfromthe ‘external body methods like fingerprints, towards internal body functions likeheartbeatandveinrecognition,whereembeddedandingestibledeviceswillallow‘naturalbodyidentification’.3Whilethecompanyatstakedenieddevelopingsuchtechnologiesanddissociated itself fromthepositionof itsemployee, thisexamplenevertheless illustratesthe growing and widespread use of biometric data by private parties. Against thisbackgroundandtrends,theestablishmentofalegaldefinitionandstatusofbiometricdatainthenewEUdataprotectionframeworkiswelcome.Theconceptofbiometricdata isabsent fromtheEuropeanfoundingtexts inthefieldofpersonal data protection, i.e. Convention 1084and theData ProtectionDirective.5At thetimeoftheirrespectiveadoption,theimpactofbiometrictechnologiesondataprotectionruleswasnotwidelydiscussed.Theissuebecameahottopicintheearly2000s.In2003,theArticle29DataProtectionWorkingParty(theA29WP)6issuedaWorkingDocumentonbiometrics, in which it addressed the application of data protection rules to biometricsystems.7Lateron,itpursueditsanalysisinOpinion3/3012ondevelopmentsinbiometrictechnologies.8Inparallel, theEuropeanDataProtectionSupervisor(theEDPS)9discussedthelegalstatusofbiometricdatafromadataprotectionperspectiveinthecontextofthePassport Regulation (Council Regulation 2252/2004)10and also of border controlinstruments(inrelation to theestablishmentof large-scalebiometricdatabases, suchasEURODAC,VISorSIS).11

2Jonathan LeBlanc, ‘Kill All Passwords’ (2015)<http://www.slideshare.net/jcleblanc/kill-all-passwords>accessed30May2016.3AmirMizroch,‘PayPalwantsyoutoinjectyourusernameandeatyourpassword’TheWallStreetJournal(17April2015)<http://money.cnn.com/2016/02/22/technology/mastercard-selfie-pay-fingerprint-payments/>accessed30May2016.4ConventionfortheProtectionofIndividualswithregardtoAutomaticProcessingofPersonalData,ETS,No.108,28January1981,Strasbourg(Convention108).5EuropeanParliamentandCouncilDirective95/46/ECof24October1995on theprotectionof individualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata,OJL281/23(Directive95/46/ECorDataProtectionDirective).6TheArticle29DataProtectionWorkingPartyisanindependentadvisorybodytotheEuropeanCommissionon data protection matters, composed of representatives of national data protection authorities, of theEuropeaninstitutions,andoftheEuropeanCommission<http://ec.europa.eu/justice/data-protection/article-29/index_en.htm>accessed30May2016.7A29WP,‘WorkingDocumentonBiometrics’[2003]WP80.8A29WP,‘Opinion3/2012onDevelopmentsinBiometricTechnologies’[2012]WP193.9Independentsupervisoryauthority,whichmonitors theprocessingofpersonaldataby theEU institutionsandbodies,andadvisesonpoliciesandlegislativeinstrumentsthatimpactdataprotection<https://secure.edps.europa.eu/EDPSWEB/edps/cache/offonce/EDPS/Membersmission>accessed30May2016.10Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features andbiometricsinpassportsandtraveldocumentsissuedbyMemberStates[2004]OJL385(PassportRegulationor Regulation No.2252/2004); see EDPS, ‘Opinion on the proposal to amend Council Regulation No2252/2004’[2008]OJC200/1.11EURODAC is the EUROpean DACtyloscopic database, established in 2000 for the comparison of thefingerprintsofasylumseekers;theVisaInformationSystemallowstheMemberStatesoftheSchengenareatoexchangevisadata(suchasfingerprints)since2004andtheSchengenInformationSystem(SIS)wassetuptosupporttheexchangeofinformation.

60

Chapter 3

The entry into force of the Lisbon Treaty, in 2009, abolished the pillar structure12andchangedthewaydataprotectionisapproachedatEUlevel.PriortothatTreaty,duetothepillarstructure,apatchworkofinstrumentsregulatedtheprocessingofpersonaldataindifferent sectors.Themain instrumentondataprotection for internalmarket activities,fallingunderthe‘firstpillar’,wastheDataProtectionDirective(Directive95/46/EC).13In‘thethirdpillar’areaofpoliceandjudicialcooperation, theCouncilFrameworkDecision2008/977/JHAon theprotectionofpersonaldataprocessed in the frameworkofpoliceandjudicialcooperationincriminalmatterswasthemaininstrumentondataprotection.14Many sector-based regimes complemented these two instruments.15With the entry intoforceof theLisbonTreaty, theCharterofFundamentalRightsbecamebinding, grantingthe status of fundamental right to the right to theprotectionof personal data, as set inArticle 8 of the Charter. In addition, the Treaty of Lisbon introduced a new legal basis,Article 16 of the Treaty on the Functioning of the European Union. That Article givesgeneralcompetencetotheEUinstitutionstolegislateondataprotectionmattersacrossallsectors. Between 2009 and 2011, the European Commission launched two publicconsultationson the futureofdataprotectionregime.16Amongthe issuesdiscussedwastheintroductionoftheconceptofbiometricdatawithinthedataprotectionframework.InJanuary 2012, the European Commission proposed a comprehensive data protectionframework, the Data Protection Reform Package, regulating all sectors including policeand judicial cooperation in criminal matters. The Data Protection Reform Package iscomposedofaproposalforaGeneralDataProtectionRegulation(knownastheGDPRandreplacingtheDataProtectionDirective)17andaproposalforaDirectiveondataprotectionrulesapplicabletolawenforcementactivities(replacingtheCouncilFrameworkDecision2008/977/JHA).18After four years of intensive and lengthy discussions, the new Data

12Between1993and2009,theEUwascomposedofthreepillars:thethreecommunitiesweregatheredunderthefirstpillar,CommonForeign&SecurityPolicyunderthesecondpillar,andPoliceandJudicialCooperationunderthethirdpillar.13Directive95/46/EC(n5).14CouncilFrameworkDecision2008/977/JHAontheprotectionofpersonaldataprocessedintheframeworkof police and judicial cooperation in criminal matters [2008] OJ L350/60 (Council Framework Decision2008/977/JHA).15egCouncilRegulation(EC)No2725/2000of11December2000concerningtheestablishmentof‘Eurodac’for the comparison of fingerprints for the effective application of theDublin Convention [2000]OJ L316/1(repealed by European Parliament and Council Regulation (EU) No 603/2013 of 26 June 2013); CouncilDecisionof8 June2004establishing theVisa InformationSystem(VIS) [2004]OJL213/5;CouncilDecision2007/533/JHAof12June2007ontheestablishment,operationanduseof thesecondgenerationSchengenInformationSystem(SISII)[2007]OJL205/63.16TheEuropeanCommissionlaunchedtwopublicconsultations.Thefirstone,in2009,concernedthefuturelegal framework for the fundamental right to protection of personal data in the European Union. Thisconsultation resulted into a Communication by the European Commission, ‘A comprehensive approach onpersonaldataprotectionintheEuropeanUnion,publishedon4November2010(COM(2010)609final)).TheEuropeanCommissionconsultedasecondtimestakeholdersontheproposalsmadeintheCommunication.<http://ec.europa.eu/justice/newsroom/data-protection/opinion/090501_en.htm>accessed30May2016.17European Commission, Proposal for a Regulation of the European Parliament and of the Council on theprotectionofindividualswithregardtotheprocessingofpersonaldataandofthefreemovementofsuchdata(GeneralDataProtectionRegulation),COM(2012)11final[2012]<https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012PC0011&from=EN>accessed30May2016.18European Commission, Proposal for a Directive of the European Parliament and of the competentauthoritiesforthepurposesofprevention,investigation,detectionorprosecutionofcriminaloffencesorthe

Protection frameworkwas officially adopted in April 2016.19In both the GDPR and theDirectiveonlawenforcement,20theconceptofbiometricdataisdefinedandaddedtothelistofsensitivedata.This article will address the legal status of biometric data from an EU data protectionperspectiveandassesstheimpactoftheadoptionoftheDataProtectionReformrulesontheirstatus. Itwill reviewtheprovisionscontained in theDataProtectionDirectiveandcomparethemwiththoseoftheGDPR.TheprovisionsoftheDataProtectionDirectivewillremainapplicableuntiltheentryintoforceoftheDataProtectionReformPackage.21Thearticleprimarily focusesontheprovisionsof theGDPR.However,referencesto thenewdataprotectionframeworkasawholemightalsobemade.ReferencestoConvention108anditsdraftrevisionwillalsobemadeasapointofcomparison,inparticularinrelationtothequalificationofbiometricdataassensitivedata.22Thearticlebuildsonexistinglegal literaturepertainingtothestatusandqualificationofbiometric data from a data protection perspective. It will analyse, among others, thecontributions by Prins, Grijpink, Yue Liu andKindt.23Since the topic is highly technical,references to thescientific literatureandterminologyused in thebiometric fieldwillbemade. Inparticular, thedefinitionsadopted intheInternationalStandardISO/IEC2382-37:2012onaHarmonizedBiometricVocabularywillbementioned.24Itshouldbenotedthat, even though the process of standardization is not complete yet, the InternationalStandardcanneverthelessbeusedasareference.Ithasalreadybeenquoted,inparticular,by the Italian Data Protection Authority (Il Garante) in its Guidelines on Biometric

executionofcriminalpenalties,andthefreemovementofsuchdata,COM(2012)10final;thenewDirectivedoesnothaveanyofficialacronymandisreferredtoas‘theDirectiveonlawenforcement’inthisarticle.19Adoptionof theGeneralDataProtectionRegulationandof theDirectiveon lawenforcementon14April2016 <http://www.europarl.europa.eu/news/en/news-room/20160407IPR21776/Data-protection-reform-Parliament-approves-new-rules-fit-for-the-digital-era>accessed30May2016.20European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016 on the protection ofindividualswithregardtotheprocessingofpersonaldataandofthefreemovementofsuchdataandrepealingDirective95/46/EC(GeneralDataProtectionRegulation)[2016]OJL119/1;EuropeanParliamentandCouncilDirective(EU)2016/680of27April2016,ontheprotectionofnaturalpersonswithregardtotheprocessingof personal data by competent authorities for the purposes of the prevention, investigation, detection orprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andonthefreemovementofsuchdata,andrepealingCouncilFrameworkDecision2008/977/JHA[2016]OJL119/89(Directive2016/680).21TheRegulationwillapplyfrom25May2018whileMemberStatesshouldhavetransposedintonationallawtheprovisionsoftheDirectiveby6May2018;seeArt99GDPRandArt63Directive2016/680.22Convention 108 (n 4); Draft Explanatory Report to themodernised version of Convention 108, workingdocumentof2June2016<http://www.coe.int/t/dghl/standardsetting/dataprotection/CAHDATA/Draft%20Explanatory%20report_En.pdf>accessed30May2016.23See Corien Prins, ‘Biometric Technology Law, Making Our Body Identify for us: Legal Implications ofBiometricTechnologies’(1998)14(3)ComputerLawandSecurityReport159,163;JanGrijpink,‘PrivacyLaw:Biometrics andPrivacy’ (2001)17(3)ComputerLaw&SecurityReview154,156-157;YueLiu, ‘IdentifyingLegal Concerns in the Biometric Context’ (2008) 3(1) Journal of International Commercial Law andTechnology 45; Els Kindt, PrivacyandDataProtection IssuesofBiometricApplications,AComparativeLegalAnalysis(Springer2013).24 ISO/IEC 2382-37: 2012 (E)—Information Technology—Vocabulary—Part 37: Biometrics<http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=55194> accessed 30May2016.

61

3


The entry into force of the Lisbon Treaty, in 2009, abolished the pillar structure12andchangedthewaydataprotectionisapproachedatEUlevel.PriortothatTreaty,duetothepillarstructure,apatchworkofinstrumentsregulatedtheprocessingofpersonaldataindifferent sectors.Themain instrumentondataprotection for internalmarket activities,fallingunderthe‘firstpillar’,wastheDataProtectionDirective(Directive95/46/EC).13In‘thethirdpillar’areaofpoliceandjudicialcooperation, theCouncilFrameworkDecision2008/977/JHAon theprotectionofpersonaldataprocessed in the frameworkofpoliceandjudicialcooperationincriminalmatterswasthemaininstrumentondataprotection.14Many sector-based regimes complemented these two instruments.15With the entry intoforceof theLisbonTreaty, theCharterofFundamentalRightsbecamebinding, grantingthe status of fundamental right to the right to theprotectionof personal data, as set inArticle 8 of the Charter. In addition, the Treaty of Lisbon introduced a new legal basis,Article 16 of the Treaty on the Functioning of the European Union. That Article givesgeneralcompetencetotheEUinstitutionstolegislateondataprotectionmattersacrossallsectors. Between 2009 and 2011, the European Commission launched two publicconsultationson the futureofdataprotectionregime.16Amongthe issuesdiscussedwastheintroductionoftheconceptofbiometricdatawithinthedataprotectionframework.InJanuary 2012, the European Commission proposed a comprehensive data protectionframework, the Data Protection Reform Package, regulating all sectors including policeand judicial cooperation in criminal matters. The Data Protection Reform Package iscomposedofaproposalforaGeneralDataProtectionRegulation(knownastheGDPRandreplacingtheDataProtectionDirective)17andaproposalforaDirectiveondataprotectionrulesapplicabletolawenforcementactivities(replacingtheCouncilFrameworkDecision2008/977/JHA).18After four years of intensive and lengthy discussions, the new Data

12Between1993and2009,theEUwascomposedofthreepillars:thethreecommunitiesweregatheredunderthefirstpillar,CommonForeign&SecurityPolicyunderthesecondpillar,andPoliceandJudicialCooperationunderthethirdpillar.13Directive95/46/EC(n5).14CouncilFrameworkDecision2008/977/JHAontheprotectionofpersonaldataprocessedintheframeworkof police and judicial cooperation in criminal matters [2008] OJ L350/60 (Council Framework Decision2008/977/JHA).15egCouncilRegulation(EC)No2725/2000of11December2000concerningtheestablishmentof‘Eurodac’for the comparison of fingerprints for the effective application of theDublin Convention [2000]OJ L316/1(repealed by European Parliament and Council Regulation (EU) No 603/2013 of 26 June 2013); CouncilDecisionof8 June2004establishing theVisa InformationSystem(VIS) [2004]OJL213/5;CouncilDecision2007/533/JHAof12June2007ontheestablishment,operationanduseof thesecondgenerationSchengenInformationSystem(SISII)[2007]OJL205/63.16TheEuropeanCommissionlaunchedtwopublicconsultations.Thefirstone,in2009,concernedthefuturelegal framework for the fundamental right to protection of personal data in the European Union. Thisconsultation resulted into a Communication by the European Commission, ‘A comprehensive approach onpersonaldataprotectionintheEuropeanUnion,publishedon4November2010(COM(2010)609final)).TheEuropeanCommissionconsultedasecondtimestakeholdersontheproposalsmadeintheCommunication.<http://ec.europa.eu/justice/newsroom/data-protection/opinion/090501_en.htm>accessed30May2016.17European Commission, Proposal for a Regulation of the European Parliament and of the Council on theprotectionofindividualswithregardtotheprocessingofpersonaldataandofthefreemovementofsuchdata(GeneralDataProtectionRegulation),COM(2012)11final[2012]<https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012PC0011&from=EN>accessed30May2016.18European Commission, Proposal for a Directive of the European Parliament and of the competentauthoritiesforthepurposesofprevention,investigation,detectionorprosecutionofcriminaloffencesorthe

Protection frameworkwas officially adopted in April 2016.19In both the GDPR and theDirectiveonlawenforcement,20theconceptofbiometricdataisdefinedandaddedtothelistofsensitivedata.This article will address the legal status of biometric data from an EU data protectionperspectiveandassesstheimpactoftheadoptionoftheDataProtectionReformrulesontheirstatus. Itwill reviewtheprovisionscontained in theDataProtectionDirectiveandcomparethemwiththoseoftheGDPR.TheprovisionsoftheDataProtectionDirectivewillremainapplicableuntiltheentryintoforceoftheDataProtectionReformPackage.21Thearticleprimarily focusesontheprovisionsof theGDPR.However,referencesto thenewdataprotectionframeworkasawholemightalsobemade.ReferencestoConvention108anditsdraftrevisionwillalsobemadeasapointofcomparison,inparticularinrelationtothequalificationofbiometricdataassensitivedata.22Thearticlebuildsonexistinglegal literaturepertainingtothestatusandqualificationofbiometric data from a data protection perspective. It will analyse, among others, thecontributions by Prins, Grijpink, Yue Liu andKindt.23Since the topic is highly technical,references to thescientific literatureandterminologyused in thebiometric fieldwillbemade. Inparticular, thedefinitionsadopted intheInternationalStandardISO/IEC2382-37:2012onaHarmonizedBiometricVocabularywillbementioned.24Itshouldbenotedthat, even though the process of standardization is not complete yet, the InternationalStandardcanneverthelessbeusedasareference.Ithasalreadybeenquoted,inparticular,by the Italian Data Protection Authority (Il Garante) in its Guidelines on Biometric

executionofcriminalpenalties,andthefreemovementofsuchdata,COM(2012)10final;thenewDirectivedoesnothaveanyofficialacronymandisreferredtoas‘theDirectiveonlawenforcement’inthisarticle.19Adoptionof theGeneralDataProtectionRegulationandof theDirectiveon lawenforcementon14April2016 <http://www.europarl.europa.eu/news/en/news-room/20160407IPR21776/Data-protection-reform-Parliament-approves-new-rules-fit-for-the-digital-era>accessed30May2016.20European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016 on the protection ofindividualswithregardtotheprocessingofpersonaldataandofthefreemovementofsuchdataandrepealingDirective95/46/EC(GeneralDataProtectionRegulation)[2016]OJL119/1;EuropeanParliamentandCouncilDirective(EU)2016/680of27April2016,ontheprotectionofnaturalpersonswithregardtotheprocessingof personal data by competent authorities for the purposes of the prevention, investigation, detection orprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andonthefreemovementofsuchdata,andrepealingCouncilFrameworkDecision2008/977/JHA[2016]OJL119/89(Directive2016/680).21TheRegulationwillapplyfrom25May2018whileMemberStatesshouldhavetransposedintonationallawtheprovisionsoftheDirectiveby6May2018;seeArt99GDPRandArt63Directive2016/680.22Convention 108 (n 4); Draft Explanatory Report to themodernised version of Convention 108, workingdocumentof2June2016<http://www.coe.int/t/dghl/standardsetting/dataprotection/CAHDATA/Draft%20Explanatory%20report_En.pdf>accessed30May2016.23See Corien Prins, ‘Biometric Technology Law, Making Our Body Identify for us: Legal Implications ofBiometricTechnologies’(1998)14(3)ComputerLawandSecurityReport159,163;JanGrijpink,‘PrivacyLaw:Biometrics andPrivacy’ (2001)17(3)ComputerLaw&SecurityReview154,156-157;YueLiu, ‘IdentifyingLegal Concerns in the Biometric Context’ (2008) 3(1) Journal of International Commercial Law andTechnology 45; Els Kindt, PrivacyandDataProtection IssuesofBiometricApplications,AComparativeLegalAnalysis(Springer2013).24 ISO/IEC 2382-37: 2012 (E)—Information Technology—Vocabulary—Part 37: Biometrics<http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=55194> accessed 30May2016.

62

Chapter 3

Recognition and Graphometric Signature. 25 Biometric characteristics from whichbiometricdataareextractedarephysicalorbehaviouralattributes.Theseattributes(suchas face, fingerprints, voice or gait) show some distinctive and repeatable features (i.e.patterns)thatcanbemeasuredandcomparedsoastorecogniseanindividual.Biometricrecognitionisthegeneraltermusedtocoverthefunctionsofabiometricsystembasedonbiometricdata.Thesefunctionscanbesplitbetween‘biometricidentification’,wheretheidentity of an unknown individual is (or is not) established, and ‘identity verification’,where that individual’s identity does not need to be established, but only verified. Toperformbiometricrecognition,biometriccharacteristicsaretransformedintodataunderdifferent formats: a sample (such as the image of a fingerprint, a facial image) and atemplate(areduced formof thesample translated intocodes,numbers).26Thetechnicaltermsarefurtherexplainedinthebodyofthearticle.Althoughthisarticlereliesonscientific literatureandterminology, it isnotwrittenbyascientificexpertanditwillnotassessthequalityofthescientificpaperstowhichitrefers.Thearticleusesthemasdescriptiveelements.The article is structured as follows. The next section, Section II, describes the slowintroductionof thenotionofbiometricdata in thedataprotection fieldat theEuropeanlevelbeforetheadoptionoftheDataProtectionReformPackage.SectionIIIdeconstructstheconceptofbiometricdataasdefined in theGDPR.To thisend, thesectiondescribeseachcomponentofthedefinitionandassessesinparticulartheroleplayedbythefunctionofidentification.Onthisissue,thearticledistinguishesthemeaningofidentificationfromadataprotectionperspectivefromthatfromabiometricrecognitionperspective.SectionIV is dedicated to the status of biometric data as sensitive data. It also discusses therelevanceofthepurposeofprocessingasaconditionforapplyingtheregimeofsensitivedatatobiometricdata.ThelastsectionconcludesonthechangesthattheGDPRintroducesforthelegalqualificationandstatusofbiometricdatafromadataprotectionperspectiveatEUlevel,aswellasontheremaininguncertainties.

TheSlowIntroductionoftheNotionofBiometricDataintheEUDataProtectionField

This section retraces the progressive recognition of biometric data as a category ofpersonaldataatEUlevelpriortotheadoptionoftheDataProtectionReformPackage.27

25SeeIlGarante(2014),AnnexAtotheGarante’sOrderof12November2014,3<http://194.242.234.211/documents/10160/0/GUIDELINES+ON+BIOMETRIC+RECOGNITION> accessed 30May2016.26Foranoverviewofbiometricrecognition,seeforinstanceYiChenandJeanChristopheFondeur,‘BiometricAlgorithms’inStanZLi&AnilKJain(eds),EncyclopediaofBiometrics(Springer2015)156-161.27Thissectionisbasedonthefindingsofapreviousarticle,seeCatherineJasserand,‘AvoidingTerminologicalConfusionbetweentheNotionsof‘Biometrics’and‘BiometricData’:anInvestigationintotheMeaningsofthe

56

The concept of biometric data cannot be found in Convention 10828nor in the DataProtection Directive,29the two European founding texts in the field of personal dataprotection.30This is logical, since at the time of their respective adoption, in 1981 and1995,theimpactofbiometrictechnologiesondataprotectionatEuropeanlevelwasnotwidely discussed. It was not until the early 2000s that the European bodies started todiscussthetopic.31Thefirstdocumentsandreportsonthetopicshowtheirhesitationsastotheexactstatusanddefinitionofbiometricdata.In 2003, theA29WP issuedaworkingdocumentonbiometricsinwhich it addressed theapplicationofdataprotectionrulestobiometricsystems.WhilediscussingtheapplicationoftheDataProtectionDirectivetobiometricdata,itassessedtheirstatusfromapersonaldata perspective. Its early findings on the nature of biometric data are unclear. On oneside, itacknowledgedthatbiometricdataarebynaturepersonaldata,sincetheyalwaysrelatetoanindividualwhois‘generallyidentifiable’.32Butontheotherside,itconsideredthat biometric data arenot alwayspersonal data. It referred, in particular, to biometrictemplates,whichmightnot constitutepersonaldata if they ‘are stored inaway thatnoreasonablemeanscanbeusedbythecontrollerorbyanyotherpersontoidentifythedatasubject.’33As observed by Kindt, the A29WP did not provide any clear criteria todistinguish cases where biometric data (in particular under the form of biometrictemplate)arepersonaldatafromthecaseswheretheyarenot.InthesubsequentOpinionon developments in biometric technologies, Opinion 3/2012, the Working Party did notprovide further explanations. Itmerely repeated that ‘inmost cases biometric data arepersonal data’without further analysis on thedefinitionor on the formats of biometricdata.34Whenreviewingthevariousopinionsandreportsondataprotectionandbiometricdata,whatisstrikingistheabsenceofadefinitionforthenotion‘biometricdata’.Adefinitionofthe term emerged quite late in the discussions on biometric data and technologies.35Inparticular, the A29WP investigated the status of biometric data from a data protectionperspectiveevenbeforedefining thenotion. Itwasonly in2007that theWorkingPartygaveadefinitiontotheconceptinOpinion4/2007ontheconceptofpersonaldata.InthatOpinion, biometric data are approached from a scientific perspective and defined as‘biological properties, physiological characteristics, living traits or repeatable actionsTermsfromaEuropeandataprotectionandaScientificPerspective’(2016)6(1) InternationalDataPrivacyLaw63.28Convention108(n4).29Directive95/46/EC(n5).30The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (updated in2013)arealsoanon-bindingsource<http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm>accessed30May2016.31Inliterature,someauthorshaveaddressedtheissueearlier,egPrins(n23).32A29WP,Workingdocumentonbiometrics(n7)10.33ibidfn11,5.34A29WP,Opinion3/2012(n8)7.35ForacompleteoverviewofthedefinitionsproposedbytheEuropeanbodies,seeJasserand(n27).

63

3


Recognition and Graphometric Signature. 25 Biometric characteristics from whichbiometricdataareextractedarephysicalorbehaviouralattributes.Theseattributes(suchas face, fingerprints, voice or gait) show some distinctive and repeatable features (i.e.patterns)thatcanbemeasuredandcomparedsoastorecogniseanindividual.Biometricrecognitionisthegeneraltermusedtocoverthefunctionsofabiometricsystembasedonbiometricdata.Thesefunctionscanbesplitbetween‘biometricidentification’,wheretheidentity of an unknown individual is (or is not) established, and ‘identity verification’,where that individual’s identity does not need to be established, but only verified. Toperformbiometricrecognition,biometriccharacteristicsaretransformedintodataunderdifferent formats: a sample (such as the image of a fingerprint, a facial image) and atemplate(areduced formof thesample translated intocodes,numbers).26Thetechnicaltermsarefurtherexplainedinthebodyofthearticle.Althoughthisarticlereliesonscientific literatureandterminology, it isnotwrittenbyascientificexpertanditwillnotassessthequalityofthescientificpaperstowhichitrefers.Thearticleusesthemasdescriptiveelements.The article is structured as follows. The next section, Section II, describes the slowintroductionof thenotionofbiometricdata in thedataprotection fieldat theEuropeanlevelbeforetheadoptionoftheDataProtectionReformPackage.SectionIIIdeconstructstheconceptofbiometricdataasdefined in theGDPR.To thisend, thesectiondescribeseachcomponentofthedefinitionandassessesinparticulartheroleplayedbythefunctionofidentification.Onthisissue,thearticledistinguishesthemeaningofidentificationfromadataprotectionperspectivefromthatfromabiometricrecognitionperspective.SectionIV is dedicated to the status of biometric data as sensitive data. It also discusses therelevanceofthepurposeofprocessingasaconditionforapplyingtheregimeofsensitivedatatobiometricdata.ThelastsectionconcludesonthechangesthattheGDPRintroducesforthelegalqualificationandstatusofbiometricdatafromadataprotectionperspectiveatEUlevel,aswellasontheremaininguncertainties.

TheSlowIntroductionoftheNotionofBiometricDataintheEUDataProtectionField

This section retraces the progressive recognition of biometric data as a category ofpersonaldataatEUlevelpriortotheadoptionoftheDataProtectionReformPackage.27

25SeeIlGarante(2014),AnnexAtotheGarante’sOrderof12November2014,3<http://194.242.234.211/documents/10160/0/GUIDELINES+ON+BIOMETRIC+RECOGNITION> accessed 30May2016.26Foranoverviewofbiometricrecognition,seeforinstanceYiChenandJeanChristopheFondeur,‘BiometricAlgorithms’inStanZLi&AnilKJain(eds),EncyclopediaofBiometrics(Springer2015)156-161.27Thissectionisbasedonthefindingsofapreviousarticle,seeCatherineJasserand,‘AvoidingTerminologicalConfusionbetweentheNotionsof‘Biometrics’and‘BiometricData’:anInvestigationintotheMeaningsofthe

56

The concept of biometric data cannot be found in Convention 10828nor in the DataProtection Directive,29the two European founding texts in the field of personal dataprotection.30This is logical, since at the time of their respective adoption, in 1981 and1995,theimpactofbiometrictechnologiesondataprotectionatEuropeanlevelwasnotwidely discussed. It was not until the early 2000s that the European bodies started todiscussthetopic.31Thefirstdocumentsandreportsonthetopicshowtheirhesitationsastotheexactstatusanddefinitionofbiometricdata.In 2003, theA29WP issuedaworkingdocumentonbiometricsinwhich it addressed theapplicationofdataprotectionrulestobiometricsystems.WhilediscussingtheapplicationoftheDataProtectionDirectivetobiometricdata,itassessedtheirstatusfromapersonaldata perspective. Its early findings on the nature of biometric data are unclear. On oneside, itacknowledgedthatbiometricdataarebynaturepersonaldata,sincetheyalwaysrelatetoanindividualwhois‘generallyidentifiable’.32Butontheotherside,itconsideredthat biometric data arenot alwayspersonal data. It referred, in particular, to biometrictemplates,whichmightnot constitutepersonaldata if they ‘are stored inaway thatnoreasonablemeanscanbeusedbythecontrollerorbyanyotherpersontoidentifythedatasubject.’33As observed by Kindt, the A29WP did not provide any clear criteria todistinguish cases where biometric data (in particular under the form of biometrictemplate)arepersonaldatafromthecaseswheretheyarenot.InthesubsequentOpinionon developments in biometric technologies, Opinion 3/2012, the Working Party did notprovide further explanations. Itmerely repeated that ‘inmost cases biometric data arepersonal data’without further analysis on thedefinitionor on the formats of biometricdata.34Whenreviewingthevariousopinionsandreportsondataprotectionandbiometricdata,whatisstrikingistheabsenceofadefinitionforthenotion‘biometricdata’.Adefinitionofthe term emerged quite late in the discussions on biometric data and technologies.35Inparticular, the A29WP investigated the status of biometric data from a data protectionperspectiveevenbeforedefining thenotion. Itwasonly in2007that theWorkingPartygaveadefinitiontotheconceptinOpinion4/2007ontheconceptofpersonaldata.InthatOpinion, biometric data are approached from a scientific perspective and defined as‘biological properties, physiological characteristics, living traits or repeatable actionsTermsfromaEuropeandataprotectionandaScientificPerspective’(2016)6(1) InternationalDataPrivacyLaw63.28Convention108(n4).29Directive95/46/EC(n5).30The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (updated in2013)arealsoanon-bindingsource<http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm>accessed30May2016.31Inliterature,someauthorshaveaddressedtheissueearlier,egPrins(n23).32A29WP,Workingdocumentonbiometrics(n7)10.33ibidfn11,5.34A29WP,Opinion3/2012(n8)7.35ForacompleteoverviewofthedefinitionsproposedbytheEuropeanbodies,seeJasserand(n27).

64

Chapter 3

57

where those featuresand/oractionsarebothunique to that individualandmeasurable,evenifthepatternsusedinpracticetotechnicallymeasuretheminvolveacertaindegreeofprobability.’36Inthatsameopinion,theA29WParguedthatbiometricdatahaveadualnature:theyarebothapieceofinformationaboutanindividualandconstitutea(unique)linkbetweenthatindividualandhisorherbiometriccharacteristics.ThisdefinitionwasquotedseveraltimesbytheEDPS37andtheA29WPitself.38However,thatdefinitiondoesnot link ‘biometricdata’ to ‘personaldata’. It is interesting tonote that thedefinitionofbiometricdataoriginallycontainedintheproposalsforaDataProtectionReformPackagealsohadnolinktopersonaldata.39In their opinions and reports, the European bodies have indistinctly used the terms‘biometric data’ and ‘biometrics’. However, a systematic analysis of the two notionsrevealsthat‘biometricdata’isbothatechnicalandalegalnotion,whereas‘biometrics’isonlyatechnicalnotion.40Inanycase,thetwoarenotsynonymous.Theterm‘biometrics’has been borrowed from the biometric recognition field. As such, in a data protectioncontext,itshouldonlybeusedinthewaydefinedbythebiometriccommunity,i.e.asan‘automaticrecognitionmethod’basedonbiometriccharacteristics.41Theterm‘biometricdata’, on its side, covers the technical transformation of biometric characteristics intoformats that can be used for biometric recognition. The technical definition does notrequirealinktoaspecificindividual.42Bycontrast,inadataprotectioncontext,thislinkiscrucialtodeterminewhetherthetechnical ‘biometricdata’constitutepersonaldata.Thenext section deconstructs the legal concept of ‘biometric data’ introduced in the DataProtectionReformPackage.

DeconstructionoftheLegalConceptofBiometricDataUntiltheadoptionoftheDataProtectionReformPackage,therewasnoexpressprovisionontheconceptofbiometricdatanorspecificrulestoregulatetheprocessingofbiometricdatainEuropeandataprotectioninstruments.Article4(14)GDPRnowdefines‘biometricdata’as:

‘Personal data’ resulting from a specific technical processing relating to thephysical, physiological or behavioural characteristics of a natural person, which

36A29WP,‘Opinion4/2007ontheconceptofpersonaldata’[2007]WP136,8.37EDPS, ‘Opinion on a Research Project Funded by the European Union under the Seventh FrameworkProgramme (FP7) for Research and Technology Development - Turbine (TrUsted Revocable BiometricIdeNtitiEs)’[2011](hereinafterOpiniononTurbineProject).38A29WP,Opinion3/2012(n8).39EuropeanCommission,ProposalfortheGeneralDataProtectionRegulation(n17),Art4(11)thatreadsasfollows:‘dataresultingfrom…’(emphasisadded).40SeeJasserand(n27).41ISO/IEC2382-37(n24),Term37.01.03.42ISO/IEC 2382-37 (n 24), Note below term 37.03.06 that reads as follows: ‘biometric data need not beattributabletoaspecificindividual.’

58

allow or confirm the unique identification of that natural person, such as facialimagesordactyloscopicdata.

Theconceptcanbefurtheranalysedthroughitsdifferentcomponents.

PersonalData‘Biometricdata’arefirstofallpersonaldata.Thismeansthat,beforelegallyqualifyingas‘biometric’, this typeofdataneeds to complywith the criteria applicable to thegeneralcategoryofpersonaldata.The definition of personal data in Article 4(1) GDPR is very similar to the originaldefinitioncontainedinArticle2(a)oftheDataProtectionDirective.43Thenotionisindeeddefined in identical terms, as ‘any information relating to an identified or identifiablenaturalperson(‘datasubject’).’Thedifferencebetweenthetwoliesinthedescriptionofwhat an ‘identifiable person’ is. Article 4(1) GDPR contains a broader list of possibleidentifying factors (includinggenetic identity)andaddsexamplesof identifiers (suchasname, identification number, location data and online identifier). The definition does,however,notrefertothenotionofabiometricidentityorbiometricidentifier.Thethresholdaccordingtowhichtheidentificationofanindividualisdeterminedremainslow: the individual does not need to be identified, but only made identifiable. Like inArticle 2(a) of the Data Protection Directive, the adjective ‘identified’ is undefined.44Asinterpreted by the A29WP in Opinion 4/2007, ‘identified’ should be understood asmeaning to be ‘singled out’ or ‘distinguished’ from a group of people.45Identifyingsomeone in adataprotection context thereforedoesnot require establishinghisorheridentity.‘Identifiable’isdifferentfrom‘identified’,astheformerreferstoanindividualwhohasnotbeenidentifiedyet,butwhocanbe,throughthecombinationofotherinformation.Recital26GDPRreiteratesthetestof ‘identifiability’,originallycontainedintheDataProtectionDirective.46Thattestrelatesto“allthemeanslikelyreasonablytobeused”toidentifyanindividual.Recital26GDPRalsosetsalistoffactorstobetakenintoaccounttoassesstheidentifiability of an individual. That list is based on factors suggested by theA29WP in

43art2(a)oftheDataProtectionDirective(n5)readsasfollows: ‘personaldatashallmeananyinformationrelatingtoanidentifiedoridentifiablenaturalperson(‘datasubject’);anidentifiablepersonisonewhocanbeidentified,directlyorindirectly,inparticularbyreferencetoanidentificationnumberortoonemorefactorsspecifictothephysical,physiological,mental,economic,culturalorsocialidentity.’44See also analysis made byWaltraut Kotschy, ‘Article 2, Directive 95/46/EC’ in Alfred Büllesbach, SergeGijrath, Yves Poullet andCorienPrins (eds),ConciseofEuropeanITlaw (2nd edn,Kluwer Law International2010),35.45A29WP,Opinion4/2007(n36)12-13.46Recital 26 of the Data Protection Directive reads as follows: ‘Whereas the principles of protectionmustapply to any information concerning an identified or identifiable person;whereas, to determinewhether aperson is identifiable, account should be taken of all themeans likely reasonably to be used either by thecontrollerorbyanyotherpersontoidentifythesaidperson(…).’

65

3


57

where those featuresand/oractionsarebothunique to that individualandmeasurable,evenifthepatternsusedinpracticetotechnicallymeasuretheminvolveacertaindegreeofprobability.’36Inthatsameopinion,theA29WParguedthatbiometricdatahaveadualnature:theyarebothapieceofinformationaboutanindividualandconstitutea(unique)linkbetweenthatindividualandhisorherbiometriccharacteristics.ThisdefinitionwasquotedseveraltimesbytheEDPS37andtheA29WPitself.38However,thatdefinitiondoesnot link ‘biometricdata’ to ‘personaldata’. It is interesting tonote that thedefinitionofbiometricdataoriginallycontainedintheproposalsforaDataProtectionReformPackagealsohadnolinktopersonaldata.39In their opinions and reports, the European bodies have indistinctly used the terms‘biometric data’ and ‘biometrics’. However, a systematic analysis of the two notionsrevealsthat‘biometricdata’isbothatechnicalandalegalnotion,whereas‘biometrics’isonlyatechnicalnotion.40Inanycase,thetwoarenotsynonymous.Theterm‘biometrics’has been borrowed from the biometric recognition field. As such, in a data protectioncontext,itshouldonlybeusedinthewaydefinedbythebiometriccommunity,i.e.asan‘automaticrecognitionmethod’basedonbiometriccharacteristics.41Theterm‘biometricdata’, on its side, covers the technical transformation of biometric characteristics intoformats that can be used for biometric recognition. The technical definition does notrequirealinktoaspecificindividual.42Bycontrast,inadataprotectioncontext,thislinkiscrucialtodeterminewhetherthetechnical ‘biometricdata’constitutepersonaldata.Thenext section deconstructs the legal concept of ‘biometric data’ introduced in the DataProtectionReformPackage.

DeconstructionoftheLegalConceptofBiometricDataUntiltheadoptionoftheDataProtectionReformPackage,therewasnoexpressprovisionontheconceptofbiometricdatanorspecificrulestoregulatetheprocessingofbiometricdatainEuropeandataprotectioninstruments.Article4(14)GDPRnowdefines‘biometricdata’as:

‘Personal data’ resulting from a specific technical processing relating to thephysical, physiological or behavioural characteristics of a natural person, which

36A29WP,‘Opinion4/2007ontheconceptofpersonaldata’[2007]WP136,8.37EDPS, ‘Opinion on a Research Project Funded by the European Union under the Seventh FrameworkProgramme (FP7) for Research and Technology Development - Turbine (TrUsted Revocable BiometricIdeNtitiEs)’[2011](hereinafterOpiniononTurbineProject).38A29WP,Opinion3/2012(n8).39EuropeanCommission,ProposalfortheGeneralDataProtectionRegulation(n17),Art4(11)thatreadsasfollows:‘dataresultingfrom…’(emphasisadded).40SeeJasserand(n27).41ISO/IEC2382-37(n24),Term37.01.03.42ISO/IEC 2382-37 (n 24), Note below term 37.03.06 that reads as follows: ‘biometric data need not beattributabletoaspecificindividual.’

58

allow or confirm the unique identification of that natural person, such as facialimagesordactyloscopicdata.

Theconceptcanbefurtheranalysedthroughitsdifferentcomponents.

PersonalData‘Biometricdata’arefirstofallpersonaldata.Thismeansthat,beforelegallyqualifyingas‘biometric’, this typeofdataneeds to complywith the criteria applicable to thegeneralcategoryofpersonaldata.The definition of personal data in Article 4(1) GDPR is very similar to the originaldefinitioncontainedinArticle2(a)oftheDataProtectionDirective.43Thenotionisindeeddefined in identical terms, as ‘any information relating to an identified or identifiablenaturalperson(‘datasubject’).’Thedifferencebetweenthetwoliesinthedescriptionofwhat an ‘identifiable person’ is. Article 4(1) GDPR contains a broader list of possibleidentifying factors (includinggenetic identity)andaddsexamplesof identifiers (suchasname, identification number, location data and online identifier). The definition does,however,notrefertothenotionofabiometricidentityorbiometricidentifier.Thethresholdaccordingtowhichtheidentificationofanindividualisdeterminedremainslow: the individual does not need to be identified, but only made identifiable. Like inArticle 2(a) of the Data Protection Directive, the adjective ‘identified’ is undefined.44Asinterpreted by the A29WP in Opinion 4/2007, ‘identified’ should be understood asmeaning to be ‘singled out’ or ‘distinguished’ from a group of people.45Identifyingsomeone in adataprotection context thereforedoesnot require establishinghisorheridentity.‘Identifiable’isdifferentfrom‘identified’,astheformerreferstoanindividualwhohasnotbeenidentifiedyet,butwhocanbe,throughthecombinationofotherinformation.Recital26GDPRreiteratesthetestof ‘identifiability’,originallycontainedintheDataProtectionDirective.46Thattestrelatesto“allthemeanslikelyreasonablytobeused”toidentifyanindividual.Recital26GDPRalsosetsalistoffactorstobetakenintoaccounttoassesstheidentifiability of an individual. That list is based on factors suggested by theA29WP in

43art2(a)oftheDataProtectionDirective(n5)readsasfollows: ‘personaldatashallmeananyinformationrelatingtoanidentifiedoridentifiablenaturalperson(‘datasubject’);anidentifiablepersonisonewhocanbeidentified,directlyorindirectly,inparticularbyreferencetoanidentificationnumberortoonemorefactorsspecifictothephysical,physiological,mental,economic,culturalorsocialidentity.’44See also analysis made byWaltraut Kotschy, ‘Article 2, Directive 95/46/EC’ in Alfred Büllesbach, SergeGijrath, Yves Poullet andCorienPrins (eds),ConciseofEuropeanITlaw (2nd edn,Kluwer Law International2010),35.45A29WP,Opinion4/2007(n36)12-13.46Recital 26 of the Data Protection Directive reads as follows: ‘Whereas the principles of protectionmustapply to any information concerning an identified or identifiable person;whereas, to determinewhether aperson is identifiable, account should be taken of all themeans likely reasonably to be used either by thecontrollerorbyanyotherpersontoidentifythesaidperson(…).’

66

Chapter 3

Opinion4/2007.47Among those factorsare thoserelating to ‘available technologyat thetimeofprocessingandtechnologicaldevelopment.’48

ResultingfromaSpecificTechnicalProcessingLike theDataProtectionDirective, theGeneralDataProtectionRegulation regulates theprocessing of personal data.49Theprocessing of personal data is defined inArticle 4(2)GDPRasfollows:

Anyoperationorsetofoperationswhichisperformedonpersonaldataoronsetsof personal data, whether or not by automated means, such as collection,recording, organisation, structuring, storage, adaptation or alteration, retrieval,consultation,use,disclosurebytransmission,disseminationorotherwisemakingavailable,alignmentorcombination,restriction,erasureordestruction.

Theregulatorydefinitionofbiometricdatacontainsareferencetotechnicalprocessing.Itdoesnot specifywhat shouldbeunderstoodby ‘specific technicalprocessing’, except tostatethatthepurposeof thatprocessingshouldbetouniquely identifyan individual. Inorder to understand the technical processing to which biometric characteristics aresubjected and their transformation into data, the following paragraphs explain thetechnicalstagesofbiometricrecognitionandthebiometrictemplatesresultingfromthem.

a. TechnicalStepsofBiometricRecognition

The first stage of the processing is the enrolment of the biometric characteristics in abiometricsystem.Thebiometriccharacteristicsare‘captured’undertheformofanimage,such as a fingerprint image. The format resulting from this phase is called a biometricsample.50In a second stage, the information contained in a sample is extracted, reduced, andtransformed into labels or numbers via an algorithm.51This phase is called featureextraction.52Only the ‘the salient discriminatory information that is essential forrecognizing the person’ will be kept.53The extracted features are kept in a biometric

47A29WP,Opinion4/2007(n36)15.48Recital26GDPRreadsasfollows:‘Todeterminewhetherapersonisidentifiable,accountshouldbetakentoallthemeansreasonablylikelytobeused,suchassinglingout,eitherbythecontrollerorbyanotherpersontoidentifythenaturalpersondirectlyorindirectly.Toascertainwhethermeansarereasonablylikelytobeusedto identify thenaturalperson, account shouldbe takenof all objective factors, suchas the costsof and theamountoftimerequiredforidentification,takingintoconsiderationtheavailabletechnologyatthetimeoftheprocessingandtechnologicaldevelopments.’49Seematerialscope,art3(1)oftheDataProtectionDirectiveandArt2(1)GDPR.50ISO/IEC2382-37(n24),Term37.03.21,Definitionofbiometricsampleas:‘analogordigitalrepresentationofbiometriccharacteristicspriortobiometricfeatureextraction.’51Thisisaverysimplifiedpresentationoftheformats.Forfurthertechnicaldetails,seeKindt(n23)43-47.52ISO/IEC2382-37(n24),Term37.03.21.53eg DavideMaltoni, Dario Maio, Anil Jain, and Salil Prabhakar (eds),HandbookofFingerprintRecognition(Springer2003)26.

60

template under the form of a ‘mathematical representation of the original [biometric]characteristic.’54Thereferencetemplateisthenstoredforcomparison.55In a third stage, a biometric sample (such as a fingertip) presented at a sensorwill becomparedwithapreviouslyrecordedtemplate(suchasthetemplateofafingerprint).Insomecases,thecomparisonwillbeestablishedwithanotherbiometricsampleinsteadofatemplate.Comparisonbetweensamplesishoweverlesscommon.56From thesedifferent technical steps and the transformationof biometric characteristicsintobiometricinformation,severalprocessingoperations,asdefinedinArticle4(2)GDPR,can be identified:57in a first phase (enrolment), data are collected; during the secondphase (feature extraction), data are organised, structured, adapted and stored; the finalphaseofcomparisonentailsspecifically theretrieval,consultation,useanddisclosureofthedata.

b. BiometricFormatsResultingfromtheTechnicalProcessingTwoformatsresultfromthetechnicalprocessing:thebiometricsampleandthebiometrictemplate. As already described, a sample is the image of a biometric characteristic,whereasatemplateisareducedandencodedformofinformationcontainedinasample.Some authors, aswell as the A29WP,wrongly use the phrase ‘raw (biometric) data’ todesignate a biometric sample.58Raw (biometric) data are, for example, a fingerprint,fingertip,iris,voice,etc.Intheabsenceofanytechnicalprocessingthroughwhichtherawdata are obtained, these fall outside the scope of biometric data. The term ‘raw data’shouldonlybeusedasasynonymofbiometriccharacteristics.UndertheregimeoftheDataProtectionDirective, the issueofbiometric formatsplayedan important role in the debate on the legal qualification of ‘biometric data’. Notmuchdoubtwasexpressedonthestatusofbiometricsamples,whichwereconsideredpersonaldata.59Incontrast, thestatusofbiometrictemplateshasgeneratedmorediscussion.Thepositionofthelegalliteraturehasalsochangedovertime,takingintoaccountthestateoftheartinbiometricrecognition.Inearlydiscussionsonthenatureofbiometrictemplatesfromadataprotectionperspective,itwasbelievedthatbiometrictemplatescouldnotbe‘translated back’ into the biometric samples from which they originated. This was the

54EmmaWollacott, ‘Protection when Tech Gets Rather Personal’, Biometrics and IdentityManagement, LeRaconteur(30April2015)10<https://www.raconteur.net/biometrics-2015>accessed30May2016.55Encyclopedia of Biometrics (n 26), ‘Biometric Template’, 152, and Andy Adler and Stephan Schuckers,‘BiometricVulnerabilities,Overview’inEncyclopediaofBiometrics(n26)164.56Kindt(n23).57Art4(2)GDPR, theprocessingofpersonaldata isdefinedas ‘anyoperationor setofoperationswhich isperformedonpersonaldataoronsetsofpersonaldata,whetherornotbyautomatedmeans,suchacollection,recording,organisation, structuring, storage, adaptationoralteration, retrieval, consultation,use,disclosurebytransmission,disseminationorotherwisemakingavailable,alignmentorcombination,restriction,erasureordestruction.’58SeecriticismsbyKindtinKindt(n23),fn100,43andfn39,98.59Liu (n 23) 45-54; Paul De Hert, ‘Biometrics: Legal Issues and Implications’, Background Paper for theInstituteofProspectiveTechnologicalStudies,DGJRC-SevillaEuropeanCommission(2005)13.

67

3


Opinion4/2007.47Among those factorsare thoserelating to ‘available technologyat thetimeofprocessingandtechnologicaldevelopment.’48

ResultingfromaSpecificTechnicalProcessingLike theDataProtectionDirective, theGeneralDataProtectionRegulation regulates theprocessing of personal data.49Theprocessing of personal data is defined inArticle 4(2)GDPRasfollows:

Anyoperationorsetofoperationswhichisperformedonpersonaldataoronsetsof personal data, whether or not by automated means, such as collection,recording, organisation, structuring, storage, adaptation or alteration, retrieval,consultation,use,disclosurebytransmission,disseminationorotherwisemakingavailable,alignmentorcombination,restriction,erasureordestruction.

Theregulatorydefinitionofbiometricdatacontainsareferencetotechnicalprocessing.Itdoesnot specifywhat shouldbeunderstoodby ‘specific technicalprocessing’, except tostatethatthepurposeof thatprocessingshouldbetouniquely identifyan individual. Inorder to understand the technical processing to which biometric characteristics aresubjected and their transformation into data, the following paragraphs explain thetechnicalstagesofbiometricrecognitionandthebiometrictemplatesresultingfromthem.

a. TechnicalStepsofBiometricRecognition

The first stage of the processing is the enrolment of the biometric characteristics in abiometricsystem.Thebiometriccharacteristicsare‘captured’undertheformofanimage,such as a fingerprint image. The format resulting from this phase is called a biometricsample.50In a second stage, the information contained in a sample is extracted, reduced, andtransformed into labels or numbers via an algorithm.51This phase is called featureextraction.52Only the ‘the salient discriminatory information that is essential forrecognizing the person’ will be kept.53The extracted features are kept in a biometric

47A29WP,Opinion4/2007(n36)15.48Recital26GDPRreadsasfollows:‘Todeterminewhetherapersonisidentifiable,accountshouldbetakentoallthemeansreasonablylikelytobeused,suchassinglingout,eitherbythecontrollerorbyanotherpersontoidentifythenaturalpersondirectlyorindirectly.Toascertainwhethermeansarereasonablylikelytobeusedto identify thenaturalperson, account shouldbe takenof all objective factors, suchas the costsof and theamountoftimerequiredforidentification,takingintoconsiderationtheavailabletechnologyatthetimeoftheprocessingandtechnologicaldevelopments.’49Seematerialscope,art3(1)oftheDataProtectionDirectiveandArt2(1)GDPR.50ISO/IEC2382-37(n24),Term37.03.21,Definitionofbiometricsampleas:‘analogordigitalrepresentationofbiometriccharacteristicspriortobiometricfeatureextraction.’51Thisisaverysimplifiedpresentationoftheformats.Forfurthertechnicaldetails,seeKindt(n23)43-47.52ISO/IEC2382-37(n24),Term37.03.21.53eg DavideMaltoni, Dario Maio, Anil Jain, and Salil Prabhakar (eds),HandbookofFingerprintRecognition(Springer2003)26.

60

template under the form of a ‘mathematical representation of the original [biometric]characteristic.’54Thereferencetemplateisthenstoredforcomparison.55In a third stage, a biometric sample (such as a fingertip) presented at a sensorwill becomparedwithapreviouslyrecordedtemplate(suchasthetemplateofafingerprint).Insomecases,thecomparisonwillbeestablishedwithanotherbiometricsampleinsteadofatemplate.Comparisonbetweensamplesishoweverlesscommon.56From thesedifferent technical steps and the transformationof biometric characteristicsintobiometricinformation,severalprocessingoperations,asdefinedinArticle4(2)GDPR,can be identified:57in a first phase (enrolment), data are collected; during the secondphase (feature extraction), data are organised, structured, adapted and stored; the finalphaseofcomparisonentailsspecifically theretrieval,consultation,useanddisclosureofthedata.

b. BiometricFormatsResultingfromtheTechnicalProcessingTwoformatsresultfromthetechnicalprocessing:thebiometricsampleandthebiometrictemplate. As already described, a sample is the image of a biometric characteristic,whereasatemplateisareducedandencodedformofinformationcontainedinasample.Some authors, aswell as the A29WP,wrongly use the phrase ‘raw (biometric) data’ todesignate a biometric sample.58Raw (biometric) data are, for example, a fingerprint,fingertip,iris,voice,etc.Intheabsenceofanytechnicalprocessingthroughwhichtherawdata are obtained, these fall outside the scope of biometric data. The term ‘raw data’shouldonlybeusedasasynonymofbiometriccharacteristics.UndertheregimeoftheDataProtectionDirective, the issueofbiometric formatsplayedan important role in the debate on the legal qualification of ‘biometric data’. Notmuchdoubtwasexpressedonthestatusofbiometricsamples,whichwereconsideredpersonaldata.59Incontrast, thestatusofbiometrictemplateshasgeneratedmorediscussion.Thepositionofthelegalliteraturehasalsochangedovertime,takingintoaccountthestateoftheartinbiometricrecognition.Inearlydiscussionsonthenatureofbiometrictemplatesfromadataprotectionperspective,itwasbelievedthatbiometrictemplatescouldnotbe‘translated back’ into the biometric samples from which they originated. This was the

54EmmaWollacott, ‘Protection when Tech Gets Rather Personal’, Biometrics and IdentityManagement, LeRaconteur(30April2015)10<https://www.raconteur.net/biometrics-2015>accessed30May2016.55Encyclopedia of Biometrics (n 26), ‘Biometric Template’, 152, and Andy Adler and Stephan Schuckers,‘BiometricVulnerabilities,Overview’inEncyclopediaofBiometrics(n26)164.56Kindt(n23).57Art4(2)GDPR, theprocessingofpersonaldata isdefinedas ‘anyoperationor setofoperationswhich isperformedonpersonaldataoronsetsofpersonaldata,whetherornotbyautomatedmeans,suchacollection,recording,organisation, structuring, storage, adaptationoralteration, retrieval, consultation,use,disclosurebytransmission,disseminationorotherwisemakingavailable,alignmentorcombination,restriction,erasureordestruction.’58SeecriticismsbyKindtinKindt(n23),fn100,43andfn39,98.59Liu (n 23) 45-54; Paul De Hert, ‘Biometrics: Legal Issues and Implications’, Background Paper for theInstituteofProspectiveTechnologicalStudies,DGJRC-SevillaEuropeanCommission(2005)13.

68

Chapter 3

positiondefendedbyPrinsandGrijpink.60Grijpinkevenarguedthatbiometrictemplateswere anonymous data. Since Prins’ and Grijpink’s papers were first published, thescientists Adler, 61 Bromba, 62 Ross, Shah, 63 Cain and Jain64 have demonstrated thatbiometric templates are in fact partially reversible and could possibly regenerateinformationcontainedinbiometricsamples. Inrecentlegalstudiesonthelegalstatusofbiometricdata, authorshave concluded thatbiometric templates are reversible, at leastpartially,andmaynotbeconsideredasanonymousdataanymore.65Thenewdataprotection frameworkdoesnot refer tobiometric formats.This is logical,since the legislative instruments are technology-neutral and the legal definitions shouldnotbetiedtoanyspecificformat.Inanycase,thenotionof‘information’containedinthedefinition of personal data and as interpreted by theA29WP,66covers any type of formandformat.67Asaresult,ifdiscussionsontheformatsdonothavetheirplaceintheDataProtectionReformPackage,theEuropeanDataProtectionBoard68couldprovideguidanceto stakeholders and national data protection authorities on the legal qualification ofbiometricformats.

RelatingtothePhysical,PhysiologicalorBehaviouralCharacteristicsofaNaturalPerson

This criterion relates to the definition of biometric characteristics. It acknowledges thebroad spectrum of measurable human characteristics that can be used for biometricrecognition:thiscoversphysicalandphysiologicalattributes(suchasafingerprint,faceoriris),aswellasbehaviouralattributes(suchasvoice,gaitorsignature).69Thedifferencebetween physiological and physical characteristics is not very clear. Many experts inbiometric recognition only refer to two types of characteristics: either physical andbehavioural characteristics, or physiological and behavioural characteristics.70They

60RespectivelyPrins(n23)andGrijpink(n23).61AndyAdler, ‘CanSampleImagesbeRegeneratedfromBiometricTemplates?’(BiometricsConference,22-23 September 2003) <http://www.sce.carleton.ca/faculty/adler/publications/2003/adler-2003-biometrics-conf-regenerate-templates.pdf>accessed30May2016.62 Manfred Bromba, ‘On the Reconstruction of Biometric Raw Data from Template Data’ (2006)<http://www.bromba.com/knowhow/temppriv.htm>accessed30May2016.63ArunRoss,JidnyaShah,andAnilJain,‘FromTemplatetoImage:ReconstructingFingerprintsfromMinutiaePoints’(2007)29(4)IEEETransactionsonPatternsAnalysisandMachineIntelligence544.Inaverydetailedpaper,theauthorsshowwhichinformationa‘minutiaetemplate’canrevealaboutafingerprintsample.Theyconclude that ‘the reconstructed image can be used to generate synthetic prints that can be used tocompromisethesecurityofabiometricsystem. Ifother information(…)areavailable in the template, then,perhaps,theoriginalfingerprintcanbereconstructedinitsentirety.’64Kai Cao and Anil Jain, ‘Learning Fingerprint Reconstruction: fromMinutiae to Image’ (2015) 10(1) IEEETransactions on Information Forensics and Security 104. Cao and Jain have pursued the research on thepossibility to reconstructa fingerprint image froma templateandconclude that thereconstructed image isveryclosetotheoriginalsample,eveniftooperfecttofoolafingerprintexpert.65SeeLiu(n23)andKindt(n23).66A29WP,Opinion4/2007(n36)6.67ibid7-8.68Establishedbyart68GDPR.69Seeeg,Anil Jain,ArunRoss, andSalilPrabhakar ‘An Introduction toBiometricRecognition’ (2004)14(1)IEEETransactionsonCircuitsandSystemsforVideoTechnology4.70ibid;seealsoEncyclopediaofBiometrics(n26),definitionofBehaviouralBiometrics,62.

provide the same examples for physical and physiological ones: fingerprints, face, palmgeometry.

AllowingorConfirmingtheUniqueIdentificationofthatIndividualThiscriterionisakeyelementinthelegalqualificationofbiometricdata.Itdescribesthepurposesofuseofthebiometriccharacteristics,fromwhichbiometricdataareextracted.It also sets the threshold for identification applicable tobiometricdata as a categoryofpersonal data. It builds on an understanding of the difference of meaning betweenbiometricidentificationandidentificationinadataprotectioncontext.

a. TheDifferentMeaningsofIdentification

For the biometric community, identification has a very specific and narrowmeaning. Itreferstotheprocessofestablishingtheidentityofanindividualbycomparingabiometricsamplewithpreviouslystoredbiometrictemplatesthatexistacrossdifferentdatabases.71This is the ‘one-to-many’ matching.72Identity in a biometric context does not requireestablishingthecivilorlegalidentityofanindividual,butdeterminingthatasampleandapreviously recorded template originate from the same person. Identity is established,whenamatchisfoundbetweenabiometriccharacteristicandabiometrictemplate.Biometric identification is generally opposed to identity verification (or biometricverification). Identity verification is often called ‘authentication’, but this is an incorrectusage of the term according to the biometric community.73As observed by Kindt,authentication is used as a synonym of verification, identification and biometricrecognition.74But because one cannot deduce the functionality to which it refers,75theterm ‘authentication’ should be avoided. This is important for terminological precision,since Recital 51 GDPR mentions the term ‘authentication’ in opposition to ‘uniqueidentification’.This issue is furtherdeveloped in thenextsub-section.Verification is theprocess of verifying if an individual is who she or he claims to be.76The purpose istherefore not to establish the identity of an individual, but solely to verify it. Thecomparison process in that case is known as ‘one-to-one’ matching.77The biometricsampleofanindividualisonlycomparedwiththebiometricinformationcontainedinonedevice,suchasasmartcard,anIDcard,apassport,orinasingledatabase.Until the introduction of the concept of ‘biometric data’ within the scope of the dataprotection legislation, there was no reason to distinguish the general meaning of

71ISO/IEC2382-37(n24),Term37.08.03,definingbiometricidentificationas‘processofsearchingagainstabiometricenrolmentdatabasetofindandreturnthebiometricreferenceidentifier(s)attributabletoasingleindividual.’72Opinion3/2012(n8)5.73ISO/IEC2382-37(n24),Term37.08.03.74Kindt(n23).75ibid42.76ISO/IEC 2382-37 (n 24), Term 37.08.02, defining biometric verification as: ‘process of confirming abiometricclaimthroughbiometriccomparison.’77A29WP,Opinion3/2012(n8)6.

69

3


positiondefendedbyPrinsandGrijpink.60Grijpinkevenarguedthatbiometrictemplateswere anonymous data. Since Prins’ and Grijpink’s papers were first published, thescientists Adler, 61 Bromba, 62 Ross, Shah, 63 Cain and Jain64 have demonstrated thatbiometric templates are in fact partially reversible and could possibly regenerateinformationcontainedinbiometricsamples. Inrecentlegalstudiesonthelegalstatusofbiometricdata, authorshave concluded thatbiometric templates are reversible, at leastpartially,andmaynotbeconsideredasanonymousdataanymore.65Thenewdataprotection frameworkdoesnot refer tobiometric formats.This is logical,since the legislative instruments are technology-neutral and the legal definitions shouldnotbetiedtoanyspecificformat.Inanycase,thenotionof‘information’containedinthedefinition of personal data and as interpreted by theA29WP,66covers any type of formandformat.67Asaresult,ifdiscussionsontheformatsdonothavetheirplaceintheDataProtectionReformPackage,theEuropeanDataProtectionBoard68couldprovideguidanceto stakeholders and national data protection authorities on the legal qualification ofbiometricformats.

RelatingtothePhysical,PhysiologicalorBehaviouralCharacteristicsofaNaturalPerson

This criterion relates to the definition of biometric characteristics. It acknowledges thebroad spectrum of measurable human characteristics that can be used for biometricrecognition:thiscoversphysicalandphysiologicalattributes(suchasafingerprint,faceoriris),aswellasbehaviouralattributes(suchasvoice,gaitorsignature).69Thedifferencebetween physiological and physical characteristics is not very clear. Many experts inbiometric recognition only refer to two types of characteristics: either physical andbehavioural characteristics, or physiological and behavioural characteristics.70They

60RespectivelyPrins(n23)andGrijpink(n23).61AndyAdler, ‘CanSampleImagesbeRegeneratedfromBiometricTemplates?’(BiometricsConference,22-23 September 2003) <http://www.sce.carleton.ca/faculty/adler/publications/2003/adler-2003-biometrics-conf-regenerate-templates.pdf>accessed30May2016.62 Manfred Bromba, ‘On the Reconstruction of Biometric Raw Data from Template Data’ (2006)<http://www.bromba.com/knowhow/temppriv.htm>accessed30May2016.63ArunRoss,JidnyaShah,andAnilJain,‘FromTemplatetoImage:ReconstructingFingerprintsfromMinutiaePoints’(2007)29(4)IEEETransactionsonPatternsAnalysisandMachineIntelligence544.Inaverydetailedpaper,theauthorsshowwhichinformationa‘minutiaetemplate’canrevealaboutafingerprintsample.Theyconclude that ‘the reconstructed image can be used to generate synthetic prints that can be used tocompromisethesecurityofabiometricsystem. Ifother information(…)areavailable in the template, then,perhaps,theoriginalfingerprintcanbereconstructedinitsentirety.’64Kai Cao and Anil Jain, ‘Learning Fingerprint Reconstruction: fromMinutiae to Image’ (2015) 10(1) IEEETransactions on Information Forensics and Security 104. Cao and Jain have pursued the research on thepossibility to reconstructa fingerprint image froma templateandconclude that thereconstructed image isveryclosetotheoriginalsample,eveniftooperfecttofoolafingerprintexpert.65SeeLiu(n23)andKindt(n23).66A29WP,Opinion4/2007(n36)6.67ibid7-8.68Establishedbyart68GDPR.69Seeeg,Anil Jain,ArunRoss, andSalilPrabhakar ‘An Introduction toBiometricRecognition’ (2004)14(1)IEEETransactionsonCircuitsandSystemsforVideoTechnology4.70ibid;seealsoEncyclopediaofBiometrics(n26),definitionofBehaviouralBiometrics,62.

provide the same examples for physical and physiological ones: fingerprints, face, palmgeometry.

AllowingorConfirmingtheUniqueIdentificationofthatIndividualThiscriterionisakeyelementinthelegalqualificationofbiometricdata.Itdescribesthepurposesofuseofthebiometriccharacteristics,fromwhichbiometricdataareextracted.It also sets the threshold for identification applicable tobiometricdata as a categoryofpersonal data. It builds on an understanding of the difference of meaning betweenbiometricidentificationandidentificationinadataprotectioncontext.

a. TheDifferentMeaningsofIdentification

For the biometric community, identification has a very specific and narrowmeaning. Itreferstotheprocessofestablishingtheidentityofanindividualbycomparingabiometricsamplewithpreviouslystoredbiometrictemplatesthatexistacrossdifferentdatabases.71This is the ‘one-to-many’ matching.72Identity in a biometric context does not requireestablishingthecivilorlegalidentityofanindividual,butdeterminingthatasampleandapreviously recorded template originate from the same person. Identity is established,whenamatchisfoundbetweenabiometriccharacteristicandabiometrictemplate.Biometric identification is generally opposed to identity verification (or biometricverification). Identity verification is often called ‘authentication’, but this is an incorrectusage of the term according to the biometric community.73As observed by Kindt,authentication is used as a synonym of verification, identification and biometricrecognition.74But because one cannot deduce the functionality to which it refers,75theterm ‘authentication’ should be avoided. This is important for terminological precision,since Recital 51 GDPR mentions the term ‘authentication’ in opposition to ‘uniqueidentification’.This issue is furtherdeveloped in thenextsub-section.Verification is theprocess of verifying if an individual is who she or he claims to be.76The purpose istherefore not to establish the identity of an individual, but solely to verify it. Thecomparison process in that case is known as ‘one-to-one’ matching.77The biometricsampleofanindividualisonlycomparedwiththebiometricinformationcontainedinonedevice,suchasasmartcard,anIDcard,apassport,orinasingledatabase.Until the introduction of the concept of ‘biometric data’ within the scope of the dataprotection legislation, there was no reason to distinguish the general meaning of

71ISO/IEC2382-37(n24),Term37.08.03,definingbiometricidentificationas‘processofsearchingagainstabiometricenrolmentdatabasetofindandreturnthebiometricreferenceidentifier(s)attributabletoasingleindividual.’72Opinion3/2012(n8)5.73ISO/IEC2382-37(n24),Term37.08.03.74Kindt(n23).75ibid42.76ISO/IEC 2382-37 (n 24), Term 37.08.02, defining biometric verification as: ‘process of confirming abiometricclaimthroughbiometriccomparison.’77A29WP,Opinion3/2012(n8)6.

70

Chapter 3

identification from its specificmeaning in abiometric context.With the adoptionof thenew data protection framework, there is such a need. As described in sub-section 1,identificationinadataprotectioncontext(meaning‘singlingout’)hasabroadermeaningthan biometric identification (meaning ‘establishing somebody’s identity’). However, itcanbearguedthat the functionof identificationthroughpersonaldataencompassesthebiometricidentificationfunction.

b. FunctionsofBiometricData(“AllowingorConfirming”)Biometric characteristics are thus used to perform biometric identification or identityverification. These two functions seem to be present in the definition of biometric datathroughtheverbs‘allowing’and‘confirming’.Althoughthesetwoverbsdonotreflecttheterminologyusedbybiometricexperts todescribe theusesofbiometric characteristics,onecaninferthat“allowing”referstoestablishingtheidentityofanindividual(biometricidentification), whereas “confirming” refers to verifying his or her identity (identityverification). It is regrettable that the legaldefinition isnotmorerigorousanddoesnottakeintoaccountthepreciseterminologyusedinthecontextofbiometricrecognition.AscriticisedbyStalla-Bourdillon, the legaldefinitionscontained in theGDPRdonot reflecttechnologicalpractices.78Inherstudy,Kindthasalsoemphasizedtheimportanceofusingthecorrecttechnicalterminologytounderstandthediscussionsaboutbiometricdata.79Onapositivenote,oneshouldobservethatthecurrentlegaldefinitionof‘biometricdata’is much improved in comparison to the one originally proposed by the EuropeanCommission. The definition contained in the proposals of the Data Protection ReformPackage only mentioned the function of ‘biometric identification’ and omitted that of‘identityverification’.80

c. UniqueIdentificationThe phrase ‘unique identification’ raises some terminological issues. Should it beunderstood as setting up the threshold of identification to bemet by biometric data aspersonal data? Or should it be understood as referring to the ‘biometric identification’functionofbiometricdata?ThewordingofRecital51castsdoubtontheexactmeaningofthiscriterion.Biometricdataaredefinedasa legal categoryofpersonaldata. It is therefore logical tolookattheterm‘uniqueidentification’throughthelensofthedefinitionofpersonaldata.Fromthatperspective, ‘unique identification’ refers to themeaningof identification inadataprotectioncontext.AsdefinedinArticle4(1)GDPR,dataarepersonaliftheyrelateto78Sophie Stalla-Bourdillon, ‘The GDPR and The BiggestMess of All:Why Accurate Legal Definitions ReallyMatter…’ (blogpostonPeepBeep,12 April 2016) <https://peepbeep.wordpress.com/2016/04/12/the-gdpr-and-the-biggest-mess-of-all-why-accurate-legal-definitions-really-matter/>accessed30May2016.79Kindt(n23)42.80EuropeanCommission,ProposalfortheGDPR(n17),art4(11)readsasfollows:“‘biometricdata'meansanydata relating to thephysical, physiological orbehavioural characteristicsof an individualwhichallow theiruniqueidentification,suchasfacialimages,ordactyloscopicdata.”

an identified or identifiable individual. The threshold of identification is low, since anindividualonlyneeds tobe identifiable.But that threshold ismuchhigher forbiometricdata.AssuggestedbyKotschyinherinterpretationofArticle2(a)oftheDataProtectionDirective, ‘unique identification’ is the ‘highest degree of identification.’ 81 As aconsequence, biometric datamust relate to an identified individual to legally qualify asbiometric data. The adjective ‘unique’ is not defined. It couldmean that biometric datahavesuchparticularitiesthattheycan‘unambiguously’identifyanindividual.Theycan,inparticular, linkanindividualtohisorherbody.Butitwouldnotbeaccuratetosaythat,for this reason, biometric data are unique to each individual and allow their uniqueidentification.Fromascientificperspective,the‘uniqueness’ofbiometriccharacteristicsisan assumption that forensic experts have challenged.82It has indeed never beenscientifically demonstrated that two individuals do not have the same fingerprints.83Inaddition, the results on which the identification is performed are relative. Biometricrecognition is indeed based on measurements and probabilities of similarities (ordissimilarities).Theresultsobtainedfromthecomparisonofbiometricdataaresubjecttoerrors,inparticulartofalseidentification.84Assuch,biometricdatacannothavethesamefunctionasa(static)uniqueidentificationnumber.TheEDPShasadvisedagainsttheuseof biometric data as unique identifiers, because of the probabilistic nature of biometrictechnologies.85Followingthatinterpretation,anindividualwouldonlybeidentifiedifhisorherbiometriccharacteristicsmatch previously recorded biometric data. In a case of a non-match, theindividualremainsunidentified.However,heorshecouldstillbeidentifiable,i.e.heorshecouldbe identifiedbyadifferententity than thedatacontroller.86This is thecasewhenbiometricdatacanbematchedwithotherdatakeptinadatabasedifferentfromtheoneconsultedforcomparison,especiallyinascenarioofidentityverification.Inthatcase,theindividualwouldbeidentifiable.However,those‘biometric’datarelatingtoanidentifiableindividualwouldnotlegallyqualifyas‘biometricdata’.Theywouldhoweverbepersonaldata,providedtheyfulfiltheotherconditionsapplicabletopersonaldataingeneral.

81Kotschy(n44)35.82Forexample,MarkPage,JaneTaylor,andMattBlenkin,‘UniquenessintheForensicIdentificationSciences:FactorFiction?’ (2011)206 (1-3)ForensicScience International12;DavidKaye, ‘QuestioningaCourtroomProof of the Uniqueness of Fingerprints’ (2003) 71 (3) International Statistical Review 521;Michael Saks,‘ForensicIdentification:FromaFaith-Based‘Science’toaScientificScience’(2010)201(1-3)ForensicScienceInternational14.83SimonCole, ‘IsFingerprint IdentificationValid?RhetoricsofReliability inFingerprintProponents’ (2006)28(1)Law&Policy109.84For example, BioPrivacy, International Biometric Group, which developed Best Practices, see FAQs ‘AreBiometricsUniqueIdentifiers?’<http://www.bioprivacy.org>accessed30May2016.85EDPS, ‘Comments on the Communication of the Commission on interoperability of European databases’[2006] <https://edps.europa.eu/sites/edp/files/publication/06-03-10_interoperability_en.pdf > accessed 30May2016;EDPS,‘OpinionoftheEuropeanDataProtectionSupervisorontheInitiativeoftheFederalRepublicofGermany,withaviewtoadoptingaCouncilDecisionontheimplementationofDecision2007/…/JHAonthesteppingupofcross-bordercooperation,particularlyincombatingterrorismandcross-bordercrime’[2008]OJC89/1.86Recital26GDPR.

71

3


identification from its specificmeaning in abiometric context.With the adoptionof thenew data protection framework, there is such a need. As described in sub-section 1,identificationinadataprotectioncontext(meaning‘singlingout’)hasabroadermeaningthan biometric identification (meaning ‘establishing somebody’s identity’). However, itcanbearguedthat the functionof identificationthroughpersonaldataencompassesthebiometricidentificationfunction.

b. FunctionsofBiometricData(“AllowingorConfirming”)Biometric characteristics are thus used to perform biometric identification or identityverification. These two functions seem to be present in the definition of biometric datathroughtheverbs‘allowing’and‘confirming’.Althoughthesetwoverbsdonotreflecttheterminologyusedbybiometricexperts todescribe theusesofbiometric characteristics,onecaninferthat“allowing”referstoestablishingtheidentityofanindividual(biometricidentification), whereas “confirming” refers to verifying his or her identity (identityverification). It is regrettable that the legaldefinition isnotmorerigorousanddoesnottakeintoaccountthepreciseterminologyusedinthecontextofbiometricrecognition.AscriticisedbyStalla-Bourdillon, the legaldefinitionscontained in theGDPRdonot reflecttechnologicalpractices.78Inherstudy,Kindthasalsoemphasizedtheimportanceofusingthecorrecttechnicalterminologytounderstandthediscussionsaboutbiometricdata.79Onapositivenote,oneshouldobservethatthecurrentlegaldefinitionof‘biometricdata’is much improved in comparison to the one originally proposed by the EuropeanCommission. The definition contained in the proposals of the Data Protection ReformPackage only mentioned the function of ‘biometric identification’ and omitted that of‘identityverification’.80

c. UniqueIdentificationThe phrase ‘unique identification’ raises some terminological issues. Should it beunderstood as setting up the threshold of identification to bemet by biometric data aspersonal data? Or should it be understood as referring to the ‘biometric identification’functionofbiometricdata?ThewordingofRecital51castsdoubtontheexactmeaningofthiscriterion.Biometricdataaredefinedasa legal categoryofpersonaldata. It is therefore logical tolookattheterm‘uniqueidentification’throughthelensofthedefinitionofpersonaldata.Fromthatperspective, ‘unique identification’ refers to themeaningof identification inadataprotectioncontext.AsdefinedinArticle4(1)GDPR,dataarepersonaliftheyrelateto78Sophie Stalla-Bourdillon, ‘The GDPR and The BiggestMess of All:Why Accurate Legal Definitions ReallyMatter…’ (blogpostonPeepBeep,12 April 2016) <https://peepbeep.wordpress.com/2016/04/12/the-gdpr-and-the-biggest-mess-of-all-why-accurate-legal-definitions-really-matter/>accessed30May2016.79Kindt(n23)42.80EuropeanCommission,ProposalfortheGDPR(n17),art4(11)readsasfollows:“‘biometricdata'meansanydata relating to thephysical, physiological orbehavioural characteristicsof an individualwhichallow theiruniqueidentification,suchasfacialimages,ordactyloscopicdata.”

an identified or identifiable individual. The threshold of identification is low, since anindividualonlyneeds tobe identifiable.But that threshold ismuchhigher forbiometricdata.AssuggestedbyKotschyinherinterpretationofArticle2(a)oftheDataProtectionDirective, ‘unique identification’ is the ‘highest degree of identification.’ 81 As aconsequence, biometric datamust relate to an identified individual to legally qualify asbiometric data. The adjective ‘unique’ is not defined. It couldmean that biometric datahavesuchparticularitiesthattheycan‘unambiguously’identifyanindividual.Theycan,inparticular, linkanindividualtohisorherbody.Butitwouldnotbeaccuratetosaythat,for this reason, biometric data are unique to each individual and allow their uniqueidentification.Fromascientificperspective,the‘uniqueness’ofbiometriccharacteristicsisan assumption that forensic experts have challenged.82It has indeed never beenscientifically demonstrated that two individuals do not have the same fingerprints.83Inaddition, the results on which the identification is performed are relative. Biometricrecognition is indeed based on measurements and probabilities of similarities (ordissimilarities).Theresultsobtainedfromthecomparisonofbiometricdataaresubjecttoerrors,inparticulartofalseidentification.84Assuch,biometricdatacannothavethesamefunctionasa(static)uniqueidentificationnumber.TheEDPShasadvisedagainsttheuseof biometric data as unique identifiers, because of the probabilistic nature of biometrictechnologies.85Followingthatinterpretation,anindividualwouldonlybeidentifiedifhisorherbiometriccharacteristicsmatch previously recorded biometric data. In a case of a non-match, theindividualremainsunidentified.However,heorshecouldstillbeidentifiable,i.e.heorshecouldbe identifiedbyadifferententity than thedatacontroller.86This is thecasewhenbiometricdatacanbematchedwithotherdatakeptinadatabasedifferentfromtheoneconsultedforcomparison,especiallyinascenarioofidentityverification.Inthatcase,theindividualwouldbeidentifiable.However,those‘biometric’datarelatingtoanidentifiableindividualwouldnotlegallyqualifyas‘biometricdata’.Theywouldhoweverbepersonaldata,providedtheyfulfiltheotherconditionsapplicabletopersonaldataingeneral.

81Kotschy(n44)35.82Forexample,MarkPage,JaneTaylor,andMattBlenkin,‘UniquenessintheForensicIdentificationSciences:FactorFiction?’ (2011)206 (1-3)ForensicScience International12;DavidKaye, ‘QuestioningaCourtroomProof of the Uniqueness of Fingerprints’ (2003) 71 (3) International Statistical Review 521;Michael Saks,‘ForensicIdentification:FromaFaith-Based‘Science’toaScientificScience’(2010)201(1-3)ForensicScienceInternational14.83SimonCole, ‘IsFingerprint IdentificationValid?RhetoricsofReliability inFingerprintProponents’ (2006)28(1)Law&Policy109.84For example, BioPrivacy, International Biometric Group, which developed Best Practices, see FAQs ‘AreBiometricsUniqueIdentifiers?’<http://www.bioprivacy.org>accessed30May2016.85EDPS, ‘Comments on the Communication of the Commission on interoperability of European databases’[2006] <https://edps.europa.eu/sites/edp/files/publication/06-03-10_interoperability_en.pdf > accessed 30May2016;EDPS,‘OpinionoftheEuropeanDataProtectionSupervisorontheInitiativeoftheFederalRepublicofGermany,withaviewtoadoptingaCouncilDecisionontheimplementationofDecision2007/…/JHAonthesteppingupofcross-bordercooperation,particularlyincombatingterrorismandcross-bordercrime’[2008]OJC89/1.86Recital26GDPR.

72

Chapter 3

But a second meaning could be attributed to the term ‘unique identification’. One canwonder if ‘unique identification’ shouldnotbe interpretedasreferring to the ‘biometricidentification’ function of biometric data. In Recital 51 GDPR, ‘unique identification’ isusedinoppositionto‘authentication’,whileclarifyingtheconditionsunderwhichpicturesqualifyas‘biometricdata.’Recital51providesthat:

The processing of photographs should not systematically be considered to beprocessing of special categories of personal data as they are covered by thedefinition of biometric data only when processed through a specific technicalmeansallowingtheuniqueidentificationorauthenticationofanaturalperson.

Theterm‘authentication’isnotclarified.However,itwouldbereasonabletoconsiderthatthe EU institutions have used it as a synonym for ‘verification’. In Opinion 3/2012 ondevelopmentsofbiometrictechnologies,theA29WPusedverificationandauthenticationassynonyms.InthatOpinion,theA29WPdefinedthefunctionof‘identityverification’as‘biometricverification/authentication’.87Asmentionedearlier, theuseof ‘authentication’torefertothefunctionalitiesofbiometricsystemsisnotaccurate.However,ifinRecital51GDPR, authentication means ‘identity verification’, should ‘unique identification’ beunderstood as referring to ‘biometric identification’? This interpretation would beinconsistentwith the legal definition of biometric data. In addition, since the notion ofbiometric data is approached from a legal perspective in the GDPR, the term ‘uniqueidentification’ should logically refer to the threshold of identification of biometric data(beingpersonal data) andnot to their ‘biometric identification’ function.One could stillnote the inconsistency of wording (and then meaning) between Recital 51 GDPR andArticle4(14)GDPR.

FacialImagesandDactyloscopicDataasExamplesBiometric characteristics are not themselves considered to be biometric data. Only thepersonaldata‘resulting’fromtheirprocessingqualifyasbiometricdata.Thus,itisnotthefaceofanindividual,buttheimagesofhisorherface(pictures)thatwouldbeclassifiedasbiometricdata.Likewise,itisnothisorherfingertip,butafingerprintimagethatwillbeclassified as biometric data. This is a logical conclusion since ‘biometric data’ as legallydefined are first of all ‘personal data’. To be protected under the data protection rules,personal data need to be, at least, part of a filing system or processed by automaticmeans.88The biometric characteristics themselves cannot be processed. Only the datageneratedfromthosecharacteristicscan.Thelegaldefinitionof‘biometricdata’givestwoexamplesofthosedata:facialimagesanddactyloscopic data. Concerning facial images, not all the photographs will qualify as‘biometricdata’,butonlytheonesthat‘allowtheuniqueidentificationorauthenticate’an

87A29WP,Opinion3/2012(n8)6.88art2(1)GDPRandart3(1)oftheDataProtectionDirective.

66

individual will.89To determine whether a facial image is fit for biometric recognition,different factors or parameters should be taken into account, such as light, exposure,locationortheresolutionof thecamera.90Theseparametersare logicallynotdetailed intheGDPR,astheyarelinkedtothetechnologicaldevelopmentsinfacerecognition.Asfordactyloscopicdata,theGDPRcontainsnoreferenceordefinition.Anotherlegislativeinstrument on the cross-border exchange of DNA profiles and fingerprints to fightterrorismandcrime, thePrümDecision,providesadefinition.Dactyloscopicdata in theGDPRcouldbeunderstoodasdefinedinArticle2(i)ofthePrümDecision,i.e.ascovering‘fingerprint images, images of fingerprint latents, palm prints, palm prints latents andtemplatesofsuchimages.’91Theanalysisof thedifferent componentsof the legal conceptof ‘biometricdata’ revealsthat only personal data resulting from a special processing of biometric characteristicsand relating to an identified individual will qualify as ‘biometric personal data’. Whenthosedatauniquelyidentifyanindividual,theywillbenefitfromtheprotectiongrantedtosensitivedata.Thisspecialregimeistheissueaddressedinthenextsection.

TheRegimeforSensitiveDataApplicabletotheProcessingofBiometricData

Sensitivedata(designatedundertheterm‘specialcategoriesofdata’)92areacategoryofpersonaldatathatnecessitateahigherdegreeofprotectionbecauseoftheconsequencesthat their misuse would have on individuals.93The consequences are considered sodamageablethattheirprocessingisprohibitedunlessanexceptionapplies.Theregimeofsensitive data is defined in Article 8 of the Data Protection Directive.94This provisioncontainsanexhaustive listofsensitivedata,whichare ‘personaldatarevealingracialorethnic origin, political opinions, religious or philosophical beliefs, trade-unionmembership,andtheprocessingofdataconcerninghealthorsexlife.’TheDataProtectionReformPackagehasaddedbiometricdatatothelistofsensitivedata.According to Article 9(1) GDPR, the processing of biometric data ‘for the purpose ofuniquelyidentifyinganaturalperson’isprohibited,unlessoneoftheexceptionssetoutin

89Recital51GDPR.90Facerecognitionisbasedonindividual’sdistinctivefacialcharacteristics,forguidanceonfacerecognition,see for example EDPS, ‘Video Surveillance Guidelines’ [2010], and A29WP, ‘Opinion 02/2012 on facialrecognitioninonlineandmobileservices’[2012]WP192.91Council Decision 2008/615/JHA of 23 June 2008 on the stepping up of cross-border cooperation,particularlyincombatingterrorismandcross-bordercrime[2008]OJL210/1(PrümDecision).92art8oftheDataProtectionDirectiveandart9GDPR.93A29WP,‘AdvicePaperonSpecialCategoriesofData(‘SensitiveData’)’Ref.Ares(2011)444105[2011].94art8(1)of theDataProtectionDirectivereadsas follows: ‘MemberStatesshallprohibit theprocessingofpersonaldatarevealingracialorethnicorigin,politicalopinions,religiousorphilosophicalbeliefs,trade-unionmembership,andtheprocessingofdataconcerninghealthorsexlife’;art8(2)oftheDataProtectionDirectiveprovidesforsomeexceptionstothegeneralprohibitionofprocessing.

73

3


But a second meaning could be attributed to the term ‘unique identification’. One canwonder if ‘unique identification’ shouldnotbe interpretedasreferring to the ‘biometricidentification’ function of biometric data. In Recital 51 GDPR, ‘unique identification’ isusedinoppositionto‘authentication’,whileclarifyingtheconditionsunderwhichpicturesqualifyas‘biometricdata.’Recital51providesthat:

The processing of photographs should not systematically be considered to beprocessing of special categories of personal data as they are covered by thedefinition of biometric data only when processed through a specific technicalmeansallowingtheuniqueidentificationorauthenticationofanaturalperson.

Theterm‘authentication’isnotclarified.However,itwouldbereasonabletoconsiderthatthe EU institutions have used it as a synonym for ‘verification’. In Opinion 3/2012 ondevelopmentsofbiometrictechnologies,theA29WPusedverificationandauthenticationassynonyms.InthatOpinion,theA29WPdefinedthefunctionof‘identityverification’as‘biometricverification/authentication’.87Asmentionedearlier, theuseof ‘authentication’torefertothefunctionalitiesofbiometricsystemsisnotaccurate.However,ifinRecital51GDPR, authentication means ‘identity verification’, should ‘unique identification’ beunderstood as referring to ‘biometric identification’? This interpretation would beinconsistentwith the legal definition of biometric data. In addition, since the notion ofbiometric data is approached from a legal perspective in the GDPR, the term ‘uniqueidentification’ should logically refer to the threshold of identification of biometric data(beingpersonal data) andnot to their ‘biometric identification’ function.One could stillnote the inconsistency of wording (and then meaning) between Recital 51 GDPR andArticle4(14)GDPR.

FacialImagesandDactyloscopicDataasExamplesBiometric characteristics are not themselves considered to be biometric data. Only thepersonaldata‘resulting’fromtheirprocessingqualifyasbiometricdata.Thus,itisnotthefaceofanindividual,buttheimagesofhisorherface(pictures)thatwouldbeclassifiedasbiometricdata.Likewise,itisnothisorherfingertip,butafingerprintimagethatwillbeclassified as biometric data. This is a logical conclusion since ‘biometric data’ as legallydefined are first of all ‘personal data’. To be protected under the data protection rules,personal data need to be, at least, part of a filing system or processed by automaticmeans.88The biometric characteristics themselves cannot be processed. Only the datageneratedfromthosecharacteristicscan.Thelegaldefinitionof‘biometricdata’givestwoexamplesofthosedata:facialimagesanddactyloscopic data. Concerning facial images, not all the photographs will qualify as‘biometricdata’,butonlytheonesthat‘allowtheuniqueidentificationorauthenticate’an

87A29WP,Opinion3/2012(n8)6.88art2(1)GDPRandart3(1)oftheDataProtectionDirective.

66

individual will.89To determine whether a facial image is fit for biometric recognition,different factors or parameters should be taken into account, such as light, exposure,locationortheresolutionof thecamera.90Theseparametersare logicallynotdetailed intheGDPR,astheyarelinkedtothetechnologicaldevelopmentsinfacerecognition.Asfordactyloscopicdata,theGDPRcontainsnoreferenceordefinition.Anotherlegislativeinstrument on the cross-border exchange of DNA profiles and fingerprints to fightterrorismandcrime, thePrümDecision,providesadefinition.Dactyloscopicdata in theGDPRcouldbeunderstoodasdefinedinArticle2(i)ofthePrümDecision,i.e.ascovering‘fingerprint images, images of fingerprint latents, palm prints, palm prints latents andtemplatesofsuchimages.’91Theanalysisof thedifferent componentsof the legal conceptof ‘biometricdata’ revealsthat only personal data resulting from a special processing of biometric characteristicsand relating to an identified individual will qualify as ‘biometric personal data’. Whenthosedatauniquelyidentifyanindividual,theywillbenefitfromtheprotectiongrantedtosensitivedata.Thisspecialregimeistheissueaddressedinthenextsection.

TheRegimeforSensitiveDataApplicabletotheProcessingofBiometricData

Sensitivedata(designatedundertheterm‘specialcategoriesofdata’)92areacategoryofpersonaldatathatnecessitateahigherdegreeofprotectionbecauseoftheconsequencesthat their misuse would have on individuals.93The consequences are considered sodamageablethattheirprocessingisprohibitedunlessanexceptionapplies.Theregimeofsensitive data is defined in Article 8 of the Data Protection Directive.94This provisioncontainsanexhaustive listofsensitivedata,whichare ‘personaldatarevealingracialorethnic origin, political opinions, religious or philosophical beliefs, trade-unionmembership,andtheprocessingofdataconcerninghealthorsexlife.’TheDataProtectionReformPackagehasaddedbiometricdatatothelistofsensitivedata.According to Article 9(1) GDPR, the processing of biometric data ‘for the purpose ofuniquelyidentifyinganaturalperson’isprohibited,unlessoneoftheexceptionssetoutin

89Recital51GDPR.90Facerecognitionisbasedonindividual’sdistinctivefacialcharacteristics,forguidanceonfacerecognition,see for example EDPS, ‘Video Surveillance Guidelines’ [2010], and A29WP, ‘Opinion 02/2012 on facialrecognitioninonlineandmobileservices’[2012]WP192.91Council Decision 2008/615/JHA of 23 June 2008 on the stepping up of cross-border cooperation,particularlyincombatingterrorismandcross-bordercrime[2008]OJL210/1(PrümDecision).92art8oftheDataProtectionDirectiveandart9GDPR.93A29WP,‘AdvicePaperonSpecialCategoriesofData(‘SensitiveData’)’Ref.Ares(2011)444105[2011].94art8(1)of theDataProtectionDirectivereadsas follows: ‘MemberStatesshallprohibit theprocessingofpersonaldatarevealingracialorethnicorigin,politicalopinions,religiousorphilosophicalbeliefs,trade-unionmembership,andtheprocessingofdataconcerninghealthorsexlife’;art8(2)oftheDataProtectionDirectiveprovidesforsomeexceptionstothegeneralprohibitionofprocessing.

74

Chapter 3

Article9(2)GDPRapplies.BeforetheadoptionoftheDataProtectionReformPackage,thedebatearoundthenatureofbiometricdata fromadataprotectionperspectiverevolvedaround their content (i.e. whether they could reveal sensitive information) and theirqualification (whether they could be considered themselves as sensitive data). Thissectionanalysesthedifferentissuesandassessesthenewconditionaddedtotriggertheprotectiongrantedtosensitivedata.

1. DebatebeforetheAdoptionoftheDataProtectionReformPackageFormany years, themain issue about the sensitive nature of biometric data concernedtheir capacity to reveal sensitive data in the sense of Article 8 of the Data ProtectionDirective.Amongthelistedsensitivedata, ‘dataconcerninghealth’or ‘revealingracialorethnic origin’ are of particular interestwhen it relates to the content of biometric data.Several scientific studies on fingerprints have indeed shown that biometric data couldrevealthistypeofsensitivedata.Medicalresearchhasinparticulardemonstratedthatthepatternof fingerprint’sridgescanindicateariskof illnesses(suchasdiabetes).95Recentstudieshavealsofoundthatfingerprintpatternsencodeinformationaboutanindividual’sancestralbackground(ethnicity).96The A29WP and the EDPS have also expressed their opinion on the topic. In Opinion3/2012, the A29WP considered that ‘some biometric data’, such as facial images couldreveal sensitive data relating to health condition or ethnic/racial origin, but in thatOpinion theWorkingParty did not qualify biometric data as sensitive data.97As for theEDPS, in severalopinions relating to theprocessingofbiometricdata forpassportsandtravel documents, it viewed biometric data as being ‘highly’98or ‘inherently sensitive,’99becauseof their characteristics andnot becauseof the sensitive information they couldreveal.Basedonthoseopinions,theAdvocateGeneralMengozziinCaseC-291/12onthevalidityofthePassportRegulation(CouncilRegulation2252/2004)statedthatbiometricdataaresensitivedatabynature.100Onthisspecificpoint, theEuropeanCourtof Justicedidnot followhis opinion. TheCourt, however, ruled that ‘biometric data’ are personaldatabecause‘theyobjectivelycontainuniqueinformationaboutindividualswhichallowsthoseindividualstobeidentifiedwithprecision.’101Ontheformatsofbiometricdata,theA29WPhasnotsaidmuch,although,in2003,itdidstatethatitconsideredthatimagesaremoresusceptibletorevealsensitivedatathanthe95InparticularHenrySKahnet al, ‘AFingerprintMarker fromEarlyGestationAssociatedwithDiabetes inMiddleAge:theDutchHungerWinterFamiliesStudy’(2009)38(1)InternationalJournalofEpidemiology101.96NicholeAFournierandAnnHRoss, ‘Sex,Ancestral,andPatternTypeVariationofFingerprintMinutiae:aForensicPerspectiveonAnthropologicalDermatoglyphics’(2015)AmericanJournalofPhysicalAnthropology,onlineaccess23September2015.97A29WP,WorkingDocumentonBiometrics(n7)10.98EDPS, ‘Opinionof23March2005ontheProposal foraRegulationoftheEuropeanParliamentandoftheCouncil concerning theVisa InformationSystem(VIS)and theexchangeofdatabetweenMemberStatesonshortstay-visas’(COM(2004)835final),Section3.4.2SpecificNatureofBiometrics[2005]OJL181/13.99EDPS,Opinionof19October2005onthethreeSISIIproposals,Section4.1Biometrics[2005]OJC91/38.100C-291/12,MichaelSchwarzvStadtBochum[2013]EU:C:2013:401,OpinionofAGMengozzi,para52.101C-291/12,MichaelSchwarzvStadtBochum[2013]EU:C:2013:670.

templatesthemselves.102Itsanalysiswasbasedonthebeliefsthatabiometricimagecouldnotbe regenerated fromabiometric template.103InOpinion3/2012, theWorkingPartydidnotamenditsposition,althoughbythattimeitwasknownthatbiometrictemplatescouldbepartiallyreversible.Havingsaidthis,itisnotsurefromascientificpointofviewthatsensitiveinformationcanbederivedfrombiometrictemplates.Accordingtothestateoftheartinbiometricrecognition,abiometricimagecanpartiallybereconstructedfromabiometric template.104Fromthatreconstructed image,and intheabsenceofresearchonthisissue,105itishowevernotcertainthatsensitiveinformationcanbeidentified.Inlegalliterature,theanalysisbyYueLuionthespecificnatureofbiometricdataprovidessomeinterestinginsights.BasedonadecisionoftheNorwegianDataProtectionAuthorityontheuseofCCTVinbuses,YueLuiexplainsthatsomeviewbiometricdataas‘carriers’ofpersonaldataandnotas ‘sensitivedata’ themselves.However, theybecomesensitive incase they are ‘processed with the intention or consequence of generating sensitiveinformation,suchashealth,geneticorracialinformation.’106Thus,itisthecontextoftheuseofbiometricdatathatwouldconditiontheapplicationoftheregimeofsensitivedata.Atthesametime,YueLuistatesthatsheisnotconvincedbythisreasoning.Sheexplainsthatthestatusofbiometricdatashouldnotbelinkedtothesensitivedatatheycanreveal,buttotheirowncharacteristics.AccordingtoYueLui,becausebiometricdatacanbeusedas ‘relatively unique and universal ‘key data’ for getting all kinds of personalinformation,’107theyshouldbeconsidered“as‘sensitivepersonaldata’ingeneral.”

2. PurposeofProcessingasaNewConditiontoApplytheRegimeofSensitiveData

Discussions on the specific nature of biometric data were revived during the publicconsultations that preceded the launch of the proposals of the new data protectionframework. Between 2009 and 2011, the European Commission consulted nationalauthorities and stakeholders on the future of the data protection regime.108Several ofthesementionedthe issueof thespecificnatureofbiometricdataandsuggestedaddingthem to the list of sensitive data.109However, in the proposals on the Data Protection

102A29WP,WorkingDocumentonBiometrics(n7)10.103ibid, ‘whether a processing contains sensitive data is a question of appreciation linkedwith the specificbiometriccharacteristicusedandthebiometricapplicationitself.Itismorelikelytobethecaseifbiometricdataintheformofimagesareprocessed,sinceinprincipletherawdata[understoodhereasimage]maynotbereconstructedfromthetemplate.’104CaoandJain(n64).105Tothebestofthisauthor’sknowledge.106YueLui,Bio-Privacy:PrivacyRegulationsandtheChallengeofBiometrics(Routledge2012),120.107ibid121.108EuropeanCommission(n16).109eganswersfromDatatilsynet,theNorwegianDataProtectionAuthority<http://ec.europa.eu/justice/news/consulting_public/0006/contributions/public_authorities/datatilsynet_en.pdf>accessed30May2016;orfromPrivacyInternational<http://ec.europa.eu/justice/news/consulting_public/0006/contributions/organisations/pi_en.pdf>accessed30May2016.

75

3


Article9(2)GDPRapplies.BeforetheadoptionoftheDataProtectionReformPackage,thedebatearoundthenatureofbiometricdata fromadataprotectionperspectiverevolvedaround their content (i.e. whether they could reveal sensitive information) and theirqualification (whether they could be considered themselves as sensitive data). Thissectionanalysesthedifferentissuesandassessesthenewconditionaddedtotriggertheprotectiongrantedtosensitivedata.

1. DebatebeforetheAdoptionoftheDataProtectionReformPackageFormany years, themain issue about the sensitive nature of biometric data concernedtheir capacity to reveal sensitive data in the sense of Article 8 of the Data ProtectionDirective.Amongthelistedsensitivedata, ‘dataconcerninghealth’or ‘revealingracialorethnic origin’ are of particular interestwhen it relates to the content of biometric data.Several scientific studies on fingerprints have indeed shown that biometric data couldrevealthistypeofsensitivedata.Medicalresearchhasinparticulardemonstratedthatthepatternof fingerprint’sridgescanindicateariskof illnesses(suchasdiabetes).95Recentstudieshavealsofoundthatfingerprintpatternsencodeinformationaboutanindividual’sancestralbackground(ethnicity).96The A29WP and the EDPS have also expressed their opinion on the topic. In Opinion3/2012, the A29WP considered that ‘some biometric data’, such as facial images couldreveal sensitive data relating to health condition or ethnic/racial origin, but in thatOpinion theWorkingParty did not qualify biometric data as sensitive data.97As for theEDPS, in severalopinions relating to theprocessingofbiometricdata forpassportsandtravel documents, it viewed biometric data as being ‘highly’98or ‘inherently sensitive,’99becauseof their characteristics andnot becauseof the sensitive information they couldreveal.Basedonthoseopinions,theAdvocateGeneralMengozziinCaseC-291/12onthevalidityofthePassportRegulation(CouncilRegulation2252/2004)statedthatbiometricdataaresensitivedatabynature.100Onthisspecificpoint, theEuropeanCourtof Justicedidnot followhis opinion. TheCourt, however, ruled that ‘biometric data’ are personaldatabecause‘theyobjectivelycontainuniqueinformationaboutindividualswhichallowsthoseindividualstobeidentifiedwithprecision.’101Ontheformatsofbiometricdata,theA29WPhasnotsaidmuch,although,in2003,itdidstatethatitconsideredthatimagesaremoresusceptibletorevealsensitivedatathanthe95InparticularHenrySKahnet al, ‘AFingerprintMarker fromEarlyGestationAssociatedwithDiabetes inMiddleAge:theDutchHungerWinterFamiliesStudy’(2009)38(1)InternationalJournalofEpidemiology101.96NicholeAFournierandAnnHRoss, ‘Sex,Ancestral,andPatternTypeVariationofFingerprintMinutiae:aForensicPerspectiveonAnthropologicalDermatoglyphics’(2015)AmericanJournalofPhysicalAnthropology,onlineaccess23September2015.97A29WP,WorkingDocumentonBiometrics(n7)10.98EDPS, ‘Opinionof23March2005ontheProposal foraRegulationoftheEuropeanParliamentandoftheCouncil concerning theVisa InformationSystem(VIS)and theexchangeofdatabetweenMemberStatesonshortstay-visas’(COM(2004)835final),Section3.4.2SpecificNatureofBiometrics[2005]OJL181/13.99EDPS,Opinionof19October2005onthethreeSISIIproposals,Section4.1Biometrics[2005]OJC91/38.100C-291/12,MichaelSchwarzvStadtBochum[2013]EU:C:2013:401,OpinionofAGMengozzi,para52.101C-291/12,MichaelSchwarzvStadtBochum[2013]EU:C:2013:670.

templatesthemselves.102Itsanalysiswasbasedonthebeliefsthatabiometricimagecouldnotbe regenerated fromabiometric template.103InOpinion3/2012, theWorkingPartydidnotamenditsposition,althoughbythattimeitwasknownthatbiometrictemplatescouldbepartiallyreversible.Havingsaidthis,itisnotsurefromascientificpointofviewthatsensitiveinformationcanbederivedfrombiometrictemplates.Accordingtothestateoftheartinbiometricrecognition,abiometricimagecanpartiallybereconstructedfromabiometric template.104Fromthatreconstructed image,and intheabsenceofresearchonthisissue,105itishowevernotcertainthatsensitiveinformationcanbeidentified.Inlegalliterature,theanalysisbyYueLuionthespecificnatureofbiometricdataprovidessomeinterestinginsights.BasedonadecisionoftheNorwegianDataProtectionAuthorityontheuseofCCTVinbuses,YueLuiexplainsthatsomeviewbiometricdataas‘carriers’ofpersonaldataandnotas ‘sensitivedata’ themselves.However, theybecomesensitive incase they are ‘processed with the intention or consequence of generating sensitiveinformation,suchashealth,geneticorracialinformation.’106Thus,itisthecontextoftheuseofbiometricdatathatwouldconditiontheapplicationoftheregimeofsensitivedata.Atthesametime,YueLuistatesthatsheisnotconvincedbythisreasoning.Sheexplainsthatthestatusofbiometricdatashouldnotbelinkedtothesensitivedatatheycanreveal,buttotheirowncharacteristics.AccordingtoYueLui,becausebiometricdatacanbeusedas ‘relatively unique and universal ‘key data’ for getting all kinds of personalinformation,’107theyshouldbeconsidered“as‘sensitivepersonaldata’ingeneral.”

2. PurposeofProcessingasaNewConditiontoApplytheRegimeofSensitiveData

Discussions on the specific nature of biometric data were revived during the publicconsultations that preceded the launch of the proposals of the new data protectionframework. Between 2009 and 2011, the European Commission consulted nationalauthorities and stakeholders on the future of the data protection regime.108Several ofthesementionedthe issueof thespecificnatureofbiometricdataandsuggestedaddingthem to the list of sensitive data.109However, in the proposals on the Data Protection

102A29WP,WorkingDocumentonBiometrics(n7)10.103ibid, ‘whether a processing contains sensitive data is a question of appreciation linkedwith the specificbiometriccharacteristicusedandthebiometricapplicationitself.Itismorelikelytobethecaseifbiometricdataintheformofimagesareprocessed,sinceinprincipletherawdata[understoodhereasimage]maynotbereconstructedfromthetemplate.’104CaoandJain(n64).105Tothebestofthisauthor’sknowledge.106YueLui,Bio-Privacy:PrivacyRegulationsandtheChallengeofBiometrics(Routledge2012),120.107ibid121.108EuropeanCommission(n16).109eganswersfromDatatilsynet,theNorwegianDataProtectionAuthority<http://ec.europa.eu/justice/news/consulting_public/0006/contributions/public_authorities/datatilsynet_en.pdf>accessed30May2016;orfromPrivacyInternational<http://ec.europa.eu/justice/news/consulting_public/0006/contributions/organisations/pi_en.pdf>accessed30May2016.

76

Chapter 3

ReformPackage,theEuropeanCommissiononlyadded‘geneticdata’tothelist.110Itwasinstead the European Parliament that added them to the list of sensitive data when itvotedontheproposals.111Intheadoptedtexts,biometricdatahavebeenupgradedtothecategoryofsensitivedata,undertheconditionthatthey‘uniquelyidentify’anindividual.Itis therefore the purpose of the processing (‘unique identification’) that will trigger theregimeapplicabletosensitivedata.Asexplained in theprevioussection, ‘unique identification’ isalsousedasacriterion toqualifyspecificpersonaldataas ‘biometricdata.’Contrarytotheothertypesofpersonaldatalistedinthecategoryofsensitivedata,‘biometricdata’arenottreatedassensitivebynaturebutbecomesensitiveastheresultoftheiruse.

PurposeofBiometricDataProcessingItisthereforethepurposeofbiometricdataprocessingthatdeterminestheapplicationoftheregimeofsensitivedata.Thepurposeisdefinedas‘uniquelyidentifyinganindividual.’As per the analysis made in the previous section, biometric data resulting from bothbiometric identification (establishment of the identity) and identity verification shouldqualify as sensitive data, provided they relate to an identified individual. Still, a doubtpersistsbecauseoftheambiguouswordingofRecital51GDPR.112If ‘allowingtheuniqueidentification’ refers to the biometric identification function and ‘allowing theauthentication’means ‘identityverification,’biometricdataused for identityverification(suchaspassport/IDverification)wouldbeexcludedfromthescopeofsensitivedata.But,as alreadyobserved,Recital51 is inconsistentwithArticle4(14)GDPR thatdefines thelegalconceptofbiometricdata.Thedefinitiondistinguishesthefunctionof ‘allowingtheunique identification’ (which covers the biometric identification function) from that of‘confirming the unique identification’ (which covers the identity verification function).Unique identification is then understood as the identity of an individual. Following thedefinition,biometricdataused forbiometricrecognition(identificationandverification)andlinkedtoanidentifiedindividualbenefitfromthestatusofsensitivedata.ItisdifficulttoreconstructtheintentionoftheEUlegislator:thenotionof‘biometricdata’was not included in the list of sensitive data contained in the proposals of the DataProtection Reform Package. Likewise, notmuch can be found in the discussions on theproposals either.The criterionof thepurposeof theprocessingwas indeed addedvery

110EuropeanCommission(n17),Art9(1)oftheproposedGDPRreadsasfollows:‘theprocessingofpersonaldata revealing raceorethnicorigin,politicalopinions, religionorbeliefs, trade-unionmembership, and theprocessing of genetic data or data concerning health or sex life or criminal convictions or related securitymeasuresshallbeprohibited.’111EuropeanParliament,legislativeresolutionontheproposalforaGDPR(COM(2012)0011-C7-0025/2012-2012/0011(COD)),Art9(1)of theamendedproposalofGDPRreadsas follows: ‘theprocessingofpersonaldata,revealingraceorethnicorigin,politicalopinions,religionorphilosophicalbeliefs,sexualorientationorgender identity, trade-unionmembership and activities, and the processing of genetic or biometric data ordata concerning health or sex life, administrative sanctions, judgments, criminal or suspected offences,convictionsorrelatedsecuritymeasuresshallbeprohibited.’(P7_TA(2014)0212)[2014].112Recital51GDPR.

late in the trilogue negotiations on the Data Protection Reform Package:113neither theresolutions on the proposals adopted by the European Parliament nor the politicalagreements reachedby theCouncilmentioned thecriterion. It canhoweverbe found inthe draft version of modernisation of Convention 108.114The draft Convention iscompleted with a Draft Explanatory Report. The 2013 Draft mentions that ‘solely theprocessingwhichwillleadtotheuniqueidentificationofanindividual’is‘tobeconsideredassensitive.’115TheDraftalsocontainstheexampleofphotographs,reproducedinRecital51GDPR,andprovides theconditionsunderwhichpicturesshouldconstitutebiometricdata.The trilogueat theEU levelseems tohavealigned the textsof theDataProtectionReformPackagewiththedraftrevisionofConvention108.

SensitiveDatabyReasonoftheirNatureItisquestionablewhetherbiometricdatashouldnothavebeentreated‘sensitivedata’byreasonoftheirnatureandnotbecauseoftheirpurposeofuse.IntheoriginalproposalsoftheDataProtectionReformPackage,theEuropeanCommissiondidnotaddbiometricdatato the list of sensitive data, but only genetic data.116It justified the addition of ‘geneticdata’ by reference to the ruling of theEuropeanCourt ofHumanRights (ECtHR) inS&MarpervUK.117In that case, relating to the retention of DNA samples, fingerprints andcellularsamplesofpersonssuspectedbutneverconvicted,theCourtruledonthesensitivenature of DNA information. It found that their sensitivity was linked to theircharacteristics–i.e.thepossibilitythatDNAinformationcouldrevealethnicorigin118andfamilygeneticmakeup.119TheECtHRdidnotfollowthesameapproachandreasoningforfingerprints,astheCourtconsidered‘commongroundthatfingerprintsdonotcontainasmuch information as either cellular samples or DNA profiles.’120The judgement wasrendered in 2008when fingerprint recognition technologieswere less developed. Sincethat time, some scientific studies have shown that sensitive information, such asethnicity121and illnesses122can possibly be derived from fingerprints. It can be argued

113ThepoliticalagreementsreachedbytheCouncilonthetextof theGeneralDataProtectionRegulation inJune2015andonthetextoftheDirectiveondataprotectionforlawenforcementpurposesdidnotmentionbiometricdatainthelistofsensitivedata.114CouncilofEurope,ConsultativeCommitteeofConvention108fortheprotectionofIndividualswithregardtoautomaticprocessingofpersonaldata(ETSNo.108),Propositionsofmodernisationadoptedbythe29thPlenarymeeting(T-PD(2012)4Rev4)[2012];themodernisationprocessstartedin2011andisstillongoing.115CouncilofEurope,BureauoftheConsultativeCommitteeofConvention108,‘DraftExplanatoryReportoftheModernisedVersionofConvention108’,T-PD-BUR(2013)3ENrev,para56.116EuropeanCommission,proposalfortheGDPR(n17)andproposalfortheDirectiveonlawenforcement(n18).117See SandMarpervUnitedKingdom [2008] ECHR 1581, and European Commission, ‘Impact AssessmentaccompanyingthedocumentRegulationof theEuropeanParliamentandof theCouncilontheprotectionofindividualswithregard to theprocessingofpersonaldataandon the freemovementofsuchdata (GeneralDataProtectionRegulation)andDirectiveoftheEuropeanParliamentandoftheCouncilontheprotectionofindividuals with regard to the processing of personal data by competent authorities for the purposes ofprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andthefreemovementofsuchdata’,Brussels,25January2012,SEC(2012),55.118SandMarpervUK,para76.119ibidpara103.120ibidpara78.121A29WP,Opinion02/2012(n90);Fournieretal(n96).122Kahnetal(n95).

77

3


ReformPackage,theEuropeanCommissiononlyadded‘geneticdata’tothelist.110Itwasinstead the European Parliament that added them to the list of sensitive data when itvotedontheproposals.111Intheadoptedtexts,biometricdatahavebeenupgradedtothecategoryofsensitivedata,undertheconditionthatthey‘uniquelyidentify’anindividual.Itis therefore the purpose of the processing (‘unique identification’) that will trigger theregimeapplicabletosensitivedata.Asexplained in theprevioussection, ‘unique identification’ isalsousedasacriterion toqualifyspecificpersonaldataas ‘biometricdata.’Contrarytotheothertypesofpersonaldatalistedinthecategoryofsensitivedata,‘biometricdata’arenottreatedassensitivebynaturebutbecomesensitiveastheresultoftheiruse.

PurposeofBiometricDataProcessingItisthereforethepurposeofbiometricdataprocessingthatdeterminestheapplicationoftheregimeofsensitivedata.Thepurposeisdefinedas‘uniquelyidentifyinganindividual.’As per the analysis made in the previous section, biometric data resulting from bothbiometric identification (establishment of the identity) and identity verification shouldqualify as sensitive data, provided they relate to an identified individual. Still, a doubtpersistsbecauseoftheambiguouswordingofRecital51GDPR.112If ‘allowingtheuniqueidentification’ refers to the biometric identification function and ‘allowing theauthentication’means ‘identityverification,’biometricdataused for identityverification(suchaspassport/IDverification)wouldbeexcludedfromthescopeofsensitivedata.But,as alreadyobserved,Recital51 is inconsistentwithArticle4(14)GDPR thatdefines thelegalconceptofbiometricdata.Thedefinitiondistinguishesthefunctionof ‘allowingtheunique identification’ (which covers the biometric identification function) from that of‘confirming the unique identification’ (which covers the identity verification function).Unique identification is then understood as the identity of an individual. Following thedefinition,biometricdataused forbiometricrecognition(identificationandverification)andlinkedtoanidentifiedindividualbenefitfromthestatusofsensitivedata.ItisdifficulttoreconstructtheintentionoftheEUlegislator:thenotionof‘biometricdata’was not included in the list of sensitive data contained in the proposals of the DataProtection Reform Package. Likewise, notmuch can be found in the discussions on theproposals either.The criterionof thepurposeof theprocessingwas indeed addedvery

110EuropeanCommission(n17),Art9(1)oftheproposedGDPRreadsasfollows:‘theprocessingofpersonaldata revealing raceorethnicorigin,politicalopinions, religionorbeliefs, trade-unionmembership, and theprocessing of genetic data or data concerning health or sex life or criminal convictions or related securitymeasuresshallbeprohibited.’111EuropeanParliament,legislativeresolutionontheproposalforaGDPR(COM(2012)0011-C7-0025/2012-2012/0011(COD)),Art9(1)of theamendedproposalofGDPRreadsas follows: ‘theprocessingofpersonaldata,revealingraceorethnicorigin,politicalopinions,religionorphilosophicalbeliefs,sexualorientationorgender identity, trade-unionmembership and activities, and the processing of genetic or biometric data ordata concerning health or sex life, administrative sanctions, judgments, criminal or suspected offences,convictionsorrelatedsecuritymeasuresshallbeprohibited.’(P7_TA(2014)0212)[2014].112Recital51GDPR.

late in the trilogue negotiations on the Data Protection Reform Package:113neither theresolutions on the proposals adopted by the European Parliament nor the politicalagreements reachedby theCouncilmentioned thecriterion. It canhoweverbe found inthe draft version of modernisation of Convention 108.114The draft Convention iscompleted with a Draft Explanatory Report. The 2013 Draft mentions that ‘solely theprocessingwhichwillleadtotheuniqueidentificationofanindividual’is‘tobeconsideredassensitive.’115TheDraftalsocontainstheexampleofphotographs,reproducedinRecital51GDPR,andprovides theconditionsunderwhichpicturesshouldconstitutebiometricdata.The trilogueat theEU levelseems tohavealigned the textsof theDataProtectionReformPackagewiththedraftrevisionofConvention108.

SensitiveDatabyReasonoftheirNatureItisquestionablewhetherbiometricdatashouldnothavebeentreated‘sensitivedata’byreasonoftheirnatureandnotbecauseoftheirpurposeofuse.IntheoriginalproposalsoftheDataProtectionReformPackage,theEuropeanCommissiondidnotaddbiometricdatato the list of sensitive data, but only genetic data.116It justified the addition of ‘geneticdata’ by reference to the ruling of theEuropeanCourt ofHumanRights (ECtHR) inS&MarpervUK.117In that case, relating to the retention of DNA samples, fingerprints andcellularsamplesofpersonssuspectedbutneverconvicted,theCourtruledonthesensitivenature of DNA information. It found that their sensitivity was linked to theircharacteristics–i.e.thepossibilitythatDNAinformationcouldrevealethnicorigin118andfamilygeneticmakeup.119TheECtHRdidnotfollowthesameapproachandreasoningforfingerprints,astheCourtconsidered‘commongroundthatfingerprintsdonotcontainasmuch information as either cellular samples or DNA profiles.’120The judgement wasrendered in 2008when fingerprint recognition technologieswere less developed. Sincethat time, some scientific studies have shown that sensitive information, such asethnicity121and illnesses122can possibly be derived from fingerprints. It can be argued

113ThepoliticalagreementsreachedbytheCouncilonthetextof theGeneralDataProtectionRegulation inJune2015andonthetextoftheDirectiveondataprotectionforlawenforcementpurposesdidnotmentionbiometricdatainthelistofsensitivedata.114CouncilofEurope,ConsultativeCommitteeofConvention108fortheprotectionofIndividualswithregardtoautomaticprocessingofpersonaldata(ETSNo.108),Propositionsofmodernisationadoptedbythe29thPlenarymeeting(T-PD(2012)4Rev4)[2012];themodernisationprocessstartedin2011andisstillongoing.115CouncilofEurope,BureauoftheConsultativeCommitteeofConvention108,‘DraftExplanatoryReportoftheModernisedVersionofConvention108’,T-PD-BUR(2013)3ENrev,para56.116EuropeanCommission,proposalfortheGDPR(n17)andproposalfortheDirectiveonlawenforcement(n18).117See SandMarpervUnitedKingdom [2008] ECHR 1581, and European Commission, ‘Impact AssessmentaccompanyingthedocumentRegulationof theEuropeanParliamentandof theCouncilontheprotectionofindividualswithregard to theprocessingofpersonaldataandon the freemovementofsuchdata (GeneralDataProtectionRegulation)andDirectiveoftheEuropeanParliamentandoftheCouncilontheprotectionofindividuals with regard to the processing of personal data by competent authorities for the purposes ofprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andthefreemovementofsuchdata’,Brussels,25January2012,SEC(2012),55.118SandMarpervUK,para76.119ibidpara103.120ibidpara78.121A29WP,Opinion02/2012(n90);Fournieretal(n96).122Kahnetal(n95).

78

Chapter 3

that,iftheECtHRweretoexaminetheissuenow,theCourtoughttotakeintoaccountthestateoftheartinfingerprintrecognitionandquestionwhether‘biometricdata’shouldnotbetreatedassensitivedatabecauseoftheirnature.123TheregimeofsensitivedatacontainedintheGDPRisquitesimilartotheoneset intheDataProtectionDirective.Thegeneralruleistheprohibitionofprocessingsensitivedataunless one of the exceptions listed in Article 9(2) GDPR applies.124The grounds forprocessingsensitivedataarebroadlysimilartothoseundertheDataProtectionDirective,with some additions made in the area of health. In application of Article 9(4) GDPR,Member States have the possibility to adopt other conditions or stricter rules to allowtheirprocessing.125

ConclusionsThelong-awaitedprovisionsofthenewdataprotectionframeworkbringsomecertaintieson the status of biometric data. They define the concept of biometric data taking intoaccountthetechnicalprocessingthroughwhichbiometriccharacteristicsaretransformedintodata.Equallyimportantly,thenewprovisionsalsograntthestatusofsensitivedatatobiometricdata.Butthosecertaintiesmightonlybeillusory.The legal definition of biometric data from a data protection perspective sets theconditions under which personal data can qualify as ‘biometric data’ and not theconditionsunderwhich ‘biometricdata’becomepersonaldata.Theconceptofbiometricdataisdefinedasatypeofpersonaldata.Thedefinitioncombinesthetechnicalcriteriaofbiometric data (e.g. the technical processing of biometric characteristics) with legalcriteriaapplicabletopersonaldata(e.g. the functionof ‘unique identification).However,thedefinitionlacksprecisenesswhenitaddressesthefunctionsof‘biometricrecognition’.The terminology used by the biometric community to describe these functions, i.e.biometric identificationand identityverification, isnot re-used in the legaldefinitionofbiometric data. Instead, one should deduce that the verbs ‘allowing’ and ‘confirming’respectively refer to the functionsof ‘biometric identification’ and ‘identity verification’.As for the criterion of ‘unique identification’, it sets the threshold of identificationapplicable to biometric data. Contrary to ‘generic’ personal data, biometric data mustrelate to an identified individual. The other ‘biometric data’, i.e. those that relate to an

123It could also be argued that biometric data and genetic data share several similarities from a dataprotection perspective:they both rely on permanent physiological characteristics for individual recognitionand theycanboth reveal sensitive information. Inaddition, severalnationaldataprotection laws (Slovenia,Slovakia) already include genetic data in the broader category of biometric data. Some authors (eg Kindt)support such a distinction on the ground that genetic data cannot be used for automatic recognition. Butscientificresearchinthefield(Jain)anticipatesthat‘inthenear-future’DNA-profilematchingmightbedoneinreal-timeoratleastwithinafewminutes.124art9(2)GDPRprovidesfortenexceptionsincludingexplicitconsent, legalobligationsofthecontrollerinthefieldofemploymentorsocialsecurityandprotectionofthevitalinterestsofthedatasubjectsorofanotherindividual.125art9(4)GDPRreadsas follows: ‘MemberStatesmaymaintainor introduce further conditions, includinglimitations,withregardtotheprocessingofgeneticdata,biometricdataordataconcerninghealth.’

identifiableindividual,donotlegallyqualifyasbiometricdata,butcanstillbeconsideredaspersonaldataiftheyfulfiltheothercriteriaapplicabletopersonaldata.Thenewdataprotection framework creates a new legal category of biometric data, which could bequalifiedof‘biometricpersonaldata’toreflecttheirnatureaspersonaldata.Thenewprovisionsalsoaddthecategoryofbiometricdatatothelistofsensitivedata,butnot by virtue of their nature. In the new regime, the purpose of processing (that is, touniquely identify an individual) determines the application of the regime of protection.Thisconditionisconnectedtothethresholdofidentificationapplicabletobiometricdata.However,takingintoaccountthestateoftheartinbiometrictechnologies,itisdebatablewhetherbiometricdatashouldratherhavebeentreatedassensitivebynature.

79

3


that,iftheECtHRweretoexaminetheissuenow,theCourtoughttotakeintoaccountthestateoftheartinfingerprintrecognitionandquestionwhether‘biometricdata’shouldnotbetreatedassensitivedatabecauseoftheirnature.123TheregimeofsensitivedatacontainedintheGDPRisquitesimilartotheoneset intheDataProtectionDirective.Thegeneralruleistheprohibitionofprocessingsensitivedataunless one of the exceptions listed in Article 9(2) GDPR applies.124The grounds forprocessingsensitivedataarebroadlysimilartothoseundertheDataProtectionDirective,with some additions made in the area of health. In application of Article 9(4) GDPR,Member States have the possibility to adopt other conditions or stricter rules to allowtheirprocessing.125

ConclusionsThelong-awaitedprovisionsofthenewdataprotectionframeworkbringsomecertaintieson the status of biometric data. They define the concept of biometric data taking intoaccountthetechnicalprocessingthroughwhichbiometriccharacteristicsaretransformedintodata.Equallyimportantly,thenewprovisionsalsograntthestatusofsensitivedatatobiometricdata.Butthosecertaintiesmightonlybeillusory.The legal definition of biometric data from a data protection perspective sets theconditions under which personal data can qualify as ‘biometric data’ and not theconditionsunderwhich ‘biometricdata’becomepersonaldata.Theconceptofbiometricdataisdefinedasatypeofpersonaldata.Thedefinitioncombinesthetechnicalcriteriaofbiometric data (e.g. the technical processing of biometric characteristics) with legalcriteriaapplicabletopersonaldata(e.g. the functionof ‘unique identification).However,thedefinitionlacksprecisenesswhenitaddressesthefunctionsof‘biometricrecognition’.The terminology used by the biometric community to describe these functions, i.e.biometric identificationand identityverification, isnot re-used in the legaldefinitionofbiometric data. Instead, one should deduce that the verbs ‘allowing’ and ‘confirming’respectively refer to the functionsof ‘biometric identification’ and ‘identity verification’.As for the criterion of ‘unique identification’, it sets the threshold of identificationapplicable to biometric data. Contrary to ‘generic’ personal data, biometric data mustrelate to an identified individual. The other ‘biometric data’, i.e. those that relate to an

123It could also be argued that biometric data and genetic data share several similarities from a dataprotection perspective:they both rely on permanent physiological characteristics for individual recognitionand theycanboth reveal sensitive information. Inaddition, severalnationaldataprotection laws (Slovenia,Slovakia) already include genetic data in the broader category of biometric data. Some authors (eg Kindt)support such a distinction on the ground that genetic data cannot be used for automatic recognition. Butscientificresearchinthefield(Jain)anticipatesthat‘inthenear-future’DNA-profilematchingmightbedoneinreal-timeoratleastwithinafewminutes.124art9(2)GDPRprovidesfortenexceptionsincludingexplicitconsent, legalobligationsofthecontrollerinthefieldofemploymentorsocialsecurityandprotectionofthevitalinterestsofthedatasubjectsorofanotherindividual.125art9(4)GDPRreadsas follows: ‘MemberStatesmaymaintainor introduce further conditions, includinglimitations,withregardtotheprocessingofgeneticdata,biometricdataordataconcerninghealth.’

identifiableindividual,donotlegallyqualifyasbiometricdata,butcanstillbeconsideredaspersonaldataiftheyfulfiltheothercriteriaapplicabletopersonaldata.Thenewdataprotection framework creates a new legal category of biometric data, which could bequalifiedof‘biometricpersonaldata’toreflecttheirnatureaspersonaldata.Thenewprovisionsalsoaddthecategoryofbiometricdatatothelistofsensitivedata,butnot by virtue of their nature. In the new regime, the purpose of processing (that is, touniquely identify an individual) determines the application of the regime of protection.Thisconditionisconnectedtothethresholdofidentificationapplicabletobiometricdata.However,takingintoaccountthestateoftheartinbiometrictechnologies,itisdebatablewhetherbiometricdatashouldratherhavebeentreatedassensitivebynature.

Chapter 4Law Enforcement Access to Personal Data

Originally Collected by Private Parties

82

Chapter4:LawEnforcementAccesstoPersonalDataOriginallyCollectedbyPrivateParties

MissingDataSubjects’SafeguardsinDirective2016/680?*Abstract:Accessbylawenforcementauthoritiestopersonaldatainitiallycollectedbyprivatepartiesfor commercial or operational purposes is very common, as shown by the transparencyreportsofnewtechnologycompaniesonlawenforcementrequests.Fromadataprotectionperspective, the scenario of law enforcement access is not necessarily well taken intoaccount.Theadoptionofthenewdataprotectionframeworkofferstheopportunitytoassesswhetherthenew ‘police’Directive,whichregulatestheprocessingofpersonaldatafor lawenforcementpurposes, offers sufficient safeguards to individuals.Tomake thisassessment,provisionscontainedinDirective2016/680aretestedagainstthestandardsestablishedbytheECJinDigitalRightsIrelandandTele2Sverigeontheretentionofdataandtheirfurtheraccessandusebypoliceauthorities.TheanalysisrevealsthatDirective2016/680doesnotcontain the safeguards identified in the case law. The paper further assesses the role andefficiencyoftheprincipleofpurposelimitationasasafeguardagainstrepurposinginalawenforcementcontext.Last,solutionstoovercometheshortcomingsofDirective2016/680areexaminedinconclusion.

IntroductionLawenforcementauthoritiesaroundtheglobehaveagrowingappetiteforpersonaldataheldbyprivatepartiesandinitiallycollectedforapurposedifferentthanlawenforcement.Many examples can illustrate this trend: the huge amount of law enforcement requestsmadetohigh-techcompaniesatglobal level,1thecaseof thetransferofpassengername

*ArticlepublishedintheComputerLaw&SecurityReview,volume34,issue1,February2018,pages154-165.The author would like to thank Prof JeanneMifsud Bonnici and Prof Laurence Gormley for their valuablecomments on an earlier draft, Christina Angelopoulos for kind suggestions as well as the anonymousreviewers;anyerrororomissionishoweverthesoleresponsibilityoftheauthor.1For the firsthalf-yearof2016,Microsoftreportedmore than25,000 lawenforcementrequests todisclosecontent,subscriberdataortransactionaldataatgloballevel,see<https://www.microsoft.com/about/csr/transparencyhub/lerr>comparewithApple’sandGoogle’sreportsfor thesameperiod,availableat respectively<images.apple.com/legal/privacy/transparency/request-2016-H1-en.pdf>and<https://www.google.com/transparencyreport/userdatarequest/countries/>Seealso,OlegAfonin,‘GovernmentRequestReports:Google,AppleandMicrosoft‘(ElcomSoftblog,16January2017)<https://blog.elcomsoft.com/2017/01/government-request-reports-google-apple-and-microsoft/>(alltheabovewebsiteswereaccessedon1August2017).

74

record data (air traveller data) to police authorities, 2 or the retention oftelecommunications data by Internet Service Providers (personal data retention) forfurtherusebylawenforcementauthorities.3Otherexamplesforwhichthenumberofrequestsforaccessmightnotbepubliclyknowncould follow.Given theircharacteristics,onecould thinkof thevalue thatsometypesofpersonal data have for law enforcement authorities. This is the case of biometric data(such as fingerprints),which have been used formanydecades by police authorities toidentify individuals.4Private parties rely more and more on biometric data to controlaccess to buildings, IT systems or applications. Several social media companies, e.g.Facebook,haveevenconstitutedbiometricdatabasesbasedonthe facial imagesof theirusers. In Europe, Facebook stopped facial recognition in 2012,whereas in the USA thecompany is still collecting such personal data.5Of course, Facebook has more personaldata than its users’ facial images: itmight alsoholdnames (real or alias), dateof birth,addresses, phone numbers, and any kind of personal information a user is willing toprovideunder theirprofile.All thesepersonal data, includingbiometricdata, constitutevaluable information for criminal intelligence and criminal investigation.6Criminalintelligenceisaformofsurveillancecarriedoutbylawenforcementauthoritiestogatherinformationaboutcrimeorcriminalactivitiesbeforetheiroccurrenceortoestablishtheiroccurrence.7It differs from criminal investigation, which corresponds to a proceduralstage in relation to concrete criminal activities.8These twoactivities are covered in thispaper.

2OnthePassengerNameRecord,seeInternationalCivilAviationOrganization,‘GuidelinesonPassengerNameRecord (PNR) Data’, Section 2.1.(1st edn, ICAO 2010) <https://www.iata.org/iata/passenger-data-toolkit/assets/doc_library/04-pnr/New%20Doc%209944%201st%20Edition%20PNR.pdf>accessed1August2017;seealsoDirective2016/681of27April2016ontheuseofpassengernamerecord(PNR)datafortheprevention,detection,investigationandprosecutionofterroristoffenceandseriouscrime[2016]OJL119/132.3SeeDirective2006/24/ECoftheEuropeanParliamentandoftheCouncilof15March2006ontheretentionof data generated or processed in connection with the provision of publicly available electroniccommunicationsservicesorofpubliccommunicationsnetworksandamendingDirective2002/58/EC[2006]OJL105/54.4eg Simon A Cole, Suspect Identities: AHistory of Fingerprinting andCriminal Investigation (Harvard PressUniversity2001).5It shouldbenoted that the collection, storage, retentionandsubsequentuseof facial imagesbyFacebookhave been challenged in Illinois for the lack of informed consent from the individuals concerned, seeClassActionComplaintforviolationsoftheIllinoisBiometricInformationPrivacyAct<https://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?referer=&httpsredir=1&article=1971&context=historical>accessed1August2017.6See for example, Press Association, ‘Facebook receives nearly 2,000 data requests from UK police’ TheGuardian (11 April 2014) <https://www.theguardian.com/technology/2014/apr/11/facebook-2000-data-requests-police>accessed1August2017.7Council Framework Decision 2006/960/JHA of 18 December 2006 on simplifying the exchange ofinformation and intelligence between law enforcement authorities of the Member States of the EuropeanUnion [2006]OJ L386/89; seeArt2 (c) that reads as follows: ‘crime and criminal activitieswith a view toestablishwhetherconcretecriminalactshavebeencommittedormaybecommittedinthefuture.’8CouncilFrameworkDecision2006/960/JHA,seeArt2(b)thatreadsasfollows: ‘aproceduralstagewithinwhichmeasuresare takenbycompetent lawenforcementauthoritiesor judicial authorities,withaview toestablishing and identifying facts, suspects and circumstances regarding one or several identified concretecriminalacts.’

83

4

Law Enforcement Access to Personal Data Originally Collected by Private Parties

Chapter4:LawEnforcementAccesstoPersonalDataOriginallyCollectedbyPrivateParties

MissingDataSubjects’SafeguardsinDirective2016/680?*Abstract:Accessbylawenforcementauthoritiestopersonaldatainitiallycollectedbyprivatepartiesfor commercial or operational purposes is very common, as shown by the transparencyreportsofnewtechnologycompaniesonlawenforcementrequests.Fromadataprotectionperspective, the scenario of law enforcement access is not necessarily well taken intoaccount.Theadoptionofthenewdataprotectionframeworkofferstheopportunitytoassesswhetherthenew ‘police’Directive,whichregulatestheprocessingofpersonaldatafor lawenforcementpurposes, offers sufficient safeguards to individuals.Tomake thisassessment,provisionscontainedinDirective2016/680aretestedagainstthestandardsestablishedbytheECJinDigitalRightsIrelandandTele2Sverigeontheretentionofdataandtheirfurtheraccessandusebypoliceauthorities.TheanalysisrevealsthatDirective2016/680doesnotcontain the safeguards identified in the case law. The paper further assesses the role andefficiencyoftheprincipleofpurposelimitationasasafeguardagainstrepurposinginalawenforcementcontext.Last,solutionstoovercometheshortcomingsofDirective2016/680areexaminedinconclusion.

IntroductionLawenforcementauthoritiesaroundtheglobehaveagrowingappetiteforpersonaldataheldbyprivatepartiesandinitiallycollectedforapurposedifferentthanlawenforcement.Many examples can illustrate this trend: the huge amount of law enforcement requestsmadetohigh-techcompaniesatglobal level,1thecaseof thetransferofpassengername

*ArticlepublishedintheComputerLaw&SecurityReview,volume34,issue1,February2018,pages154-165.The author would like to thank Prof JeanneMifsud Bonnici and Prof Laurence Gormley for their valuablecomments on an earlier draft, Christina Angelopoulos for kind suggestions as well as the anonymousreviewers;anyerrororomissionishoweverthesoleresponsibilityoftheauthor.1For the firsthalf-yearof2016,Microsoftreportedmore than25,000 lawenforcementrequests todisclosecontent,subscriberdataortransactionaldataatgloballevel,see<https://www.microsoft.com/about/csr/transparencyhub/lerr>comparewithApple’sandGoogle’sreportsfor thesameperiod,availableat respectively<images.apple.com/legal/privacy/transparency/request-2016-H1-en.pdf>and<https://www.google.com/transparencyreport/userdatarequest/countries/>Seealso,OlegAfonin,‘GovernmentRequestReports:Google,AppleandMicrosoft‘(ElcomSoftblog,16January2017)<https://blog.elcomsoft.com/2017/01/government-request-reports-google-apple-and-microsoft/>(alltheabovewebsiteswereaccessedon1August2017).

74

record data (air traveller data) to police authorities, 2 or the retention oftelecommunications data by Internet Service Providers (personal data retention) forfurtherusebylawenforcementauthorities.3Otherexamplesforwhichthenumberofrequestsforaccessmightnotbepubliclyknowncould follow.Given theircharacteristics,onecould thinkof thevalue thatsometypesofpersonal data have for law enforcement authorities. This is the case of biometric data(such as fingerprints),which have been used formanydecades by police authorities toidentify individuals.4Private parties rely more and more on biometric data to controlaccess to buildings, IT systems or applications. Several social media companies, e.g.Facebook,haveevenconstitutedbiometricdatabasesbasedonthe facial imagesof theirusers. In Europe, Facebook stopped facial recognition in 2012,whereas in the USA thecompany is still collecting such personal data.5Of course, Facebook has more personaldata than its users’ facial images: itmight alsoholdnames (real or alias), dateof birth,addresses, phone numbers, and any kind of personal information a user is willing toprovideunder theirprofile.All thesepersonal data, includingbiometricdata, constitutevaluable information for criminal intelligence and criminal investigation.6Criminalintelligenceisaformofsurveillancecarriedoutbylawenforcementauthoritiestogatherinformationaboutcrimeorcriminalactivitiesbeforetheiroccurrenceortoestablishtheiroccurrence.7It differs from criminal investigation, which corresponds to a proceduralstage in relation to concrete criminal activities.8These twoactivities are covered in thispaper.

2OnthePassengerNameRecord,seeInternationalCivilAviationOrganization,‘GuidelinesonPassengerNameRecord (PNR) Data’, Section 2.1.(1st edn, ICAO 2010) <https://www.iata.org/iata/passenger-data-toolkit/assets/doc_library/04-pnr/New%20Doc%209944%201st%20Edition%20PNR.pdf>accessed1August2017;seealsoDirective2016/681of27April2016ontheuseofpassengernamerecord(PNR)datafortheprevention,detection,investigationandprosecutionofterroristoffenceandseriouscrime[2016]OJL119/132.3SeeDirective2006/24/ECoftheEuropeanParliamentandoftheCouncilof15March2006ontheretentionof data generated or processed in connection with the provision of publicly available electroniccommunicationsservicesorofpubliccommunicationsnetworksandamendingDirective2002/58/EC[2006]OJL105/54.4eg Simon A Cole, Suspect Identities: AHistory of Fingerprinting andCriminal Investigation (Harvard PressUniversity2001).5It shouldbenoted that the collection, storage, retentionandsubsequentuseof facial imagesbyFacebookhave been challenged in Illinois for the lack of informed consent from the individuals concerned, seeClassActionComplaintforviolationsoftheIllinoisBiometricInformationPrivacyAct<https://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?referer=&httpsredir=1&article=1971&context=historical>accessed1August2017.6See for example, Press Association, ‘Facebook receives nearly 2,000 data requests from UK police’ TheGuardian (11 April 2014) <https://www.theguardian.com/technology/2014/apr/11/facebook-2000-data-requests-police>accessed1August2017.7Council Framework Decision 2006/960/JHA of 18 December 2006 on simplifying the exchange ofinformation and intelligence between law enforcement authorities of the Member States of the EuropeanUnion [2006]OJ L386/89; seeArt2 (c) that reads as follows: ‘crime and criminal activitieswith a view toestablishwhetherconcretecriminalactshavebeencommittedormaybecommittedinthefuture.’8CouncilFrameworkDecision2006/960/JHA,seeArt2(b)thatreadsasfollows: ‘aproceduralstagewithinwhichmeasuresare takenbycompetent lawenforcementauthoritiesor judicial authorities,withaview toestablishing and identifying facts, suspects and circumstances regarding one or several identified concretecriminalacts.’

84

Chapter 4

Fromadataprotectionperspective,theobviousquestionsthatarisefromthisscenarioarewhichlegalframeworkappliestothecaseoflawenforcementaccesstopersonaldataheldby private parties, and whether that framework provides sufficient safeguards to datasubjects. The adoption of a new data protection framework at EU level constitutes anexcellentopportunitytoassesstherulesapplicabletothescenarioatthatlevel.Adoptedin April 2016, the new data protection framework is composed of a General DataProtection Regulation (Regulation 2016/679 or GDPR)9- replacing the Data ProtectionDirective -10and of a Directive on the protection of personal data processed for lawenforcement purposes (Directive 2016/680 or the ‘police’ Directive).11The ‘police’Directive replaces the Council Framework Decision 2008/977/JHA adopted under theprevious pillar structure.12Directive 2016/680 defines the rules applicable to theprocessingofpersonaldata for lawenforcementpurposes andmore specifically for thepurposesof‘prevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties.’13Thephrase‘lawenforcementpurposes’shouldthereforebe understood, in the context of this article, as referring to the purposes regulated inDirective 2016/680. The Directive does not explicitly define the different purposes butrelies on national laws. Criminal investigation purposes aswell as criminal intelligencepurposescanthereforefallwithinthescopeofDirective2016/680.Againstthisbackground,thenextsection,Section2,addressestheapplicabilityofboththeGDPR and the ‘police’ Directive to the scenario described in this article: provisionscontained in theGDPRgovern the initialprocessingofpersonaldatabyprivateparties,whereasrulessetoutinthe‘police’Directivecoverthefurtherprocessingofthedatabylaw enforcement authorities. After having established that the further processing ofpersonaldatafallswithinthescopeofDirective2016/680,Section3analysestherulesofthat Directive to determine whether they lay down sufficient safeguards to protectindividualswhosepersonaldataareaccessedby lawenforcementauthorities.Therulesareassessedagainst thestandardsestablishedby theEuropeanCourtof Justice(ECJ) intworelatedjudgmentsontheretentionofpersonaldata.DigitalRightsIreland14andTele2

9Regulation(EU)2016/679oftheEuropeanParliamentandoftheCouncilof27April2016ontheprotectionofnaturalpersonswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata,andrepealingDirective95/46/EC(GeneralDataProtectionRegulation)[2016]OJL119/1.10Directive95/46/ECoftheEuropeanParliamentandoftheCouncilof24October1995ontheprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata[1995]OJL281/31.11Directive(EU)2016/680oftheEuropeanParliamentandoftheCouncilof27April2016ontheprotectionofnaturalpersonswithregardtotheprocessingofpersonaldatabycompetentauthoritiesforthepurposesofthe prevention, investigation, detection or prosecution of criminal offences or the execution of criminalpenalties,andonthefreemovementofsuchdata,andrepealingCouncilFrameworkDecision2008/977/JHA[2016]OJL119/89.12BeforetheentryintoforceoftheLisbonTreaty,theEUpolicyareasweredividedintothreepillars.Thefirstpillar was composed of the economic communities whereas the third one regrouped police and judicialmattersincriminalmatters,seeegCatherineBarnardandStevePeers,EuropeanUnionLaw(OUP2014).13art1ofDirective2016/680.14 Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and others [2014]ECLI:EU:C:2014:238.

Sverige15areparticularly relevant to thescenarioof lawenforcementaccess topersonaldataheldbyprivatepartiesastheybothrelatetotheretentionofdataforlateraccessanduseby lawenforcement andnational securities authorities. Section3discusses the twocasesandextractstherelevantfindingsinanattempttoapplythemtotheprovisionsofDirective2016/680.Finally,Section4addressestheissueofthechangeofinitialpurposeandcriticallyassessestheprincipleofpurposelimitationasasafeguardagainstabusesormisuses.

ApplicableLegalInstrument:theGDPRorthe‘Police’Directive?This section considers which legal instrument is applicable to the scenario of lawenforcement access to personal data initially collected by private parties for a non-lawenforcement purpose. It provides some background on the negotiations of the ‘police’Directiveandexplainshowthedivergingpositionsof theEU institutionsonthe issueoflawenforcementaccesshaveresultedintheadoptionofcomplicatedrecitalsonthetopic.ItconcludesthatboththeGDPRandthe‘police’Directiveapplytothescenario.

PositionsoftheEUInstitutions:BetweenHesitationandDivergenceThe GDPR and the ‘police’ Directive build a bridge between them on the issues of thefurtherprocessingofpersonaldataforapurposefallingunderthescopeofeachother’sinstrument. Recital 11 of Directive 2016/680 evokes the scenario of personal datacollectedforalawenforcementpurposeandfurtherprocessedforanon-lawenforcementpurpose. In that case, the further processing is covered by the GDPR. Recital 19 of theGDPR describes the other-way around scenario and provides for the applicability ofDirective2016/680tothefurtherprocessingbylawenforcementauthoritiesofpersonaldata initially collected foranon-lawenforcementpurpose.However,both scenariosarewordedinacomplicatedmanner.16Itcouldbethatthewordingresultsfromthedivergentapproaches defended by the EU institutions during the negotiations of the new dataprotectionframework,andinparticularofthedraft‘police’Directive.In January2012, theEuropeanCommissionpublishedaproposal fora ‘police’Directivethatdidnotcontainanyreferencetothescenariooflawenforcementaccesstopersonaldata collected by third parties. Yet, a few months before, Statewatch, a civil libertiesorganisation, leakedadraftversionof theproposalwhich includedanarticlecontainingprocedural safeguards specific to theaccessby lawenforcementauthorities topersonal

15JoinedCasesC-203/15andC-698/15,Tele2SverigeABvPost-ochtelestyrelsenandSecretaryofStatefortheHomeDepartmentvTomWatsonandothers[2016]ECLI:EU:C:2016:970.16Recital 11 of Directive 2016/680 refers to ‘other bodies or entities entrusted by Member State law toexercisepublicauthoritiesandpublicpowersforthepurposeofthisDirective[i.e.Directive2016/680]’andexplainsthat‘wheresuchabodyorentityprocessespersonaldataforpurposesotherthanforthepurposesofthisDirective[i.e.Directive2016/680],Regulation(EU)2016/679applies’;whereasRecital19ofRegulation2016/679 specifies that ‘personal dataprocessedbypublic authorities under thisRegulation should,whenused for those purposes, [which are the purposes of prevention, investigation, detection or prosecution ofcriminalpenalties]begovernedbyamorespecificUnionlegalact,namelyDirective(EU)2016/680.’

85

4


Fromadataprotectionperspective,theobviousquestionsthatarisefromthisscenarioarewhichlegalframeworkappliestothecaseoflawenforcementaccesstopersonaldataheldby private parties, and whether that framework provides sufficient safeguards to datasubjects. The adoption of a new data protection framework at EU level constitutes anexcellentopportunitytoassesstherulesapplicabletothescenarioatthatlevel.Adoptedin April 2016, the new data protection framework is composed of a General DataProtection Regulation (Regulation 2016/679 or GDPR)9- replacing the Data ProtectionDirective -10and of a Directive on the protection of personal data processed for lawenforcement purposes (Directive 2016/680 or the ‘police’ Directive).11The ‘police’Directive replaces the Council Framework Decision 2008/977/JHA adopted under theprevious pillar structure.12Directive 2016/680 defines the rules applicable to theprocessingofpersonaldata for lawenforcementpurposes andmore specifically for thepurposesof‘prevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties.’13Thephrase‘lawenforcementpurposes’shouldthereforebe understood, in the context of this article, as referring to the purposes regulated inDirective 2016/680. The Directive does not explicitly define the different purposes butrelies on national laws. Criminal investigation purposes aswell as criminal intelligencepurposescanthereforefallwithinthescopeofDirective2016/680.Againstthisbackground,thenextsection,Section2,addressestheapplicabilityofboththeGDPR and the ‘police’ Directive to the scenario described in this article: provisionscontained in theGDPRgovern the initialprocessingofpersonaldatabyprivateparties,whereasrulessetoutinthe‘police’Directivecoverthefurtherprocessingofthedatabylaw enforcement authorities. After having established that the further processing ofpersonaldatafallswithinthescopeofDirective2016/680,Section3analysestherulesofthat Directive to determine whether they lay down sufficient safeguards to protectindividualswhosepersonaldataareaccessedby lawenforcementauthorities.Therulesareassessedagainst thestandardsestablishedby theEuropeanCourtof Justice(ECJ) intworelatedjudgmentsontheretentionofpersonaldata.DigitalRightsIreland14andTele2

9Regulation(EU)2016/679oftheEuropeanParliamentandoftheCouncilof27April2016ontheprotectionofnaturalpersonswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata,andrepealingDirective95/46/EC(GeneralDataProtectionRegulation)[2016]OJL119/1.10Directive95/46/ECoftheEuropeanParliamentandoftheCouncilof24October1995ontheprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata[1995]OJL281/31.11Directive(EU)2016/680oftheEuropeanParliamentandoftheCouncilof27April2016ontheprotectionofnaturalpersonswithregardtotheprocessingofpersonaldatabycompetentauthoritiesforthepurposesofthe prevention, investigation, detection or prosecution of criminal offences or the execution of criminalpenalties,andonthefreemovementofsuchdata,andrepealingCouncilFrameworkDecision2008/977/JHA[2016]OJL119/89.12BeforetheentryintoforceoftheLisbonTreaty,theEUpolicyareasweredividedintothreepillars.Thefirstpillar was composed of the economic communities whereas the third one regrouped police and judicialmattersincriminalmatters,seeegCatherineBarnardandStevePeers,EuropeanUnionLaw(OUP2014).13art1ofDirective2016/680.14 Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and others [2014]ECLI:EU:C:2014:238.

Sverige15areparticularly relevant to thescenarioof lawenforcementaccess topersonaldataheldbyprivatepartiesastheybothrelatetotheretentionofdataforlateraccessanduseby lawenforcement andnational securities authorities. Section3discusses the twocasesandextractstherelevantfindingsinanattempttoapplythemtotheprovisionsofDirective2016/680.Finally,Section4addressestheissueofthechangeofinitialpurposeandcriticallyassessestheprincipleofpurposelimitationasasafeguardagainstabusesormisuses.

ApplicableLegalInstrument:theGDPRorthe‘Police’Directive?This section considers which legal instrument is applicable to the scenario of lawenforcement access to personal data initially collected by private parties for a non-lawenforcement purpose. It provides some background on the negotiations of the ‘police’Directiveandexplainshowthedivergingpositionsof theEU institutionsonthe issueoflawenforcementaccesshaveresultedintheadoptionofcomplicatedrecitalsonthetopic.ItconcludesthatboththeGDPRandthe‘police’Directiveapplytothescenario.

PositionsoftheEUInstitutions:BetweenHesitationandDivergenceThe GDPR and the ‘police’ Directive build a bridge between them on the issues of thefurtherprocessingofpersonaldataforapurposefallingunderthescopeofeachother’sinstrument. Recital 11 of Directive 2016/680 evokes the scenario of personal datacollectedforalawenforcementpurposeandfurtherprocessedforanon-lawenforcementpurpose. In that case, the further processing is covered by the GDPR. Recital 19 of theGDPR describes the other-way around scenario and provides for the applicability ofDirective2016/680tothefurtherprocessingbylawenforcementauthoritiesofpersonaldata initially collected foranon-lawenforcementpurpose.However,both scenariosarewordedinacomplicatedmanner.16Itcouldbethatthewordingresultsfromthedivergentapproaches defended by the EU institutions during the negotiations of the new dataprotectionframework,andinparticularofthedraft‘police’Directive.In January2012, theEuropeanCommissionpublishedaproposal fora ‘police’Directivethatdidnotcontainanyreferencetothescenariooflawenforcementaccesstopersonaldata collected by third parties. Yet, a few months before, Statewatch, a civil libertiesorganisation, leakedadraftversionof theproposalwhich includedanarticlecontainingprocedural safeguards specific to theaccessby lawenforcementauthorities topersonal

15JoinedCasesC-203/15andC-698/15,Tele2SverigeABvPost-ochtelestyrelsenandSecretaryofStatefortheHomeDepartmentvTomWatsonandothers[2016]ECLI:EU:C:2016:970.16Recital 11 of Directive 2016/680 refers to ‘other bodies or entities entrusted by Member State law toexercisepublicauthoritiesandpublicpowersforthepurposeofthisDirective[i.e.Directive2016/680]’andexplainsthat‘wheresuchabodyorentityprocessespersonaldataforpurposesotherthanforthepurposesofthisDirective[i.e.Directive2016/680],Regulation(EU)2016/679applies’;whereasRecital19ofRegulation2016/679 specifies that ‘personal dataprocessedbypublic authorities under thisRegulation should,whenused for those purposes, [which are the purposes of prevention, investigation, detection or prosecution ofcriminalpenalties]begovernedbyamorespecificUnionlegalact,namelyDirective(EU)2016/680.’

86

Chapter 4

data initially collected for purposes other than law enforcement.17Those very detailedsafeguardscomprised:(a)thepersonsentitledtohaveaccesstothepersonaldataunderthe condition that the data met a ‘reasonable ground standard’; (b) a written requestreferring to the legal basis on which the request was made; and (c) the adoption of‘appropriate safeguards’ defined by the Member States, which could include, amongothers,apriorjudicialreviewoftherequest.18Thisdraftneversawthelightofdayandtheofficialproposal for the ‘police’Directivedidnot containanyspecificprovisionson thatissue.Duringthenegotiationsontheproposalforthe‘police’Directive,theEuropeanParliamentbroughttheissuebackonthetableandproposedanewarticleon‘lawenforcementaccesstopersonaldatacollectedforadifferentpurpose.’19Inthatamendment,theusageofthepersonal data initially collected for a different purpose could only be limited to‘investigation’ or ‘prosecution of criminal offence’.20However, the other institutions didnot endorse the amendment.With the exception of one delegation, the Council did notsupporttheamendmentandadoptedapoliticalagreementontheproposalwithoutsuchaprovision.21AsfortheEuropeanCommission,itstatedthatitwasnotabletofullyendorsetheamendment.Itarguedthattherewasariskofconfusion–withoutspecifyingonwhichtopic-andofnon-compliancewithinternationalagreements,suchasthePassengerNameRecordandtheTerroristTrackingProgramme.22Thoseargumentsareverysurprisingandnot very convincing: theCommission justified its positionby referring to controversialagreementsprovidingforeignlawenforcementauthorities(mainlyUSones)accesstoEUcitizens’personaldata.

17See draft version of a ‘proposal for a Directive of the European Parliament and of the Council on theprotection of individuals with regard to the processing of personal data by competent authorities for thepurposes of prevention, investigation, detection or prosecution of criminal offences or the execution ofcriminal penalties, and the free movement of such data’ (‘Police and Criminal Justice Data ProtectionDirective’)version34,29November2011,seeart4(2)(a)-(c)<http://www.statewatch.org/news/2011/dec/ep-dp-leas-draft-directive.pdf>accessed1August2017.18art 4 (2)(c) of the leaked draft version of a proposal for a ‘Police and Criminal Justice Data ProtectionDirective.’19EuropeanParliamentlegislativeresolutionof12March2014ontheproposalforadirectiveoftheEuropeanParliamentandoftheCouncilontheprotectionofindividualswithregardtotheprocessingofpersonaldatabycompetentauthorities for thepurposesofprevention, investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andthefreemovementofsuchdata(COM(2012)0010–C7-0024/2012-2012/0010(COD))(Ordinarylegislativeprocedure:firstreading),Art4a.20ibid.21SeeCouncil, Proposal for aDirective of theEuropeanParliament andof theCouncil on theprotection ofindividuals with regards to the processing of personal data by competent authorities for the purposes ofprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andthefreemovementofsuchdata,FN130,Austriandelegation,LIMITEdoc.no7740/15,14April2015.22Extractedfromtheleaked‘CommissionpositiononEPamendmentson1streading’:‘haveorriskhavingtheeffect of prohibiting lawful access by competent law enforcement authorities to PNR [Passenger NationalRegister], TFTP [Terrorist Finance Tracking Programme] or other relevant personal data as provided forunderinternationalagreementsconcludedbytheUnionorexistingorproposedlegalinstrument’;TFTPisan‘AgreementbetweentheEuropeanUnionandtheUnitedStatesofAmericaontheprocessingandtransferoffinancial messaging data from the European Union to the United States for the purposes of the TerroristFinanceTrackingProgram’[2010]OJL8/11,andCouncilDecisionontheagreement[2010]OJL195/3.

In fine, theadoptedprovisionscontained in theGDPRand the ‘police’DirectiveseemtoreflectthedivergenceoftheEUinstitutionsonthisissue.

TwoSetsofRulesGovernedbyTwoDifferentInstrumentsThescenariooflawenforcementaccesstopersonaldatageneratedbyprivatepartiesforanon-lawenforcementpurposecanbesplitintothe‘initialpurposeofcollection,’subjecttotheGDPR,andthe‘purposeoffurtherprocessing’,governedbyDirective2016/680.In the scenario under review, the initial purpose of data collection mostly relates tocustomerdata collectedbyprivateparties. Provided it complieswith the conditions setoutinArticle2(1)GDPR,theinitialpurposeofcollectionissubjecttotherulescontainedin theGDPR.23Thecollectionofpersonaldata isalsoanexampleofprocessingactivitiesexplicitlycoveredbytheGDPR.24The furtherprocessingof personal data held by private parties fallswithin the scope ofDirective2016/680 if thedataare furtherprocessed fora lawenforcementpurpose.Asalreadyexplained,onthis issue,Recital19GDPRbuildsabridgebetweentheGDPRandDirective2016/680.Onecouldstillregretthattheapplicabilityofthe‘police’Directiveisonly mentioned in a non-binding provision. Law enforcement access to and use ofpersonaldatashouldthereforefallinthecategoryofdataprocessingoperations,assetoutinArticle3(2)ofDirective2016/680.Adiscussioncanensueontheexactmeaningoftheterm‘access’.AccessisnotincludedinthelistofprocessingoperationsgivenasexamplesinArticle3(2)ofDirective2016/680.25Thetermisalsoambiguous:itcanrefertodifferentprocessingoperations(‘consultation’or‘disclosure’)involvingdifferentactors(privatepartiesprovidingtheaccesstothedataor law enforcement getting access to them) and be thus subject to different rules. IfdisclosureofpersonaldatabyprivatepartiestolawenforcementauthoritiesseemstofallwithintheremitoftheGDPR,‘consultation’ofthosedatabylawenforcementauthoritiescouldbesubject todiverging interpretations.Onecouldargue that ‘consultation’by lawenforcementauthoritiesisnothingmorethan‘makingavailable’thepersonaldatatolawenforcement authorities and thus disclosure. But at the same time, ‘consultation’ couldalsobe consideredaprocessing subject to the ‘police’Directive ifpersonaldataare, forinstance, consulted by law enforcement authorities in the context of a criminalinvestigation. Approaching the term from its terminological and operational meaningmightbetoosimplistictodeterminewhichlegalinstrumentapplies.23art2(1)GDPRdefinesthescopeoftheRegulationasfollows: ‘ThisRegulationappliestotheprocessingofpersonaldatawhollyorpartlybyautomatedmeansandtotheprocessingotherthanbyautomatedmeansofpersonaldatawhichformpartofafilingsystemorareintendedtoformpartofafilingsystem.’24art4(2)GDPRdefinestheterm‘processing’andprovidesasexamples ‘collection,recording,organisation,structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,disseminationorotherwisemakingavailable,alignmentorcombination,restriction,erasureordestruction.’(emphasisadded).25Processingisdefinedinidenticaltermsinart3(2)Directive2016/680andart4(2)GDPR;consultationanddisclosurearebothexamplesofprocessingactivities.

87

4


data initially collected for purposes other than law enforcement.17Those very detailedsafeguardscomprised:(a)thepersonsentitledtohaveaccesstothepersonaldataunderthe condition that the data met a ‘reasonable ground standard’; (b) a written requestreferring to the legal basis on which the request was made; and (c) the adoption of‘appropriate safeguards’ defined by the Member States, which could include, amongothers,apriorjudicialreviewoftherequest.18Thisdraftneversawthelightofdayandtheofficialproposal for the ‘police’Directivedidnot containanyspecificprovisionson thatissue.Duringthenegotiationsontheproposalforthe‘police’Directive,theEuropeanParliamentbroughttheissuebackonthetableandproposedanewarticleon‘lawenforcementaccesstopersonaldatacollectedforadifferentpurpose.’19Inthatamendment,theusageofthepersonal data initially collected for a different purpose could only be limited to‘investigation’ or ‘prosecution of criminal offence’.20However, the other institutions didnot endorse the amendment.With the exception of one delegation, the Council did notsupporttheamendmentandadoptedapoliticalagreementontheproposalwithoutsuchaprovision.21AsfortheEuropeanCommission,itstatedthatitwasnotabletofullyendorsetheamendment.Itarguedthattherewasariskofconfusion–withoutspecifyingonwhichtopic-andofnon-compliancewithinternationalagreements,suchasthePassengerNameRecordandtheTerroristTrackingProgramme.22Thoseargumentsareverysurprisingandnot very convincing: theCommission justified its positionby referring to controversialagreementsprovidingforeignlawenforcementauthorities(mainlyUSones)accesstoEUcitizens’personaldata.

17See draft version of a ‘proposal for a Directive of the European Parliament and of the Council on theprotection of individuals with regard to the processing of personal data by competent authorities for thepurposes of prevention, investigation, detection or prosecution of criminal offences or the execution ofcriminal penalties, and the free movement of such data’ (‘Police and Criminal Justice Data ProtectionDirective’)version34,29November2011,seeart4(2)(a)-(c)<http://www.statewatch.org/news/2011/dec/ep-dp-leas-draft-directive.pdf>accessed1August2017.18art 4 (2)(c) of the leaked draft version of a proposal for a ‘Police and Criminal Justice Data ProtectionDirective.’19EuropeanParliamentlegislativeresolutionof12March2014ontheproposalforadirectiveoftheEuropeanParliamentandoftheCouncilontheprotectionofindividualswithregardtotheprocessingofpersonaldatabycompetentauthorities for thepurposesofprevention, investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andthefreemovementofsuchdata(COM(2012)0010–C7-0024/2012-2012/0010(COD))(Ordinarylegislativeprocedure:firstreading),Art4a.20ibid.21SeeCouncil, Proposal for aDirective of theEuropeanParliament andof theCouncil on theprotection ofindividuals with regards to the processing of personal data by competent authorities for the purposes ofprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andthefreemovementofsuchdata,FN130,Austriandelegation,LIMITEdoc.no7740/15,14April2015.22Extractedfromtheleaked‘CommissionpositiononEPamendmentson1streading’:‘haveorriskhavingtheeffect of prohibiting lawful access by competent law enforcement authorities to PNR [Passenger NationalRegister], TFTP [Terrorist Finance Tracking Programme] or other relevant personal data as provided forunderinternationalagreementsconcludedbytheUnionorexistingorproposedlegalinstrument’;TFTPisan‘AgreementbetweentheEuropeanUnionandtheUnitedStatesofAmericaontheprocessingandtransferoffinancial messaging data from the European Union to the United States for the purposes of the TerroristFinanceTrackingProgram’[2010]OJL8/11,andCouncilDecisionontheagreement[2010]OJL195/3.

In fine, theadoptedprovisionscontained in theGDPRand the ‘police’DirectiveseemtoreflectthedivergenceoftheEUinstitutionsonthisissue.

TwoSetsofRulesGovernedbyTwoDifferentInstrumentsThescenariooflawenforcementaccesstopersonaldatageneratedbyprivatepartiesforanon-lawenforcementpurposecanbesplitintothe‘initialpurposeofcollection,’subjecttotheGDPR,andthe‘purposeoffurtherprocessing’,governedbyDirective2016/680.In the scenario under review, the initial purpose of data collection mostly relates tocustomerdata collectedbyprivateparties. Provided it complieswith the conditions setoutinArticle2(1)GDPR,theinitialpurposeofcollectionissubjecttotherulescontainedin theGDPR.23Thecollectionofpersonaldata isalsoanexampleofprocessingactivitiesexplicitlycoveredbytheGDPR.24The furtherprocessingof personal data held by private parties fallswithin the scope ofDirective2016/680 if thedataare furtherprocessed fora lawenforcementpurpose.Asalreadyexplained,onthis issue,Recital19GDPRbuildsabridgebetweentheGDPRandDirective2016/680.Onecouldstillregretthattheapplicabilityofthe‘police’Directiveisonly mentioned in a non-binding provision. Law enforcement access to and use ofpersonaldatashouldthereforefallinthecategoryofdataprocessingoperations,assetoutinArticle3(2)ofDirective2016/680.Adiscussioncanensueontheexactmeaningoftheterm‘access’.AccessisnotincludedinthelistofprocessingoperationsgivenasexamplesinArticle3(2)ofDirective2016/680.25Thetermisalsoambiguous:itcanrefertodifferentprocessingoperations(‘consultation’or‘disclosure’)involvingdifferentactors(privatepartiesprovidingtheaccesstothedataor law enforcement getting access to them) and be thus subject to different rules. IfdisclosureofpersonaldatabyprivatepartiestolawenforcementauthoritiesseemstofallwithintheremitoftheGDPR,‘consultation’ofthosedatabylawenforcementauthoritiescouldbesubject todiverging interpretations.Onecouldargue that ‘consultation’by lawenforcementauthoritiesisnothingmorethan‘makingavailable’thepersonaldatatolawenforcement authorities and thus disclosure. But at the same time, ‘consultation’ couldalsobe consideredaprocessing subject to the ‘police’Directive ifpersonaldataare, forinstance, consulted by law enforcement authorities in the context of a criminalinvestigation. Approaching the term from its terminological and operational meaningmightbetoosimplistictodeterminewhichlegalinstrumentapplies.23art2(1)GDPRdefinesthescopeoftheRegulationasfollows: ‘ThisRegulationappliestotheprocessingofpersonaldatawhollyorpartlybyautomatedmeansandtotheprocessingotherthanbyautomatedmeansofpersonaldatawhichformpartofafilingsystemorareintendedtoformpartofafilingsystem.’24art4(2)GDPRdefinestheterm‘processing’andprovidesasexamples ‘collection,recording,organisation,structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,disseminationorotherwisemakingavailable,alignmentorcombination,restriction,erasureordestruction.’(emphasisadded).25Processingisdefinedinidenticaltermsinart3(2)Directive2016/680andart4(2)GDPR;consultationanddisclosurearebothexamplesofprocessingactivities.

88

Chapter 4

79

Trying to understand themeaning of ‘access’ is not a rhetorical issue since it has beenmentioned in thecase lawof theECJondataretention.However,onecannotbutnoticethatthecaselawdoesnotbringmuchclarityonthestatusandmeaningof‘access’.IncaseC-301/06relatingtothevalidityofthelegalbasisonwhichtheDataRetentionDirectivehad been adopted,26the Court found that the Data Retention Directive regulated theretentionofpersonaldatabutnottheiraccessorusebylawenforcementauthorities.27Bycontrast, inDigitalRights Ireland andmore clearly in Tele2Sverige - both described atlengthinthenextsection-theCourtviewedtheoperationof lawenforcementaccesstothe retained data as an accessory to the retention of personal data and extended theapplicationofEU lawto theoperationofaccess.28TheCourt justified it throughthe linkexistingbetweenthepurposeofretentionofthedataandtheiruse.29AsnotedbyWoods,theCourtrefusedtomakeadistinctionbetweenretentionandaccesstotheretaineddataand therefore to exclude access from the scope of EU law.30It should be observed thatDigitalRightsIrelandandTele2Sverigeweredecidedbeforetheadoptionofthenewdataprotectionframework.Underthenewrules,accessby lawenforcementauthorities foralaw enforcement purpose should fall within the scope of Directive 2016/680 and bedistinctfromretentionofdataprocessedforanon-lawenforcementpurpose.Inanycase,in this paper, what matters is the purpose for which privately held personal data arefurther accessed and not whether access means ‘consultation’ by law enforcementauthoritiesor‘disclosure’byprivateparties.Asdescribedinthissection,theGDPRappliestotheinitialpurposeofcollection,whereasthe ‘police’ Directive applies to the further processing of the same data by lawenforcementauthorities.Althoughbothtextsacknowledgethescenarioanddeterminetheinstrument applicable thereto, they do not contain specific rules applicable to the lawenforcement access to personal data collected for a different purpose. Yet Opinion03/2015oftheArticle29DataProtectionWorkingParty(A29WP)31ontheproposalfora‘police’Directiverecommended: ‘anyprocessingforapurposedifferentthanthespecificone forwhich thedatawasoriginallyprocessed should alwayshave its own legal basis

26CaseC-301/06,IrelandvEuropeanParliamentandCouncil[2009]ECLI:EU:C:2009:68.27CaseC-301/06,para80;seealsoArt4Directive2006/24.28Tele2Sverige(n15)para76.29Tele2Sverige(n15)para79: ‘sincedataisretainedonlyforthepurpose,whennecessary,ofmakingthatdataaccessible to thecompetentnationalauthorities,national legislationthat imposestheretentionofdatanecessarily entails, in principle, the existence of provisions relating to access by the competent nationalauthoritiestothedataretainedbytheprovidersofelectroniccommunicationsservices’;seealsoOpinionofA.G.SaugmandsgaardØEinTele2Sverige,para125:‘theraisond’êtreofadataretentionobligationistoenablelawenforcementauthorities toaccess thedataretained,andso the issueof theretentionofdatacannotbeentirelyseparatedfromtheissueofaccesstothatdata.’30LornaWoods, ‘DataRetention andNational Law: theECJRuling in JoinedCases C-203/15 andC-698/15Tele2andWatson(GrandChamber)’(EULawAnalysis,21December2016)blogpost<http://eulawanalysis.blogspot.nl/2016/12/data-retention-and-national-law-ecj.html> accessed 1 August2017.31The A29WP is an independent advisory body to the European Commission on data protection matters<http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083>accessed1August2017.

includingclearandspecificsafeguards.’32Ifitisestablishedthatthefurtherprocessingforalawenforcementpurposeofpersonaldataheldbyprivatepartieshasalegalbasis,33onecanstillwonderifDirective2016/680containsclearandspecificsafeguardstoensuretheprotectionofindividualswhosepersonaldataareaccessed.Thisissueisaddressedinthenextsection.

Existenceof‘SubstantiveandProcedural’SafeguardsinDirective2016/680?

Besides facilitating the freemovement of personal data in the area of lawenforcement,Directive 2016/680 aims at ensuring the same level of protection of individuals’ rightsthrough the EU.34According to Recital 26 of Directive 2016/680, safeguards are anelement of fair processing that should ensure that individuals are able to exercise theirrights in a law enforcement context. This sectionwill assesswhether the provisions ofDirective2016/680providesufficientsafeguardsfortheprotectionofindividualswhosepersonal data initially collected by private parties are accessed by law enforcementauthorities. Tomakethisassessment,thepaperbuildsonthe‘standards’establishedbytheEuropeanCourtof Justice in its jurisprudenceondataretention, i.e. inDigitalRightsIreland35andTele2Sverige36.ThefirstcaserelatestotheEUdataretentionframework,i.e.the Data Retention Directive (or Directive 2006/24), the second one to national dataretentionframeworks(theSwedishandUKframeworks)asdescribedbelow.

PreliminaryRemarksontheUseofDigitalRightsIrelandandTele2SverigeasBenchmark

The two judgments are relevant to the scenario of law enforcement access even if theyrelatetoslightlydifferentsituations.Indeed,inDigitalRightsIrelandandTele2Sverige,thelawsat stakecover trafficdatacollectedby telecomsoperators for theirownusageandretained to be accessed (and further used) by law enforcement authorities. The lawsimposeanobligationtoretainthedata.Bycontrast,inthescenariounderconsideration,personaldataarecollectedbyprivatepartiesfortheirownuse(oratleastforanon-lawenforcement purpose) and are then accessed by law enforcement authorities. Privatepartiesareundernoobligationtoretainpersonaldata for lawenforcementaccess, theysimply make the data available upon request. This is an important precision since thescenario under reviewdoes not relate tomass collection ormass retention of personaldata. To illustrate it, one could think of the situation where an employer collects his

32A29WP, ‘Opinion 03/2015 on the draft directive on the protection of individuals with regard to theprocessingofpersonaldatabycompetentauthoritiesforthepurposesofprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andthefreemovementofsuchdata’[2015]WP233.33Recital19GDPR.34Recitals7and15Directive2016/680.35DigitalRightsIreland(n14).36Tele2Sverige(n15).

89

4


79

Trying to understand themeaning of ‘access’ is not a rhetorical issue since it has beenmentioned in thecase lawof theECJondataretention.However,onecannotbutnoticethatthecaselawdoesnotbringmuchclarityonthestatusandmeaningof‘access’.IncaseC-301/06relatingtothevalidityofthelegalbasisonwhichtheDataRetentionDirectivehad been adopted,26the Court found that the Data Retention Directive regulated theretentionofpersonaldatabutnottheiraccessorusebylawenforcementauthorities.27Bycontrast, inDigitalRights Ireland andmore clearly in Tele2Sverige - both described atlengthinthenextsection-theCourtviewedtheoperationof lawenforcementaccesstothe retained data as an accessory to the retention of personal data and extended theapplicationofEU lawto theoperationofaccess.28TheCourt justified it throughthe linkexistingbetweenthepurposeofretentionofthedataandtheiruse.29AsnotedbyWoods,theCourtrefusedtomakeadistinctionbetweenretentionandaccesstotheretaineddataand therefore to exclude access from the scope of EU law.30It should be observed thatDigitalRightsIrelandandTele2Sverigeweredecidedbeforetheadoptionofthenewdataprotectionframework.Underthenewrules,accessby lawenforcementauthorities foralaw enforcement purpose should fall within the scope of Directive 2016/680 and bedistinctfromretentionofdataprocessedforanon-lawenforcementpurpose.Inanycase,in this paper, what matters is the purpose for which privately held personal data arefurther accessed and not whether access means ‘consultation’ by law enforcementauthoritiesor‘disclosure’byprivateparties.Asdescribedinthissection,theGDPRappliestotheinitialpurposeofcollection,whereasthe ‘police’ Directive applies to the further processing of the same data by lawenforcementauthorities.Althoughbothtextsacknowledgethescenarioanddeterminetheinstrument applicable thereto, they do not contain specific rules applicable to the lawenforcement access to personal data collected for a different purpose. Yet Opinion03/2015oftheArticle29DataProtectionWorkingParty(A29WP)31ontheproposalfora‘police’Directiverecommended: ‘anyprocessingforapurposedifferentthanthespecificone forwhich thedatawasoriginallyprocessed should alwayshave its own legal basis

26CaseC-301/06,IrelandvEuropeanParliamentandCouncil[2009]ECLI:EU:C:2009:68.27CaseC-301/06,para80;seealsoArt4Directive2006/24.28Tele2Sverige(n15)para76.29Tele2Sverige(n15)para79: ‘sincedataisretainedonlyforthepurpose,whennecessary,ofmakingthatdataaccessible to thecompetentnationalauthorities,national legislationthat imposestheretentionofdatanecessarily entails, in principle, the existence of provisions relating to access by the competent nationalauthoritiestothedataretainedbytheprovidersofelectroniccommunicationsservices’;seealsoOpinionofA.G.SaugmandsgaardØEinTele2Sverige,para125:‘theraisond’êtreofadataretentionobligationistoenablelawenforcementauthorities toaccess thedataretained,andso the issueof theretentionofdatacannotbeentirelyseparatedfromtheissueofaccesstothatdata.’30LornaWoods, ‘DataRetention andNational Law: theECJRuling in JoinedCases C-203/15 andC-698/15Tele2andWatson(GrandChamber)’(EULawAnalysis,21December2016)blogpost<http://eulawanalysis.blogspot.nl/2016/12/data-retention-and-national-law-ecj.html> accessed 1 August2017.31The A29WP is an independent advisory body to the European Commission on data protection matters<http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083>accessed1August2017.

includingclearandspecificsafeguards.’32Ifitisestablishedthatthefurtherprocessingforalawenforcementpurposeofpersonaldataheldbyprivatepartieshasalegalbasis,33onecanstillwonderifDirective2016/680containsclearandspecificsafeguardstoensuretheprotectionofindividualswhosepersonaldataareaccessed.Thisissueisaddressedinthenextsection.

Existenceof‘SubstantiveandProcedural’SafeguardsinDirective2016/680?

Besides facilitating the freemovement of personal data in the area of lawenforcement,Directive 2016/680 aims at ensuring the same level of protection of individuals’ rightsthrough the EU.34According to Recital 26 of Directive 2016/680, safeguards are anelement of fair processing that should ensure that individuals are able to exercise theirrights in a law enforcement context. This sectionwill assesswhether the provisions ofDirective2016/680providesufficientsafeguardsfortheprotectionofindividualswhosepersonal data initially collected by private parties are accessed by law enforcementauthorities. Tomakethisassessment,thepaperbuildsonthe‘standards’establishedbytheEuropeanCourtof Justice in its jurisprudenceondataretention, i.e. inDigitalRightsIreland35andTele2Sverige36.ThefirstcaserelatestotheEUdataretentionframework,i.e.the Data Retention Directive (or Directive 2006/24), the second one to national dataretentionframeworks(theSwedishandUKframeworks)asdescribedbelow.

PreliminaryRemarksontheUseofDigitalRightsIrelandandTele2SverigeasBenchmark

The two judgments are relevant to the scenario of law enforcement access even if theyrelatetoslightlydifferentsituations.Indeed,inDigitalRightsIrelandandTele2Sverige,thelawsat stakecover trafficdatacollectedby telecomsoperators for theirownusageandretained to be accessed (and further used) by law enforcement authorities. The lawsimposeanobligationtoretainthedata.Bycontrast,inthescenariounderconsideration,personaldataarecollectedbyprivatepartiesfortheirownuse(oratleastforanon-lawenforcement purpose) and are then accessed by law enforcement authorities. Privatepartiesareundernoobligationtoretainpersonaldata for lawenforcementaccess, theysimply make the data available upon request. This is an important precision since thescenario under reviewdoes not relate tomass collection ormass retention of personaldata. To illustrate it, one could think of the situation where an employer collects his

32A29WP, ‘Opinion 03/2015 on the draft directive on the protection of individuals with regard to theprocessingofpersonaldatabycompetentauthoritiesforthepurposesofprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andthefreemovementofsuchdata’[2015]WP233.33Recital19GDPR.34Recitals7and15Directive2016/680.35DigitalRightsIreland(n14).36Tele2Sverige(n15).

90

Chapter 4

employees’ fingerprints to give themaccess to securedbuildings.37A criminal offence isthen committed on the work premises. The police authorities request access to thebiometricdatafilesheldbytheemployertocomparethemwiththebiometricdatafoundonsite.Inthatspecificscenario,whatmattersaretherulesapplicabletolawenforcementauthorities to get access to those data. However, despite the differences between thescenarios,theECJ’srulingsinDigitalRightsIrelandandTele2Sverigealsocovertheissueof lawenforcementaccess to theretaineddata inadditionto the issueofdataretentionitself.ItispreciselythewaytheECJapproachestheissueofaccessthatisrelevantinthecontextofthispaper.There is also enough evidence to believe that the findings ofDigitalRightsIreland andTele2Sverige apply to legislativemeasures beyondmetadata retention.38The EuropeanParliamentandtheEuropeanCommissionhavebothaddressedtheissueoftheimpactoftheDigitalRightsIreland judgment on other EU legislation. Prior to the adoption of the‘police’Directive,thelegalserviceoftheEuropeanParliamentdeliveredanopinionontheconsequences of Digital Rights Ireland.39Since at that time, national legislation on theprocessingofpersonaldata for lawenforcementauthorities felloutside thescopeofEUlaw,40itconsideredthattherulesonlawenforcementaccesstoanduseofpersonaldatacollectedforadifferentpurposewerenotnecessarilyimpactedbythejudgment.However,italsoacknowledged that itspositionwouldbedifferent ifandwhen theproposal fora‘police’Directivewouldbeadopted.41Afewmonthslater,theEuropeanParliamentaskedthe European Commission to assess the possible impact ofDigitalRightsIrelandon theproposed Passenger Name Record (PNR) Directive.42In its answer to the EuropeanParliament, theEuropeanCommissionopined that the judgment set up a framework toassess EU legislation on ‘the general collection and processing for law enforcement

37 eg Guidelines by the Irish Data Protection Commission on ‘Biometrics in the Workplace’<https://www.dataprotection.ie/docs/Biometrics-in-the-workplace/m/244.htm> accessed 1 August 2017;positionoftheFrenchdataprotectionauthority(CNIL)ontheuseofbiometricsystemstocontrolaccesstoworking places <https://www.cnil.fr/fr/le-controle-dacces-biometrique-sur-les-lieux-de-travail> accessed 1August2017.38SeealsoFranziskaBoehmandMarkCole,‘DataRetentionaftertheJudgementoftheCourtofJusticeoftheEuropeanUnion’(30June2014), inwhichtheauthorsassesstheimpactoftheDRI judgmentonotherDataRetentionMeasures<https://www.janalbrecht.eu/fileadmin/material/Dokumente/Boehm_Cole_-_Data_Retention_Study_-_June_2014.pdf>accessed1August2017.39Legal Service of the European Parliament, leaked document, legal opinion of 22 December 2014 ‘LIBE-Questions relating to the judgmentof theCourt of Justiceof8April 2014 in JoinedCasesC-293/12andC-594/12, Digital Rights Ireland and Seitlinger and others - Directive 2006/24/EC on data retention -Consequencesofthejudgment’[2014]para80<http://www.statewatch.org/news/2015/apr/ep-ls-opinion-digital-rights-judgment.pdf> accessed 1 August2017.40The only data protection framework applicable in the context of law enforcement was the CouncilFrameworkDecision2008/977/JHAthatonlycoveredcross-borderprocessingforlawenforcementpurposes,seeRecital7andart1ofCouncilFrameworkDecision2008/977/JHA.41Opinionof theEuropeanParliament(2014), footnote62readsas follows: ‘it [i.e. thedraftDirective]willbringimportantchangestotheUnion’sdataprotectionlawintheareaofcriminallaw,incomparisontotheactcurrentlyinforce,i.e.CouncilFrameworkDecision2008/977/JHA.’42European Parliament, ‘Resolution of 11 February 2015 on anti-terrorism measures’ (2015/2530 (RSP))[2015] Point 13 <http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P8-TA-2015-0032+0+DOC+XML+V0//EN>accessed1August2017.

82

purposesof personal data of individuals.’43TheCommission acknowledged inparticularthat the findings of the Digital Right Ireland case should be taken into account in theassessmentoftheproposalforaPNRDirective.44AsforTele2Sverige,thejudgmentassessestheimpactandapplicationoftheDigitalRightsIreland judgment to national data retention regimes. Because of the scope of Directive2016/680,45it can be strongly asserted that its findings apply to national legislationrelatingtothecollectionofpersonaldatabythirdpartiesandtotheirfurtherprocessingbylawenforcementauthorities.

TheBenchmarksetbyDigitalRightsIrelandandTele2SverigeThe Data Retention Directive was ‘struck down’ by the ECJ in Digital Rights Ireland;whereas national data retention measures still in place (Sweden) or adopted after theinvalidation of the Directive (UK) were declared incompatible with EU law in Tele2Sverige.Thesetwocaseshaveastrongconnection.FollowingtheinvalidationoftheDataRetentionDirective,nationalmeasuresondataretentionstillhadtobecompliantwithEUlaw, and in particular, with the e-privacy Directive (or Directive 2002/28/EC) adoptedbefore the Data Retention Directive. Article 15(1) of that Directive expressly allowsMember States to adoptdata retentionmeasuresunder specific conditions. It is againstthat provision that the ECJ had to determine the compliance of the Swedish and UKmeasuresinTele2Sverige.In Digital Rights Ireland, two national jurisdictions, the High Court of Ireland and theVerfassungsgerichtshof(AustrianConstitutionalCourt),broughtarequestforpreliminaryrulingsbeforetheECJonthevalidityoftheDataRetentionDirective.Thenationalcourtscontested the compatibility of the Directivewith Articles 7, 8 and 11 of the Charter ofFundamentalRights.46InTele2Sverige,aSwedishadministrativeCourtandaUKCourtofAppealreferredpreliminaryquestionstotheECJonthecompatibilityofrespectivelytheSwedishlawsondataretention47andtheUKDRPIA48withthee-privacyDirectiveaswellaswithArticles7and8oftheCharterofFundamentalRights.49

43SeeEuropeanCommission’sanswertotheEuropeanParliamentonthePNRproposalandtheconsequencesof the DRI judgment, as leaked by Statewatch, see <statewatch.org/news/2015/mar/eu-com-eu-pnr-letter.pdf> accessed 1 August 2017. The European Commission referred to ‘legislation’ in general, but oneunderstandsthatitsreasoningfocusesonEUlegislationandnotonnationallegislation.44ibid.45Coveringbothdomesticandcross-borderdataprocessing.46DigitalRightsIreland(n14)para23; thenationalCourtsasked theECJ to review thecompatibilityof theDataRetentionDirectivewithotherEUprovisions(art41Charter,art52(3)-(4)-(7)Charter,andart8ECHR);at national level, proceedings against national measures implementing the Data Retention Directive werebroughtbytheadvocacygroupDigitalRightsIrelandinIrelandandbymorethan11,000applicantsandtheregionalGovernmentofCarinthiainAustria.47Tele2Sverige(n15)paras15and16,respectivelytheLaw2003:389onelectroniccommunications(Lagen(2003:389)omelektroniskkommunikation or LEK) and Regulation 2003:396 on electronic communications(Förordningen(2003:396)omelektroniskkommunikation); theCodeof JudicialProcedure (Rättegångsbalkenor RB) and Law 2012:278 on the collection of data on electronic communications in the law enforcementauthorities’ investigative activities (Lagen (2012:278) om inhämtning av uppgifter om elektroniskkommunikationidebrottsbekämpandemyndigheternasunderrättelseverksamhet).

91

4


employees’ fingerprints to give themaccess to securedbuildings.37A criminal offence isthen committed on the work premises. The police authorities request access to thebiometricdatafilesheldbytheemployertocomparethemwiththebiometricdatafoundonsite.Inthatspecificscenario,whatmattersaretherulesapplicabletolawenforcementauthorities to get access to those data. However, despite the differences between thescenarios,theECJ’srulingsinDigitalRightsIrelandandTele2Sverigealsocovertheissueof lawenforcementaccess to theretaineddata inadditionto the issueofdataretentionitself.ItispreciselythewaytheECJapproachestheissueofaccessthatisrelevantinthecontextofthispaper.There is also enough evidence to believe that the findings ofDigitalRightsIreland andTele2Sverige apply to legislativemeasures beyondmetadata retention.38The EuropeanParliamentandtheEuropeanCommissionhavebothaddressedtheissueoftheimpactoftheDigitalRightsIreland judgment on other EU legislation. Prior to the adoption of the‘police’Directive,thelegalserviceoftheEuropeanParliamentdeliveredanopinionontheconsequences of Digital Rights Ireland.39Since at that time, national legislation on theprocessingofpersonaldata for lawenforcementauthorities felloutside thescopeofEUlaw,40itconsideredthattherulesonlawenforcementaccesstoanduseofpersonaldatacollectedforadifferentpurposewerenotnecessarilyimpactedbythejudgment.However,italsoacknowledged that itspositionwouldbedifferent ifandwhen theproposal fora‘police’Directivewouldbeadopted.41Afewmonthslater,theEuropeanParliamentaskedthe European Commission to assess the possible impact ofDigitalRightsIrelandon theproposed Passenger Name Record (PNR) Directive.42In its answer to the EuropeanParliament, theEuropeanCommissionopined that the judgment set up a framework toassess EU legislation on ‘the general collection and processing for law enforcement

37 eg Guidelines by the Irish Data Protection Commission on ‘Biometrics in the Workplace’<https://www.dataprotection.ie/docs/Biometrics-in-the-workplace/m/244.htm> accessed 1 August 2017;positionoftheFrenchdataprotectionauthority(CNIL)ontheuseofbiometricsystemstocontrolaccesstoworking places <https://www.cnil.fr/fr/le-controle-dacces-biometrique-sur-les-lieux-de-travail> accessed 1August2017.38SeealsoFranziskaBoehmandMarkCole,‘DataRetentionaftertheJudgementoftheCourtofJusticeoftheEuropeanUnion’(30June2014), inwhichtheauthorsassesstheimpactoftheDRI judgmentonotherDataRetentionMeasures<https://www.janalbrecht.eu/fileadmin/material/Dokumente/Boehm_Cole_-_Data_Retention_Study_-_June_2014.pdf>accessed1August2017.39Legal Service of the European Parliament, leaked document, legal opinion of 22 December 2014 ‘LIBE-Questions relating to the judgmentof theCourt of Justiceof8April 2014 in JoinedCasesC-293/12andC-594/12, Digital Rights Ireland and Seitlinger and others - Directive 2006/24/EC on data retention -Consequencesofthejudgment’[2014]para80<http://www.statewatch.org/news/2015/apr/ep-ls-opinion-digital-rights-judgment.pdf> accessed 1 August2017.40The only data protection framework applicable in the context of law enforcement was the CouncilFrameworkDecision2008/977/JHAthatonlycoveredcross-borderprocessingforlawenforcementpurposes,seeRecital7andart1ofCouncilFrameworkDecision2008/977/JHA.41Opinionof theEuropeanParliament(2014), footnote62readsas follows: ‘it [i.e. thedraftDirective]willbringimportantchangestotheUnion’sdataprotectionlawintheareaofcriminallaw,incomparisontotheactcurrentlyinforce,i.e.CouncilFrameworkDecision2008/977/JHA.’42European Parliament, ‘Resolution of 11 February 2015 on anti-terrorism measures’ (2015/2530 (RSP))[2015] Point 13 <http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P8-TA-2015-0032+0+DOC+XML+V0//EN>accessed1August2017.

82

purposesof personal data of individuals.’43TheCommission acknowledged inparticularthat the findings of the Digital Right Ireland case should be taken into account in theassessmentoftheproposalforaPNRDirective.44AsforTele2Sverige,thejudgmentassessestheimpactandapplicationoftheDigitalRightsIreland judgment to national data retention regimes. Because of the scope of Directive2016/680,45it can be strongly asserted that its findings apply to national legislationrelatingtothecollectionofpersonaldatabythirdpartiesandtotheirfurtherprocessingbylawenforcementauthorities.

TheBenchmarksetbyDigitalRightsIrelandandTele2SverigeThe Data Retention Directive was ‘struck down’ by the ECJ in Digital Rights Ireland;whereas national data retention measures still in place (Sweden) or adopted after theinvalidation of the Directive (UK) were declared incompatible with EU law in Tele2Sverige.Thesetwocaseshaveastrongconnection.FollowingtheinvalidationoftheDataRetentionDirective,nationalmeasuresondataretentionstillhadtobecompliantwithEUlaw, and in particular, with the e-privacy Directive (or Directive 2002/28/EC) adoptedbefore the Data Retention Directive. Article 15(1) of that Directive expressly allowsMember States to adoptdata retentionmeasuresunder specific conditions. It is againstthat provision that the ECJ had to determine the compliance of the Swedish and UKmeasuresinTele2Sverige.In Digital Rights Ireland, two national jurisdictions, the High Court of Ireland and theVerfassungsgerichtshof(AustrianConstitutionalCourt),broughtarequestforpreliminaryrulingsbeforetheECJonthevalidityoftheDataRetentionDirective.Thenationalcourtscontested the compatibility of the Directivewith Articles 7, 8 and 11 of the Charter ofFundamentalRights.46InTele2Sverige,aSwedishadministrativeCourtandaUKCourtofAppealreferredpreliminaryquestionstotheECJonthecompatibilityofrespectivelytheSwedishlawsondataretention47andtheUKDRPIA48withthee-privacyDirectiveaswellaswithArticles7and8oftheCharterofFundamentalRights.49

43SeeEuropeanCommission’sanswertotheEuropeanParliamentonthePNRproposalandtheconsequencesof the DRI judgment, as leaked by Statewatch, see <statewatch.org/news/2015/mar/eu-com-eu-pnr-letter.pdf> accessed 1 August 2017. The European Commission referred to ‘legislation’ in general, but oneunderstandsthatitsreasoningfocusesonEUlegislationandnotonnationallegislation.44ibid.45Coveringbothdomesticandcross-borderdataprocessing.46DigitalRightsIreland(n14)para23; thenationalCourtsasked theECJ to review thecompatibilityof theDataRetentionDirectivewithotherEUprovisions(art41Charter,art52(3)-(4)-(7)Charter,andart8ECHR);at national level, proceedings against national measures implementing the Data Retention Directive werebroughtbytheadvocacygroupDigitalRightsIrelandinIrelandandbymorethan11,000applicantsandtheregionalGovernmentofCarinthiainAustria.47Tele2Sverige(n15)paras15and16,respectivelytheLaw2003:389onelectroniccommunications(Lagen(2003:389)omelektroniskkommunikation or LEK) and Regulation 2003:396 on electronic communications(Förordningen(2003:396)omelektroniskkommunikation); theCodeof JudicialProcedure (Rättegångsbalkenor RB) and Law 2012:278 on the collection of data on electronic communications in the law enforcementauthorities’ investigative activities (Lagen (2012:278) om inhämtning av uppgifter om elektroniskkommunikationidebrottsbekämpandemyndigheternasunderrättelseverksamhet).

92

Chapter 4

83

a. ElementsoftheBenchmarkInbothcases,theECJhadtoassesswhetherthedataretentionregimesatEUornationallevel constitutedan interferencewith the right toprivacy (Article7of theCharter)andwith the right to data protection (Article 8 of the Charter) and if so, whether thisinterferencewasjustifiedinapplicationofArticle52(1)oftheCharter.i)Existenceofinterferences?Ineachcase,theCourtdidnotfindonebutseveral interferences.First, theobligationtoretaindata and give lawenforcement authorities access to themconstitute twodistinctinterferenceswith the right to privacy.50Then, without althoughmuch explanation, theECJ ruled inDigitalRightsIrelandthat the Data Retention Directive also constituted aninterference with the right to data protection on the ground that ‘it provides for theprocessing of personal data.’ The Court clearly missed the opportunity to explain thenature and characteristics of metadata and the reasons why metadata should beconsidered personal data.51In Tele2 Sverige, the Court put more emphasis on thedistinctionbetweenthe interferencebasedontheretentionofdataandthe interferencebasedonaccesstothoseretaineddatabylawenforcementauthorities.ii)JustificationsAfterhavingestablished theexistenceof interferences, theCourtassessedwhether theywere justified in application of Article 52(1) of the Charter. Article 52(1) sets theconditions under which fundamental rights, such as the rights to privacy and dataprotection,canbelimited.First,limitationsmustbe‘providedbylaw’.Second,theymust‘respect the essence of those rights.’ Third, they must comply with the principle ofproportionality, meaning they must ‘[be] necessary and genuinely meet objectives ofgeneralinterestrecognizedbytheUnionortheneedtoprotecttherightsandfreedomsofothers.’52The assessment of the Court in the two cases is different: in Digital RightsIreland,53theCourtanalysedindetailthedifferentconditionsunderwhichderogationsto

48OpinionAGSaugmandsgaardØE,Tele2Sverige,paras34and35,thedataretentionregimegovernedbytheData Retention and Investigatory Powers Act 2014 (DRIPA), the Data Retention Regulations 2014 (SI2014/2042) and the Retention of Communications Data Code of Practice and the rules on access tocommunicationsdataasdefinedintheRegulatoryInvestigatoryAct2000asamendmentbytheRegulationofInvestigatory Powers Order 2015 and the Acquisition and Disclosure of Communications Data Code ofPractice,ECLI:EU:C:2016:572.49Atnationallevel,proceedingswerebroughtbyTele2Sverige,aSwedishtelecommunicationsproviderthatstopped retaining traffic data the day after theDRI judgmentwas delivered, and by three individualswhochallenged thenewUKdata retention regimeadoptedafter the invalidationof theDRI judgment; formoredetails,seepara48etseq,andpara55etseq.50DigitalRightsIreland(n14)para32etseq,andTele2Sverige(n15)para100.51Itisquiterelevanttowonderwhichtypeofinfometadatacanrevealaboutanindividual,seeforinstance,Jonathan Mayer, Patrick Mutchler, and John C. Mitchell, ‘Evaluating the Privacy Properties of TelephoneMetadata’(2013)113(20)ProceedingsoftheNationalAcademyofSciencesoftheUnitedStatesofAmerica,5536; see also the position of the A29WP that considers metadata as personal data in A29WP, ‘Opinion04/2014onsurveillanceofelectroniccommunicationsforintelligenceandnationalsecuritypurposes’[2014]WP215,where it states,page4, that: ‘unlike inothercountries, inEurope,metadataarepersonaldataandshouldbeprotected.’52art52(1)oftheCharterofFundamentalRights.53Digital Rights Ireland (n 14) para 39 et seq; the Court assessed whether the Data Retention Directiveinfringed the essence of the rights to privacy and data protection (it did not) and checked whether the

84

thefundamentalrightsarepermitted,whereasinTele2Sverige,theCourtmainlyfocusedontheproportionalityofthenationallawsderogatingtotheprincipleofconfidentiality.54Yet it is precisely on the last condition of Article 52(1) of the Charter, i.e. the test ofproportionality, thatboththeDataRetentionDirectiveandthenationalmeasures failed.The Court found that the Data Retention Directive and the national measures underreviewwerenotproportionatesincetheywentbeyondwhatwasstrictlynecessary.InDigitalRights Ireland, the Court held that the Directive did not ‘lay down clear andpreciserulesgoverningthescopeandapplicationofthemeasureandimposingminimumsafeguards’forthepersonsaffectedbythemeasuresofdataretention.55Morespecifically,concerningthelawenforcementaccesstoretaineddata,theDataRetentionDirectivedidnotprovideany limits.56TheCourt foundthat theDirective failedtodefinean ‘objectivecriterion’ to limit law enforcement access57and also failed to provide “substantive andproceduralconditions”onaccessandfurtheruseoftheretaineddatabylawenforcementauthorities. In particular, the Court found that theDirective did not identifywho couldhave access to the retained data and did not set a procedural rule imposing a priorindependentreviewoftherequestforaccess.58In Tele2 Sverige, the ECJ confirmed the conditions identified in Digital Rights Ireland.Concerning the objective of the national instruments, the Court held that national lawsmustdeterminetheconditionsofaccesstoensurethataccessislimitedtowhatisstrictlynecessary but at the same time, national legislation must adopt ‘substantive andprocedural conditions governing the access’ to the retained data by law enforcementauthorities.59Onthatmatter, theCourtreiterated theconditionssetout inDigitalRightsIrelandinrelationtotheDataRetentionDirective.Thoseincludethe(numberof)personsentitled to get access to the retained data as well as a judicial or administrative priorreview of the request for access.60In Tele2 Sverige, building on the case law of theEuropeanCourtofHumanRights,61theECJspecifiedthat‘accesscan,asageneralrule,begranted, in relation to the objective of fighting crime, only to the data of individualssuspectedofplanningorhavingcommittedaseriouscrimeorofbeingimplicatedinonewayoranotherinsuchacrime.’62Thus,alinkwithaseriouscriminalactivityisnecessary.In the Tele2 Sverige case, the Court added an extra safeguard to allow individuals toexercise their right of remedy: the Court imposed a duty of notification on law

objective of the data retention directive constituted an objective of general interest (it did as it aimed atfightingseriouscrime).54Tele2Sverige(n15)para95etseq.55DigitalRightsIreland(n14)para54.56DigitalRightIreland(n14)para60.57DigitalRightsIreland(n14)para61:‘mustbestrictlyrestrictedtothepurposeofpreventinganddetectingpreciselydefinedseriousoffencesorofconductingcriminalprosecutionsrelatingthereto.’58DigitalRightsIreland(n14)para62.59Tele2Sverige(n15)para118.60DigitalRightsIreland(n14)para62;Tele2Sverige(n15)para118.61Inparticular,RomanZakharovvRussia,Appno47143/06(ECHR,04December2015).62Tele2Sverige(n15)para119.

93

4


83

a. ElementsoftheBenchmarkInbothcases,theECJhadtoassesswhetherthedataretentionregimesatEUornationallevel constitutedan interferencewith the right toprivacy (Article7of theCharter)andwith the right to data protection (Article 8 of the Charter) and if so, whether thisinterferencewasjustifiedinapplicationofArticle52(1)oftheCharter.i)Existenceofinterferences?Ineachcase,theCourtdidnotfindonebutseveral interferences.First, theobligationtoretaindata and give lawenforcement authorities access to themconstitute twodistinctinterferenceswith the right to privacy.50Then, without althoughmuch explanation, theECJ ruled inDigitalRightsIrelandthat the Data Retention Directive also constituted aninterference with the right to data protection on the ground that ‘it provides for theprocessing of personal data.’ The Court clearly missed the opportunity to explain thenature and characteristics of metadata and the reasons why metadata should beconsidered personal data.51In Tele2 Sverige, the Court put more emphasis on thedistinctionbetweenthe interferencebasedontheretentionofdataandthe interferencebasedonaccesstothoseretaineddatabylawenforcementauthorities.ii)JustificationsAfterhavingestablished theexistenceof interferences, theCourtassessedwhether theywere justified in application of Article 52(1) of the Charter. Article 52(1) sets theconditions under which fundamental rights, such as the rights to privacy and dataprotection,canbelimited.First,limitationsmustbe‘providedbylaw’.Second,theymust‘respect the essence of those rights.’ Third, they must comply with the principle ofproportionality, meaning they must ‘[be] necessary and genuinely meet objectives ofgeneralinterestrecognizedbytheUnionortheneedtoprotecttherightsandfreedomsofothers.’52The assessment of the Court in the two cases is different: in Digital RightsIreland,53theCourtanalysedindetailthedifferentconditionsunderwhichderogationsto

48OpinionAGSaugmandsgaardØE,Tele2Sverige,paras34and35,thedataretentionregimegovernedbytheData Retention and Investigatory Powers Act 2014 (DRIPA), the Data Retention Regulations 2014 (SI2014/2042) and the Retention of Communications Data Code of Practice and the rules on access tocommunicationsdataasdefinedintheRegulatoryInvestigatoryAct2000asamendmentbytheRegulationofInvestigatory Powers Order 2015 and the Acquisition and Disclosure of Communications Data Code ofPractice,ECLI:EU:C:2016:572.49Atnationallevel,proceedingswerebroughtbyTele2Sverige,aSwedishtelecommunicationsproviderthatstopped retaining traffic data the day after theDRI judgmentwas delivered, and by three individualswhochallenged thenewUKdata retention regimeadoptedafter the invalidationof theDRI judgment; formoredetails,seepara48etseq,andpara55etseq.50DigitalRightsIreland(n14)para32etseq,andTele2Sverige(n15)para100.51Itisquiterelevanttowonderwhichtypeofinfometadatacanrevealaboutanindividual,seeforinstance,Jonathan Mayer, Patrick Mutchler, and John C. Mitchell, ‘Evaluating the Privacy Properties of TelephoneMetadata’(2013)113(20)ProceedingsoftheNationalAcademyofSciencesoftheUnitedStatesofAmerica,5536; see also the position of the A29WP that considers metadata as personal data in A29WP, ‘Opinion04/2014onsurveillanceofelectroniccommunicationsforintelligenceandnationalsecuritypurposes’[2014]WP215,where it states,page4, that: ‘unlike inothercountries, inEurope,metadataarepersonaldataandshouldbeprotected.’52art52(1)oftheCharterofFundamentalRights.53Digital Rights Ireland (n 14) para 39 et seq; the Court assessed whether the Data Retention Directiveinfringed the essence of the rights to privacy and data protection (it did not) and checked whether the

84

thefundamentalrightsarepermitted,whereasinTele2Sverige,theCourtmainlyfocusedontheproportionalityofthenationallawsderogatingtotheprincipleofconfidentiality.54Yet it is precisely on the last condition of Article 52(1) of the Charter, i.e. the test ofproportionality, thatboththeDataRetentionDirectiveandthenationalmeasures failed.The Court found that the Data Retention Directive and the national measures underreviewwerenotproportionatesincetheywentbeyondwhatwasstrictlynecessary.InDigitalRights Ireland, the Court held that the Directive did not ‘lay down clear andpreciserulesgoverningthescopeandapplicationofthemeasureandimposingminimumsafeguards’forthepersonsaffectedbythemeasuresofdataretention.55Morespecifically,concerningthelawenforcementaccesstoretaineddata,theDataRetentionDirectivedidnotprovideany limits.56TheCourt foundthat theDirective failedtodefinean ‘objectivecriterion’ to limit law enforcement access57and also failed to provide “substantive andproceduralconditions”onaccessandfurtheruseoftheretaineddatabylawenforcementauthorities. In particular, the Court found that theDirective did not identifywho couldhave access to the retained data and did not set a procedural rule imposing a priorindependentreviewoftherequestforaccess.58In Tele2 Sverige, the ECJ confirmed the conditions identified in Digital Rights Ireland.Concerning the objective of the national instruments, the Court held that national lawsmustdeterminetheconditionsofaccesstoensurethataccessislimitedtowhatisstrictlynecessary but at the same time, national legislation must adopt ‘substantive andprocedural conditions governing the access’ to the retained data by law enforcementauthorities.59Onthatmatter, theCourtreiterated theconditionssetout inDigitalRightsIrelandinrelationtotheDataRetentionDirective.Thoseincludethe(numberof)personsentitled to get access to the retained data as well as a judicial or administrative priorreview of the request for access.60In Tele2 Sverige, building on the case law of theEuropeanCourtofHumanRights,61theECJspecifiedthat‘accesscan,asageneralrule,begranted, in relation to the objective of fighting crime, only to the data of individualssuspectedofplanningorhavingcommittedaseriouscrimeorofbeingimplicatedinonewayoranotherinsuchacrime.’62Thus,alinkwithaseriouscriminalactivityisnecessary.In the Tele2 Sverige case, the Court added an extra safeguard to allow individuals toexercise their right of remedy: the Court imposed a duty of notification on law

objective of the data retention directive constituted an objective of general interest (it did as it aimed atfightingseriouscrime).54Tele2Sverige(n15)para95etseq.55DigitalRightsIreland(n14)para54.56DigitalRightIreland(n14)para60.57DigitalRightsIreland(n14)para61:‘mustbestrictlyrestrictedtothepurposeofpreventinganddetectingpreciselydefinedseriousoffencesorofconductingcriminalprosecutionsrelatingthereto.’58DigitalRightsIreland(n14)para62.59Tele2Sverige(n15)para118.60DigitalRightsIreland(n14)para62;Tele2Sverige(n15)para118.61Inparticular,RomanZakharovvRussia,Appno47143/06(ECHR,04December2015).62Tele2Sverige(n15)para119.

94

Chapter 4

enforcementauthoritiesthathaveaccessedtheretaineddata.Theyhavetheobligationtoinformindividuals,accordingtotheirnationallaws,thattheirdatahavebeenaccessed,assoon as this notification can no longer prejudice the investigations.63The Court thusconsidered that this obligation of information has to be implemented in nationalprocedurallaws.In conclusion, on the issueof access to retaineddata, theCourt set out ‘procedural andsubstantive conditions’ to frame that access. Laid down in Digital Rights Ireland andconfirmedinTele2Sverige,EUornationalmeasuresrelatingtothecollectionofpersonaldata and their further processing for law enforcement purposes should contain: anobjectivecriteriontodefinehowandwhenlawenforcementauthoritiesshouldbegrantedaccess to thedata; aprocedural ruleonan independentprior reviewof the request foraccess,andtheobligationtonotify individualswhosepersonaldatahavebeenaccessed.The next sub-section applies the findings ofDigitalRights Ireland and Tele2Sverige todeterminewhetherDirective2016/680containstheconditionsnecessarytogovern lawenforcement access to personal data collected by private parties for a non-lawenforcementpurpose.

ApplicationoftheRulingstoDirective2016/680Preliminarily,itshouldbeobservedthatDigitalRightsIrelandwasdecidedwhileDirective2016/680wasbeingnegotiated.Therefore,andforthereasonsexplainedintheprevioussub-section, its findings should have been taken into account and ‘implemented’ inDirective2016/680.OneshouldexpecttofindintheDirectivetheconditionsidentifiedinDigitalRightsIreland,i.e. the number of persons allowed to access the personal data aswellasaprocedureofpriorreviewoftherequestforlawenforcementaccess.Bycontrast,Tele2SverigewasdecidedaftertheadoptionofDirective2016/680.Itisthereforelogicalthat its findings, and in particular, the obligation of notification,might not be found inDirective2016/680.ThissectionsuggestsareadingofthesafeguardsestablishedinDigitalRightsIrelandandTele2Sverige in thebroadercontextof lawenforcementaccess topersonaldataheldbyprivateparties.Ifthesafeguardshavenotbeenestablishedforthatspecificscenario,theycanstillapplysincethefindingsofthejudgmentsreachbeyonddataretentionmeasures.64

ObjectiveCriteriatoDetermineLawEnforcementAccessFirst, the objective of Directive 2016/680 is to lay down data protection rules whenpersonal data are processed by law enforcement authorities for ‘the prevention,investigation, detection or prosecution of criminal offences or the execution of criminalpenalties,includingthesafeguardingagainstthepreventionandthepreventionofthreats

63Tele2Sverige(n15)para121.64See sub-section 1 (‘Preliminary Remarks on the Use of Digital Rights Ireland and Tele2 Sverige asBenchmark’)ofSectionIII.

to public security.’65This objective is a general objective of fighting crime. As such itconstitutes anobjectiveof general interest.66However, theobjectiveof fighting crime isnot enough to grant access to lawenforcement authorities. InDigitalRightsIreland andTele2Sverige, the Court considered that the objective should at least be an objective offightingseriouscrime.67Accesstoretaineddataneedstobejustifiedbythenatureofthecrime.However, in the scenariounder review,personaldataarenot retained for futureaccessbylawenforcementauthorities;theyareonlymadeavailableifrequested.Assuch,in a criminal investigation context, it seems difficult to argue that law enforcementauthorities shouldonlygetaccess topersonaldata relating to serious crime.Though, inthecontextofcriminalintelligencewhereindicesthatacriminalactivityhasoccurredorwilloccurarenotestablishedyet,itwouldmakesensetolimittheaccesstopersonaldatathat are linked to serious crime, so as to prevent the mass surveillance of individuals.Thus,concerningtheobjectivecriterionoftheconditionsofaccess,adistinctionbetweencriminalinvestigationandcriminalintelligenceisnecessaryinrelationtothenatureofthecriminalactivityatstake.YetDirective2016/680doesnotestablishsuchadistinction.Moreover, what is missing from Directive 2016/680 is the identification of individualsauthorised tohaveaccess to thepersonaldatacollected foradifferentpurpose (staffoflawenforcementauthorities)andthecategoriesofpersonaldatathatshouldbeaccessible(personaldatafromsuspects,criminals,witnesses,etc.).Onthisissue,theleakedversionof the draft ‘police’ Directive of 2011 contained a specific provision. Article 4(2)(a)proposed restraining the access to cases where ‘reasonable grounds give reason toconsider that the processing of the personal data will substantially contribute to theprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties.’68

OversightMechanism:IndependentReviewoftheRequestforAccess?InDigitalRightsIreland,theECJruledthatlawenforcementaccesstoretaineddatashouldbesubjecttoapriorreview,eitherbyaCourtorbyanindependentadministrativebody.Theprocedureshouldbepartofnationalcriminalprocedurallaw.69TheECJleavessomeleewaytoMemberStatesintheimplementationofthereviewmechanism.ThequestioniswhetherDirective2016/680containsaproceduralsafeguardthatensurespriorreviewoftherequestforaccesstopersonaldata.

65art1(1)ofDirective2016/680.66DigitalIrelandRights(n14)para41etseq.67DigitalIrelandRights(n14)paras42-43,andTele2Sverige(n15)para102.68art4(2)(a)oftheleakeddraftversionoftheproposalfora‘policeDirective’(n17).69DigitalRightsIreland(n14)para62,ascomplementedbyTele2Sverige(n15)para120.Thepriorreviewisinitiated ‘following a reasoned request of those authorities submitted within the procedures for theprevention,detectionorprosecutionofcrime.’

95

4


enforcementauthoritiesthathaveaccessedtheretaineddata.Theyhavetheobligationtoinformindividuals,accordingtotheirnationallaws,thattheirdatahavebeenaccessed,assoon as this notification can no longer prejudice the investigations.63The Court thusconsidered that this obligation of information has to be implemented in nationalprocedurallaws.In conclusion, on the issueof access to retaineddata, theCourt set out ‘procedural andsubstantive conditions’ to frame that access. Laid down in Digital Rights Ireland andconfirmedinTele2Sverige,EUornationalmeasuresrelatingtothecollectionofpersonaldata and their further processing for law enforcement purposes should contain: anobjectivecriteriontodefinehowandwhenlawenforcementauthoritiesshouldbegrantedaccess to thedata; aprocedural ruleonan independentprior reviewof the request foraccess,andtheobligationtonotify individualswhosepersonaldatahavebeenaccessed.The next sub-section applies the findings ofDigitalRights Ireland and Tele2Sverige todeterminewhetherDirective2016/680containstheconditionsnecessarytogovern lawenforcement access to personal data collected by private parties for a non-lawenforcementpurpose.

ApplicationoftheRulingstoDirective2016/680Preliminarily,itshouldbeobservedthatDigitalRightsIrelandwasdecidedwhileDirective2016/680wasbeingnegotiated.Therefore,andforthereasonsexplainedintheprevioussub-section, its findings should have been taken into account and ‘implemented’ inDirective2016/680.OneshouldexpecttofindintheDirectivetheconditionsidentifiedinDigitalRightsIreland,i.e. the number of persons allowed to access the personal data aswellasaprocedureofpriorreviewoftherequestforlawenforcementaccess.Bycontrast,Tele2SverigewasdecidedaftertheadoptionofDirective2016/680.Itisthereforelogicalthat its findings, and in particular, the obligation of notification,might not be found inDirective2016/680.ThissectionsuggestsareadingofthesafeguardsestablishedinDigitalRightsIrelandandTele2Sverige in thebroadercontextof lawenforcementaccess topersonaldataheldbyprivateparties.Ifthesafeguardshavenotbeenestablishedforthatspecificscenario,theycanstillapplysincethefindingsofthejudgmentsreachbeyonddataretentionmeasures.64

ObjectiveCriteriatoDetermineLawEnforcementAccessFirst, the objective of Directive 2016/680 is to lay down data protection rules whenpersonal data are processed by law enforcement authorities for ‘the prevention,investigation, detection or prosecution of criminal offences or the execution of criminalpenalties,includingthesafeguardingagainstthepreventionandthepreventionofthreats

63Tele2Sverige(n15)para121.64See sub-section 1 (‘Preliminary Remarks on the Use of Digital Rights Ireland and Tele2 Sverige asBenchmark’)ofSectionIII.

to public security.’65This objective is a general objective of fighting crime. As such itconstitutes anobjectiveof general interest.66However, theobjectiveof fighting crime isnot enough to grant access to lawenforcement authorities. InDigitalRightsIreland andTele2Sverige, the Court considered that the objective should at least be an objective offightingseriouscrime.67Accesstoretaineddataneedstobejustifiedbythenatureofthecrime.However, in the scenariounder review,personaldataarenot retained for futureaccessbylawenforcementauthorities;theyareonlymadeavailableifrequested.Assuch,in a criminal investigation context, it seems difficult to argue that law enforcementauthorities shouldonlygetaccess topersonaldata relating to serious crime.Though, inthecontextofcriminalintelligencewhereindicesthatacriminalactivityhasoccurredorwilloccurarenotestablishedyet,itwouldmakesensetolimittheaccesstopersonaldatathat are linked to serious crime, so as to prevent the mass surveillance of individuals.Thus,concerningtheobjectivecriterionoftheconditionsofaccess,adistinctionbetweencriminalinvestigationandcriminalintelligenceisnecessaryinrelationtothenatureofthecriminalactivityatstake.YetDirective2016/680doesnotestablishsuchadistinction.Moreover, what is missing from Directive 2016/680 is the identification of individualsauthorised tohaveaccess to thepersonaldatacollected foradifferentpurpose (staffoflawenforcementauthorities)andthecategoriesofpersonaldatathatshouldbeaccessible(personaldatafromsuspects,criminals,witnesses,etc.).Onthisissue,theleakedversionof the draft ‘police’ Directive of 2011 contained a specific provision. Article 4(2)(a)proposed restraining the access to cases where ‘reasonable grounds give reason toconsider that the processing of the personal data will substantially contribute to theprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties.’68

OversightMechanism:IndependentReviewoftheRequestforAccess?InDigitalRightsIreland,theECJruledthatlawenforcementaccesstoretaineddatashouldbesubjecttoapriorreview,eitherbyaCourtorbyanindependentadministrativebody.Theprocedureshouldbepartofnationalcriminalprocedurallaw.69TheECJleavessomeleewaytoMemberStatesintheimplementationofthereviewmechanism.ThequestioniswhetherDirective2016/680containsaproceduralsafeguardthatensurespriorreviewoftherequestforaccesstopersonaldata.

65art1(1)ofDirective2016/680.66DigitalIrelandRights(n14)para41etseq.67DigitalIrelandRights(n14)paras42-43,andTele2Sverige(n15)para102.68art4(2)(a)oftheleakeddraftversionoftheproposalfora‘policeDirective’(n17).69DigitalRightsIreland(n14)para62,ascomplementedbyTele2Sverige(n15)para120.Thepriorreviewisinitiated ‘following a reasoned request of those authorities submitted within the procedures for theprevention,detectionorprosecutionofcrime.’

96

Chapter 4

Article 28 of Directive 2016/680 provides for an oversight mechanism. It requires the‘priorconsultation’ofthenationaldataprotectionauthority(DPA)intwocases:70whenadata protection impact assessment has beenperformed andno risk-mitigatingmeasurehasbeenadopted(Article28(1)(a))orwhenaspecificprocessing‘involvesahighrisktotherightsandfreedomsofindividuals’(Article28(1)(b)).71Itcouldbeargued,withafar-stretchedinterpretationofArticle28(1)(b),thatlawenforcementaccesstopersonaldatacollectedbyprivatepartiesforanon-lawenforcementpurposefallswithinthecategoryof‘high-risk processing’. However, not all access to personal data for a law enforcementpurposewouldqualifyas ‘highriskprocessing’.Ifthenotionisundefined,72Recital52ofDirective2016/680providessomeguidancetoassessthelevelofriskofaprocessing.Thepurposeoftheprocessing isoneofthefactors,besidesthenature,scope,andcontextoftheprocessing.Determiningwhetherasubsequentprocessingofpersonaldataforalawenforcementpurposeconstitutesa‘highrisk’processingrequiresacase-by-caseanalysis.Therefore,itcouldbethatthefurtherprocessingofpersonaldatawouldconstitutea‘highrisk’ processing in a context of criminal intelligence because of the risk of masssurveillance;whereasthesameprocessingperformedinacriminal investigationcontextwouldnot.In the end, it is still questionable whether the procedure of ‘prior consultation’ of anational DPA set out in Article 28 of Directive 2016/680 amounts to the procedure of‘priorreview’byan independentauthority,asrequiredby theECJcase law. IfDPAsareindependentauthorities,73itcannotbeclaimedthata‘priorconsultation’isequivalenttoa‘priorreview’.Directive2016/680 indeed lacksclarityon theexactpowergiven todataprotectionauthoritiesthroughthepriorconsultation.Article47(3)ofDirective2016/680,on the powers of national supervisory authorities, refers to their ‘advisory power’ inrespectoftheprocedureofpriorconsultation.Likewise,ifitisjustifiedtorequireapriorjudicialoradministrative reviewof a request foraccess topersonaldata collected foradifferentpurpose,itmightbedisproportionatetorequirethereviewofeachrequestbyanationalDPA.Inconclusion,Article28ofDirective2016/680doesnotseemtobeasufficientproceduralsafeguard.Firstofall,itisnotguaranteedthatalldataprotectionauthoritiesacrosstheEUwouldhavethesamereadingofArticle28ofDirective2016/680.Then,theprovisiononly

70Besides the two cases requiring prior consultation of the DPA, Member States have the possibility toestablishalistofprocessingoperationsthataresubjecttopriorconsultation.Onecouldimaginethatthecaseoflawenforcementaccesstopersonaldatageneratedbythirdpartiescouldbeincludedinsuchalist;howeverthisoptionislefttothediscretionofMemberStates,seeart28(3)Directive2016/680.71art28(1)(b)Directive2016/680.72Recital52Directive2016/680onlyspecifiesthathighriskis‘aparticularriskofprejudicetotherightsandfreedomsofdata subjects’;by comparison in the contextof theGDPR,art35(3)of theRegulationprovidessome guidance onwhat ‘high risk processing’might include: systematic profiling, large-scale processing ofsensitivedataorsystematicandlarge-scalemonitoringofpubliclyaccessibleareas.73Following both the GDPR and Directive 2016/680, DPAs are required to be independent authorities; ontheirindependence,seeamongothers,OrlaLynskey, ‘theEuropeanisationofDataProtectionLaw’(2017)19CambridgeYearbookofEuropeanLegalStudies252.

88

requires an advice (prior consultation) and not a decision (prior review) before thefurther processing for a law enforcement purpose can be executed. Finally, the priorconsultationofDPAsislimitedto‘highriskprocessing’.

TheRighttoInformationasaDutyofNotification?The right to be informed about the collection of one’s own personal data is a veryimportantrightsinceittriggerstheapplicationoftheotherdatasubjects’rights:therighttoaccessthepersonaldatacollected;torectifythemiftheyareinaccurate;tohavethemerasedunderspecificconditions,aswellastobeinformedoftherightoflegalremedies.Inalawenforcementcontext,itislogicalthatthoserightsarenotasbroadasinanon-lawenforcement context. For instance, the necessity of a criminal investigationmay validlyjustify restrictions to those rights. However, following Tele2Sverige, individuals whosepersonal data havebeen accessedby law enforcement authorities shouldbenotified assoon as possible and, in any event, as soon as the notification no longer prejudices theongoinginvestigations.74Article 13 of Directive 2016/680 sets out the right of information, which is defined as‘informationtobemadeavailableortobegiventothedatasubject.’Thisprovisionlistsallthepiecesofinformationtobe‘madeavailableorgiven’toanindividual.However,itdoesnotspecifythattheinformationbeactivelyprovidedtothedatasubject.ThewordingofArticle13 seems to indicate that the right to information is a rightof confirmation thatcollection of personal data has been carried out. The right to information, as set out inArticle13ofDirective2016/680,constitutesanimprovementincomparisonwithArticle16oftheCouncilFrameworkDecision2008/977/JHA.Thislatteronlyprovidesforaright‘tobe informed’ inaccordancewith ‘national law.’Yet,Article13ofDirective2016/680doesnotestablishadutyofnotification.NowhereisitmentionedintheDirectivethatdatasubjects should receive communicationabout the collectionof theirdataas soonas thepurposeforwhichtheirdatahavebeencollectedisnotatstakeanymore.Bycomparisonprinciple2.2oftheCouncilofEurope’sRecommendationontheuseofpersonaldatainthepolicesector(RecommendationR(87)15)providesthattheindividualshouldbe‘informedthatinformationisheldabouthimassoonastheobjectofthepoliceactivitiesisnolongerlikelytobeprejudiced.’75TheabsenceofnotificationisevenmoreproblematicinacasewherepersonaldatahavebeencollectedbyprivatepartiesundertheGDPRregimeandareaccessedforfurtheruseby lawenforcementauthorities.The individualsconcernedarenotabletoexercisetheirrightsproperlyiftheyarenotinformed,atsomepoint,thattheirdatahavebeenaccessed.

In Tele2Sverige, the ECJ required that law enforcement authorities ‘notify the persons

74Tele2Sverige(n15)para121.75However,lawenforcementauthoritieshavecriticisedthisprinciplebecausetheyconsideritdifficulttoputintopractice.

97

4


Article 28 of Directive 2016/680 provides for an oversight mechanism. It requires the‘priorconsultation’ofthenationaldataprotectionauthority(DPA)intwocases:70whenadata protection impact assessment has beenperformed andno risk-mitigatingmeasurehasbeenadopted(Article28(1)(a))orwhenaspecificprocessing‘involvesahighrisktotherightsandfreedomsofindividuals’(Article28(1)(b)).71Itcouldbeargued,withafar-stretchedinterpretationofArticle28(1)(b),thatlawenforcementaccesstopersonaldatacollectedbyprivatepartiesforanon-lawenforcementpurposefallswithinthecategoryof‘high-risk processing’. However, not all access to personal data for a law enforcementpurposewouldqualifyas ‘highriskprocessing’.Ifthenotionisundefined,72Recital52ofDirective2016/680providessomeguidancetoassessthelevelofriskofaprocessing.Thepurposeoftheprocessing isoneofthefactors,besidesthenature,scope,andcontextoftheprocessing.Determiningwhetherasubsequentprocessingofpersonaldataforalawenforcementpurposeconstitutesa‘highrisk’processingrequiresacase-by-caseanalysis.Therefore,itcouldbethatthefurtherprocessingofpersonaldatawouldconstitutea‘highrisk’ processing in a context of criminal intelligence because of the risk of masssurveillance;whereasthesameprocessingperformedinacriminal investigationcontextwouldnot.In the end, it is still questionable whether the procedure of ‘prior consultation’ of anational DPA set out in Article 28 of Directive 2016/680 amounts to the procedure of‘priorreview’byan independentauthority,asrequiredby theECJcase law. IfDPAsareindependentauthorities,73itcannotbeclaimedthata‘priorconsultation’isequivalenttoa‘priorreview’.Directive2016/680 indeed lacksclarityon theexactpowergiven todataprotectionauthoritiesthroughthepriorconsultation.Article47(3)ofDirective2016/680,on the powers of national supervisory authorities, refers to their ‘advisory power’ inrespectoftheprocedureofpriorconsultation.Likewise,ifitisjustifiedtorequireapriorjudicialoradministrative reviewof a request foraccess topersonaldata collected foradifferentpurpose,itmightbedisproportionatetorequirethereviewofeachrequestbyanationalDPA.Inconclusion,Article28ofDirective2016/680doesnotseemtobeasufficientproceduralsafeguard.Firstofall,itisnotguaranteedthatalldataprotectionauthoritiesacrosstheEUwouldhavethesamereadingofArticle28ofDirective2016/680.Then,theprovisiononly

70Besides the two cases requiring prior consultation of the DPA, Member States have the possibility toestablishalistofprocessingoperationsthataresubjecttopriorconsultation.Onecouldimaginethatthecaseoflawenforcementaccesstopersonaldatageneratedbythirdpartiescouldbeincludedinsuchalist;howeverthisoptionislefttothediscretionofMemberStates,seeart28(3)Directive2016/680.71art28(1)(b)Directive2016/680.72Recital52Directive2016/680onlyspecifiesthathighriskis‘aparticularriskofprejudicetotherightsandfreedomsofdata subjects’;by comparison in the contextof theGDPR,art35(3)of theRegulationprovidessome guidance onwhat ‘high risk processing’might include: systematic profiling, large-scale processing ofsensitivedataorsystematicandlarge-scalemonitoringofpubliclyaccessibleareas.73Following both the GDPR and Directive 2016/680, DPAs are required to be independent authorities; ontheirindependence,seeamongothers,OrlaLynskey, ‘theEuropeanisationofDataProtectionLaw’(2017)19CambridgeYearbookofEuropeanLegalStudies252.

88

requires an advice (prior consultation) and not a decision (prior review) before thefurther processing for a law enforcement purpose can be executed. Finally, the priorconsultationofDPAsislimitedto‘highriskprocessing’.

TheRighttoInformationasaDutyofNotification?The right to be informed about the collection of one’s own personal data is a veryimportantrightsinceittriggerstheapplicationoftheotherdatasubjects’rights:therighttoaccessthepersonaldatacollected;torectifythemiftheyareinaccurate;tohavethemerasedunderspecificconditions,aswellastobeinformedoftherightoflegalremedies.Inalawenforcementcontext,itislogicalthatthoserightsarenotasbroadasinanon-lawenforcement context. For instance, the necessity of a criminal investigationmay validlyjustify restrictions to those rights. However, following Tele2Sverige, individuals whosepersonal data havebeen accessedby law enforcement authorities shouldbenotified assoon as possible and, in any event, as soon as the notification no longer prejudices theongoinginvestigations.74Article 13 of Directive 2016/680 sets out the right of information, which is defined as‘informationtobemadeavailableortobegiventothedatasubject.’Thisprovisionlistsallthepiecesofinformationtobe‘madeavailableorgiven’toanindividual.However,itdoesnotspecifythattheinformationbeactivelyprovidedtothedatasubject.ThewordingofArticle13 seems to indicate that the right to information is a rightof confirmation thatcollection of personal data has been carried out. The right to information, as set out inArticle13ofDirective2016/680,constitutesanimprovementincomparisonwithArticle16oftheCouncilFrameworkDecision2008/977/JHA.Thislatteronlyprovidesforaright‘tobe informed’ inaccordancewith ‘national law.’Yet,Article13ofDirective2016/680doesnotestablishadutyofnotification.NowhereisitmentionedintheDirectivethatdatasubjects should receive communicationabout the collectionof theirdataas soonas thepurposeforwhichtheirdatahavebeencollectedisnotatstakeanymore.Bycomparisonprinciple2.2oftheCouncilofEurope’sRecommendationontheuseofpersonaldatainthepolicesector(RecommendationR(87)15)providesthattheindividualshouldbe‘informedthatinformationisheldabouthimassoonastheobjectofthepoliceactivitiesisnolongerlikelytobeprejudiced.’75TheabsenceofnotificationisevenmoreproblematicinacasewherepersonaldatahavebeencollectedbyprivatepartiesundertheGDPRregimeandareaccessedforfurtheruseby lawenforcementauthorities.The individualsconcernedarenotabletoexercisetheirrightsproperlyiftheyarenotinformed,atsomepoint,thattheirdatahavebeenaccessed.

In Tele2Sverige, the ECJ required that law enforcement authorities ‘notify the persons

74Tele2Sverige(n15)para121.75However,lawenforcementauthoritieshavecriticisedthisprinciplebecausetheyconsideritdifficulttoputintopractice.

98

Chapter 4

affected,undertheapplicablenationalprocedures.’76TheCourtaddedthatthenotificationis ‘necessary to enable the persons affected to exercise, inter alia, their right to a legalremedy.’77HoweveronecoulddisputethelegalbasisonwhichtheECJimposesadutyofnotificationonlawenforcementauthoritiesforthefurtherprocessingoftheretaineddata.TheCourtbased its reasoningonArticle15(2)of thee-privacyDirective ‘read together’withArticle22of theDataProtectionDirective.78Yet theDataProtectionDirectivedoesnot apply to the processing of data for law enforcement purposes. Those processingoperations are excluded from the scope of EU law except when they are exchangedbetweenMemberStates.Cross-borderdataprocessingforlawenforcementpurposesfallswithinthescopeofCouncilFrameworkDecision2008/977/JHA.79But,thankstoacleverartifice,theECJheldthatboththeretentionofdatabytelecomsoperatorsandtheiraccessby law enforcement authorities fell within the scope of the e-privacy Directive. Toreinforce its position, theCourt added that the only reason that thedatawere retainedwastoprovidelawenforcementauthoritiesaccesstothem.80Asmentionedinsub-section2,thereasoningoftheECJonthisspecificissueisdisputable.Withtheadoptionofthenewdata protection framework, the scenario of access by law enforcement authorities toretained personal data should be considered as a processing for a law enforcementpurposeandfallwithinthescopeofDirective2016/680.81However,beyondthepossiblediscussionon the scopeof thee-privacyDirectiveand the inclusionof lawenforcementaccess,oneshouldfocusontheinterpretationoftherighttoinformationgivenbytheECJ.Inascenariooflawenforcementaccesstopersonaldatageneratedinadifferentcontext,theright to informationought tobe interpretedasadutyofnotification.Yetasdrafted,Article13ofDirective2016/680doesnotlaydownsuchanobligation.After the analysis of the ECJ case law on data retention and its possible impact on thesafeguardscontainedinthe‘police’Directive,thearticlewillassesswhethertheprincipleofpurposelimitation,asdefinedinDirective2016/680,playsitsroleofsafeguardinthecontextoflawenforcementaccess.

SafeguardsagainstAbuses:ThePrincipleofPurposeLimitation?In thescenarioatstakeaswellas inthescenarioofdataretentionofpersonaldata, themain issue fromadataprotectionperspective is the changeof initialpurpose:personaldata collected for a specific purpose are then reprocessed for a different purpose. AsstatedbytheA29WPinitsopiniononpurposelimitation(Opinion03/2013),theprinciple

76Tele2Sverige(n15)para121.77ibid.78ibid.79Recital6CouncilFrameworkDecision2008/977/JHA.80Tele2Sverige(n15)para79.81SeeRecital 19GDPRmaking a bridgebetween theGDPR and theDirective in case of further use by lawenforcementauthoritiesofpersonaldatacollectedundertheGDPR..

of purpose limitation is ‘a cornerstone of data protection.’82It constitutes a safeguardagainst themisuseorabuseofpersonaldataandguides the lawfuluseofpersonaldatacollectedforadifferentpurpose.Inasituationwherelawenforcementauthoritiesgetaccesstopersonaldatageneratedbyprivateparties, thepurposeofthefurtherprocessingofpersonaldata(lawenforcementpurpose)hasnolinkwiththeinitialpurposeofdatacollection(commercialoroperationalpurpose).Assuch,thepurposeofthefurtherprocessingshouldbedeemedincompatiblewiththeinitialpurposeofprocessing.Yet,Article4(2)ofDirective2016/680allowstherepurposingofpersonaldatacollectedbyotherpartiesforadifferentpurposeundertheconditions of legality and proportionality. The question that arises is whether thisprovision offers sufficient guarantees to protect individuals whose personal data arecollectedunder the regimeof theGDPRandsubsequentlyusedunder the regimeof the‘police’Directive.

NotionofPurposeLimitationDescribed in identical terms in the GDPR and the ‘police’ Directive, the principle ofpurpose limitation entails that personal data are ‘collected for specified, explicit, andlegitimate purposes and not processed in a manner that is incompatible with thosepurposes.’83ThiswordingoriginatesfromArticle6(1)(b)oftheDataProtectionDirective.AsanalysedbytheA29WP,theprincipleofpurposelimitationiscomposedofaprincipleof purpose specification (‘specified, explicit and legitimatepurposes’) and a principle ofcompatibleuse(‘notprocessedinamannerincompatible’).84Sincethefocusofthispaperis on the further processing of personal data and not on their initial processing, it isassumed that the purpose of initial processing satisfies the criteria of purposespecification. For the same reason, the terms ‘purpose limitation’ and ‘principle ofcompatibleuse’areusedinterchangeablyinthissection.

ApplicationofthePrinciple:TestofCompatibilityversusDerogationThe interpretation given to the principle of purpose limitation is different in a non-lawenforcementcontextfromthatinalawenforcementcontext.WhentheGDPRapplies,thecompatibilityofafurtherprocessingwiththeinitialprocessingisassessedinapplicationof a testof compatibilitybasedon five factors asdescribed inArticle6(4)GDPR.Thoseincludethelinkbetweentheinitialprocessingandthefurtherprocessing;thecontextofdata collection; the nature of personal data (such as sensitive data); the impact of thefurther processing on data subjects, and the existence of appropriate safeguards tocompensateforthechangeofpurpose(s).85Thefactorof“contextofprocessing”should,in82A29WP,‘Opinion03/2013onpurposelimitation’[2013]WP203,4.83art5(1)(b)GDPRandart4(1)(b)ofDirective2016/680.84Opinion03/2013(n82).85art6(4)GDPRreadsasfollows:‘Wheretheprocessingforapurposeotherthanthatforwhichthepersonaldatahavebeencollectedisnotbasedonthedatasubject’sconsentoronaUnionorMemberStatelawwhichconstitutes a necessary and proportionate measure in a democratic society to safeguard the objectivesreferredtoinArticle23(1),thecontrollershall,inordertoascertainwhetherprocessingforanotherpurpose

99

4


affected,undertheapplicablenationalprocedures.’76TheCourtaddedthatthenotificationis ‘necessary to enable the persons affected to exercise, inter alia, their right to a legalremedy.’77HoweveronecoulddisputethelegalbasisonwhichtheECJimposesadutyofnotificationonlawenforcementauthoritiesforthefurtherprocessingoftheretaineddata.TheCourtbased its reasoningonArticle15(2)of thee-privacyDirective ‘read together’withArticle22of theDataProtectionDirective.78Yet theDataProtectionDirectivedoesnot apply to the processing of data for law enforcement purposes. Those processingoperations are excluded from the scope of EU law except when they are exchangedbetweenMemberStates.Cross-borderdataprocessingforlawenforcementpurposesfallswithinthescopeofCouncilFrameworkDecision2008/977/JHA.79But,thankstoacleverartifice,theECJheldthatboththeretentionofdatabytelecomsoperatorsandtheiraccessby law enforcement authorities fell within the scope of the e-privacy Directive. Toreinforce its position, theCourt added that the only reason that thedatawere retainedwastoprovidelawenforcementauthoritiesaccesstothem.80Asmentionedinsub-section2,thereasoningoftheECJonthisspecificissueisdisputable.Withtheadoptionofthenewdata protection framework, the scenario of access by law enforcement authorities toretained personal data should be considered as a processing for a law enforcementpurposeandfallwithinthescopeofDirective2016/680.81However,beyondthepossiblediscussionon the scopeof thee-privacyDirectiveand the inclusionof lawenforcementaccess,oneshouldfocusontheinterpretationoftherighttoinformationgivenbytheECJ.Inascenariooflawenforcementaccesstopersonaldatageneratedinadifferentcontext,theright to informationought tobe interpretedasadutyofnotification.Yetasdrafted,Article13ofDirective2016/680doesnotlaydownsuchanobligation.After the analysis of the ECJ case law on data retention and its possible impact on thesafeguardscontainedinthe‘police’Directive,thearticlewillassesswhethertheprincipleofpurposelimitation,asdefinedinDirective2016/680,playsitsroleofsafeguardinthecontextoflawenforcementaccess.

SafeguardsagainstAbuses:ThePrincipleofPurposeLimitation?In thescenarioatstakeaswellas inthescenarioofdataretentionofpersonaldata, themain issue fromadataprotectionperspective is the changeof initialpurpose:personaldata collected for a specific purpose are then reprocessed for a different purpose. AsstatedbytheA29WPinitsopiniononpurposelimitation(Opinion03/2013),theprinciple

76Tele2Sverige(n15)para121.77ibid.78ibid.79Recital6CouncilFrameworkDecision2008/977/JHA.80Tele2Sverige(n15)para79.81SeeRecital 19GDPRmaking a bridgebetween theGDPR and theDirective in case of further use by lawenforcementauthoritiesofpersonaldatacollectedundertheGDPR..

of purpose limitation is ‘a cornerstone of data protection.’82It constitutes a safeguardagainst themisuseorabuseofpersonaldataandguides the lawfuluseofpersonaldatacollectedforadifferentpurpose.Inasituationwherelawenforcementauthoritiesgetaccesstopersonaldatageneratedbyprivateparties, thepurposeofthefurtherprocessingofpersonaldata(lawenforcementpurpose)hasnolinkwiththeinitialpurposeofdatacollection(commercialoroperationalpurpose).Assuch,thepurposeofthefurtherprocessingshouldbedeemedincompatiblewiththeinitialpurposeofprocessing.Yet,Article4(2)ofDirective2016/680allowstherepurposingofpersonaldatacollectedbyotherpartiesforadifferentpurposeundertheconditions of legality and proportionality. The question that arises is whether thisprovision offers sufficient guarantees to protect individuals whose personal data arecollectedunder the regimeof theGDPRandsubsequentlyusedunder the regimeof the‘police’Directive.

NotionofPurposeLimitationDescribed in identical terms in the GDPR and the ‘police’ Directive, the principle ofpurpose limitation entails that personal data are ‘collected for specified, explicit, andlegitimate purposes and not processed in a manner that is incompatible with thosepurposes.’83ThiswordingoriginatesfromArticle6(1)(b)oftheDataProtectionDirective.AsanalysedbytheA29WP,theprincipleofpurposelimitationiscomposedofaprincipleof purpose specification (‘specified, explicit and legitimatepurposes’) and a principle ofcompatibleuse(‘notprocessedinamannerincompatible’).84Sincethefocusofthispaperis on the further processing of personal data and not on their initial processing, it isassumed that the purpose of initial processing satisfies the criteria of purposespecification. For the same reason, the terms ‘purpose limitation’ and ‘principle ofcompatibleuse’areusedinterchangeablyinthissection.

ApplicationofthePrinciple:TestofCompatibilityversusDerogationThe interpretation given to the principle of purpose limitation is different in a non-lawenforcementcontextfromthatinalawenforcementcontext.WhentheGDPRapplies,thecompatibilityofafurtherprocessingwiththeinitialprocessingisassessedinapplicationof a testof compatibilitybasedon five factors asdescribed inArticle6(4)GDPR.Thoseincludethelinkbetweentheinitialprocessingandthefurtherprocessing;thecontextofdata collection; the nature of personal data (such as sensitive data); the impact of thefurther processing on data subjects, and the existence of appropriate safeguards tocompensateforthechangeofpurpose(s).85Thefactorof“contextofprocessing”should,in82A29WP,‘Opinion03/2013onpurposelimitation’[2013]WP203,4.83art5(1)(b)GDPRandart4(1)(b)ofDirective2016/680.84Opinion03/2013(n82).85art6(4)GDPRreadsasfollows:‘Wheretheprocessingforapurposeotherthanthatforwhichthepersonaldatahavebeencollectedisnotbasedonthedatasubject’sconsentoronaUnionorMemberStatelawwhichconstitutes a necessary and proportionate measure in a democratic society to safeguard the objectivesreferredtoinArticle23(1),thecontrollershall,inordertoascertainwhetherprocessingforanotherpurpose

100

Chapter 4

particular, be understood as “reasonable expectations of data subjects based on theirrelationshipwiththecontrollerastotheirfurtheruse.”86Thesefactorsapplyifthefurtherprocessing is not based on the data subject’s consent for the further processing or onnationalorEUlawallowingthefurtherprocessing.87Bycontrast,inalawenforcementcontext,thecompatibilityofafurtherprocessingisnotassessed in application of a test of compatibility. Instead, Article 4(2) of Directive2016/680providesforaderogationfromtheprincipleofpurposelimitation:thefurtherprocessingofpersonaldataforapurposedifferentthantheinitialpurposeofcollectionisallowedifitcomplieswiththeprinciplesoflegality(i.e.basedon“UnionorMemberStatelaw”) and proportionality (“processing necessary and proportionate to that otherpurpose”).88Article4(2)ofDirective2016/680raisesat least two issues: the firstone relates to theinitialprocessingofpersonaldataandthesecondonetothecompatibilityofthefurtherprocessingofpersonaldataforalawenforcementpurposewiththeinitialpurposeoftheircollectioninanon-lawenforcementcontext.First,fromthewordingofArticle4(2)ofDirective2016/680,itisnotclearwhichtypeof‘initial purpose’ is referred to. The first sentence of Article 4(2) provides that “theprocessingbythesameoranothercontrollerforanyofthepurposessetoutinArticle1(1)otherthanthatforwhichthepersonaldataarecollectedshallbepermitted…”Shouldthephrase“otherthanthatforwhich”beunderstoodasreferringtoanypurposeotherthanthoseofDirective2016/680,i.e.anynon-lawenforcementpurpose?Alternatively,shouldit be understood as referring to any initial purpose coveredbyDirective 2016/680butdifferentfromthepurposeoffurtheruse?Inthatcase,theinitialandfurtherpurposesareofthesamenature,i.e.theyfallwithinthebroadcategoryoflawenforcement,buttheyaredifferent. For instance, one could think of personal data collected in the context of aspecificcriminalinvestigationandfurtherusedinanon-relatedinvestigation.Intheend,

iscompatiblewiththepurposeforwhichthepersonalareinitiallycollected,takeintoaccount,interalia:(a)any link between the purposes for which the personal data have been collected and the purposes of theintended further processing; (b) the context in which the personal data have been collected, in particularregarding the relationshipbetweendata subjects and the controller; (c) thenatureof thepersonal data, inparticular whether special categories of personal data are processed, pursuant to Article 9, or whetherpersonal data related to criminal convictions and offences are processed, pursuant to Article 10; (d) thepossibleconsequencesof the intended furtherprocessing fordatasubjects; (e) theexistenceofappropriatesafeguards,whichmayincludeencryptionorpseudonymisation.’86Recital50GDPR.87art6(4)GDPR.88art4(2)Directive2016/680readsasfollows: ‘ProcessingbythesameoranothercontrollerforanyofthepurposessetoutinArticle1(1)otherthanforwhichthepersonaldataarecollectedshallbepermittedinsofaras: (a) thecontroller isauthorised toprocesssuchpersonaldata forsuchapurpose inaccordancewithUnion or Member State law; and (b) processing is necessary and proportionate to that other purpose inaccordance with Union or Member State law.’ Art 4(2) GDPR needs to be read together with Recital 29Directive2016/680.

thewordingofArticle4(2)ofDirective2016/680remainsambiguous89andallowsforabroadinterpretationthatencompassesanyinitialpurposeofprocessingwithinoroutsidethescopeofDirective2016/680.Next, in application of Article 4(2) of Directive 2016/680, the further processing isauthorised provided it is based on a national or EU law, and it is necessary andproportionate to the purpose of law enforcement. Yet, that article establishes no linkbetweenthepurposeof the initialprocessingandthepurposeof thefurtherprocessing.Does itmean that the furtherpurpose is incompatiblepersewith the initialpurposeofprocessing? It is at least not possible to draw that conclusion from the wording ofDirective2016/680.Asamatterof comparison,under theGDPR,unrelatedpurposesofprocessing are not considered incompatible per se. For instance, Article 5(1)(b) of theGDPRclearlyestablishesthatthefurtherprocessingforascientific,historicalorstatisticalpurpose is not incompatible with the initial purpose of processing, as long as it isaccompanied with appropriate safeguards.90However, in a law enforcement context,Directive 2016/680 does not contain a similar provision. Article 4(2) of Directive2016/680doesnotevenrefer to thenotionofcompatibilitybetween the initialand thefurther purposes of processing. Instead, it authorises the subsequent processing underspecific conditions. The provision seems to establish a derogation from the principle of‘purposelimitation’describedinArticle4(1)(b)ofDirective2016/680.Yet,theapproachfollowed inDirective 2016/680 is different from the one that the A29WP advocated inOpinion03/2013.InthatOpinion,theA29WPreviewedseveralmixedscenariosinvolvinganinitialcollectionofpersonaldataforanon-lawenforcementpurposefollowedbyare-use of those data for a law enforcement purpose. These specific scenarios relate to theDataRetentionDirective, thePNRscheme, theEURODACdatabaseand theuseof smartmetering data for the purpose of detecting tax fraud.91In the analysis of the differentexamples, the A29WP did not state that the further processing was prima facieincompatible with the original purpose of processing. Instead, it performed a test ofcompatibility,weighingthefurtherprocessingforalawenforcementpurposeagainsttheinitialpurposeofcollectionusingvariousfactors.TheA29WPbaseditswholereasoningon the initial purpose of collection. If that purpose fell within the scope of the DataProtection Directive, the further processing –whatever its nature- had to be assessedfollowingthetestofcompatibilitytheA29WPhaddefined.What is problematic in the approach of the principle of purpose limitation set out inDirective2016/680istheabsenceoftestofcompatibility,whichisreplacedinsteadbyaderogation based on the principles of necessity and proportionality. Yet, as rightlyobservedbytheEuropeanDataProtectionSupervisor inrespectof the furtheruse fora

89Recital29Directive2016/680doesnotbringfurtherclarificationas itrelatesto ‘personaldata[that]areprocessedbythesameoranothercontrollerforapurposewithinthescopeofthisDirectiveotherthanthatforwhichithadbeencollected…’90Appropriatesafeguardsasdefinedinart89(1)GDPR.91Opinion03/2013(n82)Annex4,examples17to20,67-69.

101

4


particular, be understood as “reasonable expectations of data subjects based on theirrelationshipwiththecontrollerastotheirfurtheruse.”86Thesefactorsapplyifthefurtherprocessing is not based on the data subject’s consent for the further processing or onnationalorEUlawallowingthefurtherprocessing.87Bycontrast,inalawenforcementcontext,thecompatibilityofafurtherprocessingisnotassessed in application of a test of compatibility. Instead, Article 4(2) of Directive2016/680providesforaderogationfromtheprincipleofpurposelimitation:thefurtherprocessingofpersonaldataforapurposedifferentthantheinitialpurposeofcollectionisallowedifitcomplieswiththeprinciplesoflegality(i.e.basedon“UnionorMemberStatelaw”) and proportionality (“processing necessary and proportionate to that otherpurpose”).88Article4(2)ofDirective2016/680raisesat least two issues: the firstone relates to theinitialprocessingofpersonaldataandthesecondonetothecompatibilityofthefurtherprocessingofpersonaldataforalawenforcementpurposewiththeinitialpurposeoftheircollectioninanon-lawenforcementcontext.First,fromthewordingofArticle4(2)ofDirective2016/680,itisnotclearwhichtypeof‘initial purpose’ is referred to. The first sentence of Article 4(2) provides that “theprocessingbythesameoranothercontrollerforanyofthepurposessetoutinArticle1(1)otherthanthatforwhichthepersonaldataarecollectedshallbepermitted…”Shouldthephrase“otherthanthatforwhich”beunderstoodasreferringtoanypurposeotherthanthoseofDirective2016/680,i.e.anynon-lawenforcementpurpose?Alternatively,shouldit be understood as referring to any initial purpose coveredbyDirective 2016/680butdifferentfromthepurposeoffurtheruse?Inthatcase,theinitialandfurtherpurposesareofthesamenature,i.e.theyfallwithinthebroadcategoryoflawenforcement,buttheyaredifferent. For instance, one could think of personal data collected in the context of aspecificcriminalinvestigationandfurtherusedinanon-relatedinvestigation.Intheend,

iscompatiblewiththepurposeforwhichthepersonalareinitiallycollected,takeintoaccount,interalia:(a)any link between the purposes for which the personal data have been collected and the purposes of theintended further processing; (b) the context in which the personal data have been collected, in particularregarding the relationshipbetweendata subjects and the controller; (c) thenatureof thepersonal data, inparticular whether special categories of personal data are processed, pursuant to Article 9, or whetherpersonal data related to criminal convictions and offences are processed, pursuant to Article 10; (d) thepossibleconsequencesof the intended furtherprocessing fordatasubjects; (e) theexistenceofappropriatesafeguards,whichmayincludeencryptionorpseudonymisation.’86Recital50GDPR.87art6(4)GDPR.88art4(2)Directive2016/680readsasfollows: ‘ProcessingbythesameoranothercontrollerforanyofthepurposessetoutinArticle1(1)otherthanforwhichthepersonaldataarecollectedshallbepermittedinsofaras: (a) thecontroller isauthorised toprocesssuchpersonaldata forsuchapurpose inaccordancewithUnion or Member State law; and (b) processing is necessary and proportionate to that other purpose inaccordance with Union or Member State law.’ Art 4(2) GDPR needs to be read together with Recital 29Directive2016/680.

thewordingofArticle4(2)ofDirective2016/680remainsambiguous89andallowsforabroadinterpretationthatencompassesanyinitialpurposeofprocessingwithinoroutsidethescopeofDirective2016/680.Next, in application of Article 4(2) of Directive 2016/680, the further processing isauthorised provided it is based on a national or EU law, and it is necessary andproportionate to the purpose of law enforcement. Yet, that article establishes no linkbetweenthepurposeof the initialprocessingandthepurposeof thefurtherprocessing.Does itmean that the furtherpurpose is incompatiblepersewith the initialpurposeofprocessing? It is at least not possible to draw that conclusion from the wording ofDirective2016/680.Asamatterof comparison,under theGDPR,unrelatedpurposesofprocessing are not considered incompatible per se. For instance, Article 5(1)(b) of theGDPRclearlyestablishesthatthefurtherprocessingforascientific,historicalorstatisticalpurpose is not incompatible with the initial purpose of processing, as long as it isaccompanied with appropriate safeguards.90However, in a law enforcement context,Directive 2016/680 does not contain a similar provision. Article 4(2) of Directive2016/680doesnotevenrefer to thenotionofcompatibilitybetween the initialand thefurther purposes of processing. Instead, it authorises the subsequent processing underspecific conditions. The provision seems to establish a derogation from the principle of‘purposelimitation’describedinArticle4(1)(b)ofDirective2016/680.Yet,theapproachfollowed inDirective 2016/680 is different from the one that the A29WP advocated inOpinion03/2013.InthatOpinion,theA29WPreviewedseveralmixedscenariosinvolvinganinitialcollectionofpersonaldataforanon-lawenforcementpurposefollowedbyare-use of those data for a law enforcement purpose. These specific scenarios relate to theDataRetentionDirective, thePNRscheme, theEURODACdatabaseand theuseof smartmetering data for the purpose of detecting tax fraud.91In the analysis of the differentexamples, the A29WP did not state that the further processing was prima facieincompatible with the original purpose of processing. Instead, it performed a test ofcompatibility,weighingthefurtherprocessingforalawenforcementpurposeagainsttheinitialpurposeofcollectionusingvariousfactors.TheA29WPbaseditswholereasoningon the initial purpose of collection. If that purpose fell within the scope of the DataProtection Directive, the further processing –whatever its nature- had to be assessedfollowingthetestofcompatibilitytheA29WPhaddefined.What is problematic in the approach of the principle of purpose limitation set out inDirective2016/680istheabsenceoftestofcompatibility,whichisreplacedinsteadbyaderogation based on the principles of necessity and proportionality. Yet, as rightlyobservedbytheEuropeanDataProtectionSupervisor inrespectof the furtheruse fora

89Recital29Directive2016/680doesnotbringfurtherclarificationas itrelatesto ‘personaldata[that]areprocessedbythesameoranothercontrollerforapurposewithinthescopeofthisDirectiveotherthanthatforwhichithadbeencollected…’90Appropriatesafeguardsasdefinedinart89(1)GDPR.91Opinion03/2013(n82)Annex4,examples17to20,67-69.

102

Chapter 4

lawenforcementpurposeof large-scaledatabases initiallyconstitutedforadministrativepurposes: ‘a database regarded as proportionate when used for a specific purpose canbecomedisproportionatewhen the use is expanded to other purposes afterwards.’92Toacknowledge this situation, some authors have even redefined the principle of purposelimitationasaprincipleof ‘purposedeviation’thatreflectstheabsenceof linksbetweenthe initial and the furtherpurposesofprocessing.93It is therefore the roleof theECJ tointerpret the principles of necessity and proportionality in a way that will ensure theprotection of data subjects. To do so, the Court ought to take into account the initialpurposeofprocessinginitsinterpretationoftheprincipleofproportionalityasprovidedunderArticle4(2)ofDirective2016/680.

ConclusionsThescenariooflawenforcementaccesstopersonaldatainitiallycollectedforadifferentpurposeraisescomplexissues.Ifitisestablishedthatthefurtherprocessingofthosedatafora lawenforcementpurpose fallswithin the scopeofDirective2016/680,no specificrulestakingintoaccountthatscenariohavebeenadopted.However,inlightoftwoECJ’srulings, Digital Rights Ireland and Tele2 Sverige, on partially similar scenarios, theassessmentof therulescontainedinDirective2016/680revealsthattheDirective lacksessential provisions to ensure the protection of individuals’ right to data protection. Inparticular,theDirectivefailstoprovideobjectivecriteriatodelimitthelawenforcementaccesstopersonaldatageneratedforadifferentpurposeandaspecificproceduralruleonthe prior reviewof the request for access. As for the right to be informed, it should beinterpreted,inthatcontext,asarighttobenotified,atacertainpoint,thatdatahavebeenaccessedby lawenforcementauthorities.Thearticlealsopointsout that theabsenceofspecificrulesisalsodetrimentaltotheprincipleofpurposelimitation,whichdoesnotlinktheinitialpurposeofprocessingwiththepurposeoffurtherprocessing.To overcome these shortcomings, several solutions could be envisaged. First, since theDirective has recently been adopted, a revision of the Directive to incorporate rulesspecifictothescenarioissimplynotapracticaloption.Asasolution,onecouldconsidertheopportunityprovidedbytheongoingrevisionofthee-privacyDirectivetoaddspecificrules,basedonthefindingsofDigitalRightsIrelandandTele2Sverige,tocoverthescenariooflawenforcementaccesstopersonaldatagenerated

92SeeEDPS,‘OpinionoftheEuropeanDataProtectionSupervisorontheCommunicationfromtheCommissionto the European Parliament, the Council, the Economic and Social Committee and the Committee of theRegionsonmigration’[2012]OJC34/18,para17;EDPS,‘Opinion07/2016,EDPSOpinionontheFirstreformpackageontheCommonEuropeanAsylumSystem(Eurodac,EASOandDublinregulations) [2016],para17<https://edps.europa.eu/sites/edp/files/publication/16-09-21_ceas_opinion_en.pdf>accessed1August2017.93e.g.ElsdeBusserandGertVermeulen,‘TowardsaCoherentEUPolicyonOutgoingDataTransfersforUseinCriminalMatters?TheAdequacyRequirement and the FrameworkDecisiononDataProtection inCriminalMatters.ATransatlanticExercise inAdequacy’ inMarcCoolsetal (eds),EUandInternationalCrimeControl.TopicalIssues,GovernanceandSecurityResearchPaperSeries,Vol.4(Maklu2010)102.

byprivateparties.Thisoptionwould,however,be limitedtothefurtheruseofpersonaldata originally processed by telecommunications providers only. Therefore, this optionwouldbequiterestrictive.Thesecondoptionwouldbe inthehandsof theEuropeanDataProtectionBoard,whichcould issueanopinionon thedataprotectionrulesapplicable to thescenario, includingthe implications ofTele2Sverige on the interpretation ofDirective 2016/680. Themaindrawbackofthisoptionliesinitsnon-bindingnature.Ultimately,andthislastoptionwouldoffermorelegalcertainty,aftertheimplementationof Directive 2016/680 in national legislation, national courts could send preliminaryquestions to the ECJ on the interpretation of the key provisions of Directive 2016/680(andinparticularontherighttobeinformed,theprocedureofpriorreviewbyDPAsandon thederogation to theprinciple of purpose limitation).Thisoptionmightnotbe fast.Andonemightneed, in theend, the resilienceandactivismof anotherSchremsto starttailor-madeproceedingsatnationallevelandpavethewaytotheECJ.

103

4


lawenforcementpurposeof large-scaledatabases initiallyconstitutedforadministrativepurposes: ‘a database regarded as proportionate when used for a specific purpose canbecomedisproportionatewhen the use is expanded to other purposes afterwards.’92Toacknowledge this situation, some authors have even redefined the principle of purposelimitationasaprincipleof ‘purposedeviation’thatreflectstheabsenceof linksbetweenthe initial and the furtherpurposesofprocessing.93It is therefore the roleof theECJ tointerpret the principles of necessity and proportionality in a way that will ensure theprotection of data subjects. To do so, the Court ought to take into account the initialpurposeofprocessinginitsinterpretationoftheprincipleofproportionalityasprovidedunderArticle4(2)ofDirective2016/680.

ConclusionsThescenariooflawenforcementaccesstopersonaldatainitiallycollectedforadifferentpurposeraisescomplexissues.Ifitisestablishedthatthefurtherprocessingofthosedatafora lawenforcementpurpose fallswithin the scopeofDirective2016/680,no specificrulestakingintoaccountthatscenariohavebeenadopted.However,inlightoftwoECJ’srulings, Digital Rights Ireland and Tele2 Sverige, on partially similar scenarios, theassessmentof therulescontainedinDirective2016/680revealsthattheDirective lacksessential provisions to ensure the protection of individuals’ right to data protection. Inparticular,theDirectivefailstoprovideobjectivecriteriatodelimitthelawenforcementaccesstopersonaldatageneratedforadifferentpurposeandaspecificproceduralruleonthe prior reviewof the request for access. As for the right to be informed, it should beinterpreted,inthatcontext,asarighttobenotified,atacertainpoint,thatdatahavebeenaccessedby lawenforcementauthorities.Thearticlealsopointsout that theabsenceofspecificrulesisalsodetrimentaltotheprincipleofpurposelimitation,whichdoesnotlinktheinitialpurposeofprocessingwiththepurposeoffurtherprocessing.To overcome these shortcomings, several solutions could be envisaged. First, since theDirective has recently been adopted, a revision of the Directive to incorporate rulesspecifictothescenarioissimplynotapracticaloption.Asasolution,onecouldconsidertheopportunityprovidedbytheongoingrevisionofthee-privacyDirectivetoaddspecificrules,basedonthefindingsofDigitalRightsIrelandandTele2Sverige,tocoverthescenariooflawenforcementaccesstopersonaldatagenerated

92SeeEDPS,‘OpinionoftheEuropeanDataProtectionSupervisorontheCommunicationfromtheCommissionto the European Parliament, the Council, the Economic and Social Committee and the Committee of theRegionsonmigration’[2012]OJC34/18,para17;EDPS,‘Opinion07/2016,EDPSOpinionontheFirstreformpackageontheCommonEuropeanAsylumSystem(Eurodac,EASOandDublinregulations) [2016],para17<https://edps.europa.eu/sites/edp/files/publication/16-09-21_ceas_opinion_en.pdf>accessed1August2017.93e.g.ElsdeBusserandGertVermeulen,‘TowardsaCoherentEUPolicyonOutgoingDataTransfersforUseinCriminalMatters?TheAdequacyRequirement and the FrameworkDecisiononDataProtection inCriminalMatters.ATransatlanticExercise inAdequacy’ inMarcCoolsetal (eds),EUandInternationalCrimeControl.TopicalIssues,GovernanceandSecurityResearchPaperSeries,Vol.4(Maklu2010)102.

byprivateparties.Thisoptionwould,however,be limitedtothefurtheruseofpersonaldata originally processed by telecommunications providers only. Therefore, this optionwouldbequiterestrictive.Thesecondoptionwouldbe inthehandsof theEuropeanDataProtectionBoard,whichcould issueanopinionon thedataprotectionrulesapplicable to thescenario, includingthe implications ofTele2Sverige on the interpretation ofDirective 2016/680. Themaindrawbackofthisoptionliesinitsnon-bindingnature.Ultimately,andthislastoptionwouldoffermorelegalcertainty,aftertheimplementationof Directive 2016/680 in national legislation, national courts could send preliminaryquestions to the ECJ on the interpretation of the key provisions of Directive 2016/680(andinparticularontherighttobeinformed,theprocedureofpriorreviewbyDPAsandon thederogation to theprinciple of purpose limitation).Thisoptionmightnotbe fast.Andonemightneed, in theend, the resilienceandactivismof anotherSchremsto starttailor-madeproceedingsatnationallevelandpavethewaytotheECJ.

Chapter 5Subsequent Use of GDPR Data for

a Law Enforcement Purpose

106

Chapter5:SubsequentUseofGDPRDataforaLawEnforcementPurpose

TheForgottenPrincipleofPurposeLimitation?*Abstract:This article questions the role of the principle of purpose limitation in a situation wherepersonal data are collected under the General Data Protection Regulation (GDPR) andfurtherprocessedunder theregimeof the ‘policeandcriminal justice’Directive. It reviewstherulessetoutinbothinstruments,concerningtheprincipleofpurposelimitationandthefurtherprocessingofpersonaldata foradifferentpurpose.Theanalysisof therulesunderDirective2016/680revealssomeambiguity:aretherulesapplicabletothesubsequentuseofanypersonaldata(includingthosecollectedundertheGDPR)?Oraretheruleslimitedtothesubsequentuseof ‘policeor criminal justice’data? Buildingon theambiguouswordingofArticle 4(2) of the Directive, the article addresses the two hypotheses and analyses theirconsequences.Itconcludeswiththeuncertaintyoftheapplicablerulesandthelikelihoodofdiverginginterpretationsatthenationallevel.

IntroductionExamples of cases where law enforcement authorities request access to personal datainitially collected by third parties for a different purpose are numerous.Many of themrelatetothelegalobligationofprivatepartiestoretainanddisclosepersonaldatatolawenforcement authorities, such as in the fields of air transport, 1 banking 2 ortelecommunications.3In these cases, personal data are retained for further use by lawenforcement authorities to fight fraud, terrorism, and serious criminal offences.Besidesthesecases,therearesituationswhereprivatepartiescollectpersonaldatafortheirownuses(suchascommercialoroperationalpurposes)butareundernospecificobligationtoretainthemforlawenforcementpurposes.Onecouldthinkofthevastamountofpersonaldata that social media collect and hold. Some of these data are very valuable to law

*ArticlepublishedintheEuropeanDataProtectionLawReview(EDPL),volume4,issue2,June2018,pages157-162;theauthorwishestothankProfJeanneMifsudBonniciforhervaluablecommentsandPimGeelhoedfor fruitful discussions on law enforcement issues, aswell as the peer-reviewers for their suggestions andcarefulreading.Theviewsexpressedinthisarticlearesolelythoseoftheauthor.Allremainingerrorsaretheauthor’ssoleresponsibility.1Obligation imposed on airline companies to retain passenger data; see Directive (EU) 2016/681 of theEuropeanParliamentandoftheCouncilof27April2016ontheuseofpassengernamerecord(PNR)dataforthe prevention, detection, investigation and prosecution of terrorist offences and serious crimes (PNRDirective)[2016]OJL119/32.2Obligationsimposedonbankstoretainfinancialdataforanti-moneylaunderingpurposes.3ReferringtotheDataRetentionDirective(Directive2006/24/EC)adoptedin2006andinvalidatedin2014bytheEuropeanCourtofJustice;seeJoinedCasesC-293/12andC-594/12DigitalRightsIrelandandSeitlingerandOthers[2014]ECLI:EU:C:2014:238.

enforcementauthorities(i.e.photographsorvoicerecordings).Althoughsocialmediaarenot obliged to retain these data, they can be requested to grant law enforcementauthorities access to the data. As shown by the transparency reports published by thelargesttechcompanies(e.g.Facebook,Google,Microsoft),thenumberoflawenforcementrequestsforaccesstocontentanduseraccountsisrapidlygrowing.4Nofigureis,however,available on the types of content requested and the purposes of use. It is also almostimpossibletoknowtheexactvolumeofpersonaldatacollectedandheldbysocialmedia.Concerningphotographsalone,in2012,morethan300millionphotoswereuploadedtoFacebook every day.5Yet, as shown by the research undergone by Facebook on theuploaded images, photographs portraying individuals are very useful for facialrecognition.6In a different field, one could also think of biometric data (such asfingerprints,palmprints,andfacialimages)thatanemployeroraschoolholdsabouttheiremployees or students to give them access to premises, canteens or library facilities.These data are particularly valuable for identification purposes. It is, thus, not hard toimaginethatlawenforcementauthoritiescouldaskprivatepartiestohandoverbiometricdata initiallycollectedforapurposeotherthan lawenforcementandre-usetheminthecontextofacriminalinvestigation.7Duetotheavailabilityofdataandtechnologicalmeanstoprocessthem,therepurposingofdata– in thesenseof re-use foradifferentpurpose– isagrowingphenomenon.8Whenpersonal data are repurposed to be used in a different context, that repurposingmightchallenge the principle of purpose limitation. Following that principle, personal datacollected for a specific purpose should be used for compatible purposes or furtherprocessedunderadifferentlegalbasis.Thesituationbecomescomplicatedwhenpersonaldata have been collected in a particular context (such as commercial) and are furtherprocessedinadifferentone(suchaslawenforcement).Butwhenrulesondataprotectionare split between two instruments, like in the new EU data protection framework, the4SeeAliyaRam, ‘TechCompaniesEndureNear-DoublingofRequests forPersonalData’FinancialTimes (30August 2017) <https://www.ft.com/content/b754882e-8cbd-11e7-9084-d0c17942ba93> accessed 10 April2018.More specifically Facebook’s Transparency Report <https://newsroom.fb.com/news/2017/12/reinforcing-our-commitment-to-transparency/>accessed10April2018.Microsoft’sTransparencyReport<https://www.microsoft.com/en-us/about/corporate-responsibility/lerr>accessed10April2018.Google’s Transparency Report <https://transparencyreport.google.com/user-data/overview> accessed 10April2018.5CaseyChan, ‘WhatFacebookDealswithEveryday:2.7BillionLikes,300MillionPhotosUploadedand500Terabytes of Data’ Gizmodo (22 August 2012) <https://gizmodo.com/5937143/what-facebook-deals-with-everyday-27-billion-likes-300-million-photos-uploaded-and-500-terabytes-of-data>accessed10April2018.6Joaquin Quiñonero Candela, ‘Managing Your Identity on Facebook with Face Recognition Technology’Facebook Newsroom (19 December 2017) <https://newsroom.fb.com/news/2017/12/managing-your-identity-on-facebook-with-face-recognition-technology/>accessed10April2018.7Onthecollectionofbiometricdatabyschoolsandtheirpotentialre-usebylawenforcementauthorities,seefor instance Wendy Grossman, ‘Is School Fingerprinting out of Bounds?’ The Guardian (30 March 2006)<https://www.theguardian.com/technology/2006/mar/30/schools.guardianweeklytechnologysection>accessed10April2018.8Especiallywithbigdataanalytics,seeBartCustersandHelenaUrsic,‘BigDataandDataReuse:ATaxonomyofDataReuse forBalancingBigDataBenefitsandPersonalDataProtection’ (2016)6(1) InternationalDataPrivacyLaw4.

107

5

Subsequent Use of GDPR Data for a Law Enforcement Purpose

Chapter5:SubsequentUseofGDPRDataforaLawEnforcementPurpose

TheForgottenPrincipleofPurposeLimitation?*Abstract:This article questions the role of the principle of purpose limitation in a situation wherepersonal data are collected under the General Data Protection Regulation (GDPR) andfurtherprocessedunder theregimeof the ‘policeandcriminal justice’Directive. It reviewstherulessetoutinbothinstruments,concerningtheprincipleofpurposelimitationandthefurtherprocessingofpersonaldata foradifferentpurpose.Theanalysisof therulesunderDirective2016/680revealssomeambiguity:aretherulesapplicabletothesubsequentuseofanypersonaldata(includingthosecollectedundertheGDPR)?Oraretheruleslimitedtothesubsequentuseof ‘policeor criminal justice’data? Buildingon theambiguouswordingofArticle 4(2) of the Directive, the article addresses the two hypotheses and analyses theirconsequences.Itconcludeswiththeuncertaintyoftheapplicablerulesandthelikelihoodofdiverginginterpretationsatthenationallevel.

IntroductionExamples of cases where law enforcement authorities request access to personal datainitially collected by third parties for a different purpose are numerous.Many of themrelatetothelegalobligationofprivatepartiestoretainanddisclosepersonaldatatolawenforcement authorities, such as in the fields of air transport, 1 banking 2 ortelecommunications.3In these cases, personal data are retained for further use by lawenforcement authorities to fight fraud, terrorism, and serious criminal offences.Besidesthesecases,therearesituationswhereprivatepartiescollectpersonaldatafortheirownuses(suchascommercialoroperationalpurposes)butareundernospecificobligationtoretainthemforlawenforcementpurposes.Onecouldthinkofthevastamountofpersonaldata that social media collect and hold. Some of these data are very valuable to law

*ArticlepublishedintheEuropeanDataProtectionLawReview(EDPL),volume4,issue2,June2018,pages157-162;theauthorwishestothankProfJeanneMifsudBonniciforhervaluablecommentsandPimGeelhoedfor fruitful discussions on law enforcement issues, aswell as the peer-reviewers for their suggestions andcarefulreading.Theviewsexpressedinthisarticlearesolelythoseoftheauthor.Allremainingerrorsaretheauthor’ssoleresponsibility.1Obligation imposed on airline companies to retain passenger data; see Directive (EU) 2016/681 of theEuropeanParliamentandoftheCouncilof27April2016ontheuseofpassengernamerecord(PNR)dataforthe prevention, detection, investigation and prosecution of terrorist offences and serious crimes (PNRDirective)[2016]OJL119/32.2Obligationsimposedonbankstoretainfinancialdataforanti-moneylaunderingpurposes.3ReferringtotheDataRetentionDirective(Directive2006/24/EC)adoptedin2006andinvalidatedin2014bytheEuropeanCourtofJustice;seeJoinedCasesC-293/12andC-594/12DigitalRightsIrelandandSeitlingerandOthers[2014]ECLI:EU:C:2014:238.

enforcementauthorities(i.e.photographsorvoicerecordings).Althoughsocialmediaarenot obliged to retain these data, they can be requested to grant law enforcementauthorities access to the data. As shown by the transparency reports published by thelargesttechcompanies(e.g.Facebook,Google,Microsoft),thenumberoflawenforcementrequestsforaccesstocontentanduseraccountsisrapidlygrowing.4Nofigureis,however,available on the types of content requested and the purposes of use. It is also almostimpossibletoknowtheexactvolumeofpersonaldatacollectedandheldbysocialmedia.Concerningphotographsalone,in2012,morethan300millionphotoswereuploadedtoFacebook every day.5Yet, as shown by the research undergone by Facebook on theuploaded images, photographs portraying individuals are very useful for facialrecognition.6In a different field, one could also think of biometric data (such asfingerprints,palmprints,andfacialimages)thatanemployeroraschoolholdsabouttheiremployees or students to give them access to premises, canteens or library facilities.These data are particularly valuable for identification purposes. It is, thus, not hard toimaginethatlawenforcementauthoritiescouldaskprivatepartiestohandoverbiometricdata initiallycollectedforapurposeotherthan lawenforcementandre-usetheminthecontextofacriminalinvestigation.7Duetotheavailabilityofdataandtechnologicalmeanstoprocessthem,therepurposingofdata– in thesenseof re-use foradifferentpurpose– isagrowingphenomenon.8Whenpersonal data are repurposed to be used in a different context, that repurposingmightchallenge the principle of purpose limitation. Following that principle, personal datacollected for a specific purpose should be used for compatible purposes or furtherprocessedunderadifferentlegalbasis.Thesituationbecomescomplicatedwhenpersonaldata have been collected in a particular context (such as commercial) and are furtherprocessedinadifferentone(suchaslawenforcement).Butwhenrulesondataprotectionare split between two instruments, like in the new EU data protection framework, the4SeeAliyaRam, ‘TechCompaniesEndureNear-DoublingofRequests forPersonalData’FinancialTimes (30August 2017) <https://www.ft.com/content/b754882e-8cbd-11e7-9084-d0c17942ba93> accessed 10 April2018.More specifically Facebook’s Transparency Report <https://newsroom.fb.com/news/2017/12/reinforcing-our-commitment-to-transparency/>accessed10April2018.Microsoft’sTransparencyReport<https://www.microsoft.com/en-us/about/corporate-responsibility/lerr>accessed10April2018.Google’s Transparency Report <https://transparencyreport.google.com/user-data/overview> accessed 10April2018.5CaseyChan, ‘WhatFacebookDealswithEveryday:2.7BillionLikes,300MillionPhotosUploadedand500Terabytes of Data’ Gizmodo (22 August 2012) <https://gizmodo.com/5937143/what-facebook-deals-with-everyday-27-billion-likes-300-million-photos-uploaded-and-500-terabytes-of-data>accessed10April2018.6Joaquin Quiñonero Candela, ‘Managing Your Identity on Facebook with Face Recognition Technology’Facebook Newsroom (19 December 2017) <https://newsroom.fb.com/news/2017/12/managing-your-identity-on-facebook-with-face-recognition-technology/>accessed10April2018.7Onthecollectionofbiometricdatabyschoolsandtheirpotentialre-usebylawenforcementauthorities,seefor instance Wendy Grossman, ‘Is School Fingerprinting out of Bounds?’ The Guardian (30 March 2006)<https://www.theguardian.com/technology/2006/mar/30/schools.guardianweeklytechnologysection>accessed10April2018.8Especiallywithbigdataanalytics,seeBartCustersandHelenaUrsic,‘BigDataandDataReuse:ATaxonomyofDataReuse forBalancingBigDataBenefitsandPersonalDataProtection’ (2016)6(1) InternationalDataPrivacyLaw4.

108

Chapter 5

97

situationbecomesevenmorecomplicated.Thenewframeworkiscomposedofageneralinstrument – the General Data Protection Regulation (GDPR)9– and of a specificinstrument applicable to data processing in the field of law enforcement –Directive2016/680 (Police and Criminal Justice Directive). 10 The GDPR replaces Directive95/46/EC (Data Protection Directive),11while Directive 2016/680 replaces the CouncilFrameworkDecision2008/977/JHA.12Howdo the instruments interactwitheachotherwhenpersonaldatacollectedundertheGDPRarefurtherprocessedundertherulesofthenew Directive? And what is the role of the principle of purpose limitation in such ascenario?By investigating the rules applicable to the further processing of GDPR data in a lawenforcementcontext,thearticleattemptstodelineatethescopeandroleoftheprincipleofpurposelimitationwhendataprocessingiscarriedoutacrossthetwoinstruments.ThepaperonlycoversthesubsequentuseofGDPRdatabylawenforcementauthoritiesunderthenewDirective.Itdoesnottackletheissueofdisclosure(whichcanentailthetransfer)ofpersonaldatabyprivatepartiestolawenforcementauthorities.13AccordingtoRecital11ofDirective2016/680, thisdisclosure shouldbecoveredby the rulesof theGDPR.14Following Purtova’s analysis, the disclosure of personal data by private parties to lawenforcementauthorities issubjecttotheGDPRandmightbenefit fromtheexceptionsofArticle23GDPR.15Thisarticleanalyses,instead,therulesapplicabletothere-useofGDPRdataoncethedatahavebeenaccessedbyortransferredtolawenforcementauthorities.Following this introduction, Section II sketches the background on the principle ofpurpose limitation and addresses the relationship between the GDPR and Directive

9Regulation(EU)2016/679oftheEuropeanParliamentandoftheCouncilof27April2016ontheprotectionofnaturalpersonswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata,andrepealingDirective95/46/EC(GeneralDataProtectionRegulation)[2016]OJL119/1.10Directive(EU)2016/680oftheEuropeanParliamentandoftheCouncilof27April2016ontheprotectionofnaturalpersonswithregardtotheprocessingofpersonaldatabycompetentauthoritiesforthepurposesofthe prevention, investigation, detection or prosecution of criminal offences or the execution of criminalpenalties, and on the free movement of such data, and repealing the Council Framework Decision2008/977/JHA[2016]OJL119/89.11EuropeanParliamentandCouncilDirective95/46/ECof24October1995ontheprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata(Directive95/46/ECorDataProtectionDirective)[1995]OJL281/31.12Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal dataprocessed in the framework of police and judicial cooperation in criminal matters (Council FrameworkDecision2008/977/JHA)[2008]OJL350/60;thenewDirectiveextendsthescopeoftheCouncilFrameworkDecisionlimitedtocross-borderprocessing.13Nadezhda Purtova, ‘Between the GDPR and the Police Directive: Navigating Through the Maze ofInformationSharinginPublic-PrivatePartnerships’(2018)8(1)InternationalDataPrivacyLaw52.14Recital11GDPRprovidesthat‘Regulation(EU)2016/679,therefore,appliesincaseswhereabodyorentitycollectspersonaldataforotherpurposesandfurtherprocessesthosepersonaldatainordertocomplywithalegal obligation towhich it is subject’; for a criticism on themeaning and scope of Recital 11, seeMireilleCaruana, ‘The Reform of the EU Data Protection Framework in the Context of Police and Criminal JusticeSector: Harmonisation, Scope, Oversight and Enforcement’ (2017) International Law Review, Computers &Technology(online)<http://www.tandfonline.com/doi/abs/10.1080/13600869.2017.1370224>accessed10April2018.15It should be observed that art 23 GDPR sets out exceptions applicable to data subjects’ rights and thecorrespondingdataprotectionprinciples;onecouldquestionwhetheranydatasubject’s rightderives fromtheprincipleofpurposelimitation,andthuswhetherart23GDPRcouldbeinvoked.

2016/680. Against this background, Section III compares the regime of the principle ofpurpose limitation inboth instruments. It focusesonArticle4(2)ofDirective2016/680providingtheconditionsapplicable to furtherprocessingandquestionsthescopeof theinitialprocessing.HighlightingthetextualambiguityofArticle4(2),SectionIVsuggestsareadingoftheprovisiontoencompassfurtherprocessingofGDPRdata,whereasSectionVassessestheconsequencesofexcludingsuchprocessingfromthescopeofArticle4(2).

BackgroundThis section briefly describes the roots of the principle of purpose limitation andaddressestherelationshipbetweentheGDPRandDirective2016/680.

OriginofthePrincipleofPurposeLimitationTherootsof theprincipleare tobe foundinearly international instrumentsonprivacy,and in particular in the OECD guidelines on privacy16and in the Council of Europe’sConvention on theprocessing of personal data (Convention108).17From the origin, theprinciplewassplitintotwoprinciples,apurposespecificationprincipleandauselimitationprinciple.18Inthelawenforcementsector,theCouncilofEurope’sRecommendationontheuse of personal data in the police sector [Recommendation R(87) 15] also contains aprovisiononpurposelimitation.19BuildingonConvention108,boththeDataProtectionDirective(Directive95/46/EC)andtheCouncilFrameworkDecision(Decision2008/977/JHA)containspecificprovisionsonpurpose limitation, althoughphrased slightlydifferently.20Inboth texts, theprinciple ofpurpose limitationentailsthatthepurposesofdatacollectionare ‘specified,explicitandlegitimate’andthatdatashouldnotbefurtherprocessedinaway‘incompatiblewith’theoriginalpurposesofcollection.21

AsacknowledgedbytheEuropeanCommissioninitsstudyontheimplementationoftheDataProtectionDirective,thebroadwordingoftheprincipleofpurposelimitationhasledto diverging interpretations in Member States. These differences concern the scope of

16OECDGuidelinesontheProtectionofPrivacyandTransborderFlowsofPersonalData[1981](updatedin2013)(‘OECDGuidelinesonPrivacy’)<http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm>accessed10April2018.17ConventionfortheProtectionofIndividualswithregardtoAutomaticProcessingofPersonalData,ETS,No108,28January1981,Strasbourg(Convention108).18Respectively para 9 (purpose specification principle) and para 10 (use limitation principle) of theOECDGuidelinesonPrivacy.19CouncilofEuropeRecommendationR(87)15oftheCommitteeofMinisterstoMemberStatesregulatingtheuseofpersonaldata in thepolicesector [1987],Principle2.1 (purpose limitation) toberead togetherwithPrinciple4(uselimitation).20art6(1)(b)Directive95/46andart3CouncilFrameworkDecision2008/977/JHA;art3(1)oftheDecisionprovides that: ‘personal datamaybe collected by the competent authorities only for specified, explicit andlegitimatepurposesintheframeworkoftheirtasksandmaybeprocessedonlyforthesamepurposeforwhichdatawerecollected.’Thecondition‘samepurpose’isnottobefoundinDirective95/46/EC.21art6(1)(b)Directive95/46/ECandart3(2)CouncilFrameworkDecision2008/977/JHA.

109

5


97

situationbecomesevenmorecomplicated.Thenewframeworkiscomposedofageneralinstrument – the General Data Protection Regulation (GDPR)9– and of a specificinstrument applicable to data processing in the field of law enforcement –Directive2016/680 (Police and Criminal Justice Directive). 10 The GDPR replaces Directive95/46/EC (Data Protection Directive),11while Directive 2016/680 replaces the CouncilFrameworkDecision2008/977/JHA.12Howdo the instruments interactwitheachotherwhenpersonaldatacollectedundertheGDPRarefurtherprocessedundertherulesofthenew Directive? And what is the role of the principle of purpose limitation in such ascenario?By investigating the rules applicable to the further processing of GDPR data in a lawenforcementcontext,thearticleattemptstodelineatethescopeandroleoftheprincipleofpurposelimitationwhendataprocessingiscarriedoutacrossthetwoinstruments.ThepaperonlycoversthesubsequentuseofGDPRdatabylawenforcementauthoritiesunderthenewDirective.Itdoesnottackletheissueofdisclosure(whichcanentailthetransfer)ofpersonaldatabyprivatepartiestolawenforcementauthorities.13AccordingtoRecital11ofDirective2016/680, thisdisclosure shouldbecoveredby the rulesof theGDPR.14Following Purtova’s analysis, the disclosure of personal data by private parties to lawenforcementauthorities issubjecttotheGDPRandmightbenefit fromtheexceptionsofArticle23GDPR.15Thisarticleanalyses,instead,therulesapplicabletothere-useofGDPRdataoncethedatahavebeenaccessedbyortransferredtolawenforcementauthorities.Following this introduction, Section II sketches the background on the principle ofpurpose limitation and addresses the relationship between the GDPR and Directive

9Regulation(EU)2016/679oftheEuropeanParliamentandoftheCouncilof27April2016ontheprotectionofnaturalpersonswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata,andrepealingDirective95/46/EC(GeneralDataProtectionRegulation)[2016]OJL119/1.10Directive(EU)2016/680oftheEuropeanParliamentandoftheCouncilof27April2016ontheprotectionofnaturalpersonswithregardtotheprocessingofpersonaldatabycompetentauthoritiesforthepurposesofthe prevention, investigation, detection or prosecution of criminal offences or the execution of criminalpenalties, and on the free movement of such data, and repealing the Council Framework Decision2008/977/JHA[2016]OJL119/89.11EuropeanParliamentandCouncilDirective95/46/ECof24October1995ontheprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata(Directive95/46/ECorDataProtectionDirective)[1995]OJL281/31.12Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal dataprocessed in the framework of police and judicial cooperation in criminal matters (Council FrameworkDecision2008/977/JHA)[2008]OJL350/60;thenewDirectiveextendsthescopeoftheCouncilFrameworkDecisionlimitedtocross-borderprocessing.13Nadezhda Purtova, ‘Between the GDPR and the Police Directive: Navigating Through the Maze ofInformationSharinginPublic-PrivatePartnerships’(2018)8(1)InternationalDataPrivacyLaw52.14Recital11GDPRprovidesthat‘Regulation(EU)2016/679,therefore,appliesincaseswhereabodyorentitycollectspersonaldataforotherpurposesandfurtherprocessesthosepersonaldatainordertocomplywithalegal obligation towhich it is subject’; for a criticism on themeaning and scope of Recital 11, seeMireilleCaruana, ‘The Reform of the EU Data Protection Framework in the Context of Police and Criminal JusticeSector: Harmonisation, Scope, Oversight and Enforcement’ (2017) International Law Review, Computers &Technology(online)<http://www.tandfonline.com/doi/abs/10.1080/13600869.2017.1370224>accessed10April2018.15It should be observed that art 23 GDPR sets out exceptions applicable to data subjects’ rights and thecorrespondingdataprotectionprinciples;onecouldquestionwhetheranydatasubject’s rightderives fromtheprincipleofpurposelimitation,andthuswhetherart23GDPRcouldbeinvoked.

2016/680. Against this background, Section III compares the regime of the principle ofpurpose limitation inboth instruments. It focusesonArticle4(2)ofDirective2016/680providingtheconditionsapplicable to furtherprocessingandquestionsthescopeof theinitialprocessing.HighlightingthetextualambiguityofArticle4(2),SectionIVsuggestsareadingoftheprovisiontoencompassfurtherprocessingofGDPRdata,whereasSectionVassessestheconsequencesofexcludingsuchprocessingfromthescopeofArticle4(2).

BackgroundThis section briefly describes the roots of the principle of purpose limitation andaddressestherelationshipbetweentheGDPRandDirective2016/680.

OriginofthePrincipleofPurposeLimitationTherootsof theprincipleare tobe foundinearly international instrumentsonprivacy,and in particular in the OECD guidelines on privacy16and in the Council of Europe’sConvention on theprocessing of personal data (Convention108).17From the origin, theprinciplewassplitintotwoprinciples,apurposespecificationprincipleandauselimitationprinciple.18Inthelawenforcementsector,theCouncilofEurope’sRecommendationontheuse of personal data in the police sector [Recommendation R(87) 15] also contains aprovisiononpurposelimitation.19BuildingonConvention108,boththeDataProtectionDirective(Directive95/46/EC)andtheCouncilFrameworkDecision(Decision2008/977/JHA)containspecificprovisionsonpurpose limitation, althoughphrased slightlydifferently.20Inboth texts, theprinciple ofpurpose limitationentailsthatthepurposesofdatacollectionare ‘specified,explicitandlegitimate’andthatdatashouldnotbefurtherprocessedinaway‘incompatiblewith’theoriginalpurposesofcollection.21

AsacknowledgedbytheEuropeanCommissioninitsstudyontheimplementationoftheDataProtectionDirective,thebroadwordingoftheprincipleofpurposelimitationhasledto diverging interpretations in Member States. These differences concern the scope of

16OECDGuidelinesontheProtectionofPrivacyandTransborderFlowsofPersonalData[1981](updatedin2013)(‘OECDGuidelinesonPrivacy’)<http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm>accessed10April2018.17ConventionfortheProtectionofIndividualswithregardtoAutomaticProcessingofPersonalData,ETS,No108,28January1981,Strasbourg(Convention108).18Respectively para 9 (purpose specification principle) and para 10 (use limitation principle) of theOECDGuidelinesonPrivacy.19CouncilofEuropeRecommendationR(87)15oftheCommitteeofMinisterstoMemberStatesregulatingtheuseofpersonaldata in thepolicesector [1987],Principle2.1 (purpose limitation) toberead togetherwithPrinciple4(uselimitation).20art6(1)(b)Directive95/46andart3CouncilFrameworkDecision2008/977/JHA;art3(1)oftheDecisionprovides that: ‘personal datamaybe collected by the competent authorities only for specified, explicit andlegitimatepurposesintheframeworkoftheirtasksandmaybeprocessedonlyforthesamepurposeforwhichdatawerecollected.’Thecondition‘samepurpose’isnottobefoundinDirective95/46/EC.21art6(1)(b)Directive95/46/ECandart3(2)CouncilFrameworkDecision2008/977/JHA.

110

Chapter 5

exceptions,themeaningofcompatibleuses,andtherequirement(aswellasthetype)ofsafeguardsapplicabletodatasubjects.22TherationaleoftheprincipleinalawenforcementcontextisnottobefoundinDirective2016/680. Instead, it is described in the Europol Regulation (Regulation 2016/794) onlaw enforcement cooperation.23The principle of purpose limitation is defined by itscharacteristics, which are ‘to contribute to transparency, legal certainty andpredictability.’24According to some authors, the principle of purpose limitation is theresult of the right to self-determination, i.e. to control how own personal data areprocessedandused.25However,thisapproachandunderstandingoftheprinciplearehardto support in a lawenforcement context. In the context of a criminal investigation, it isindeeddifficulttoarguethatanindividualwhosepersonaldatahavebeencollectedforacommercialpurposeshouldcontrolthewaythepolicefurtherusehisorherdata.Instead,it could be argued that an individual whose data are further processed for a lawenforcementpurposeshouldbemadeaware,orbenotified,aboutthisprocessingaftertheinvestigation is over or as soon as the investigation cannot be prejudiced anymore.26Awarenessornotificationis,however,differentfromcontrol.Last,theprincipleofpurposelimitation–inparticular,itsspecificationcomponent–isanelementofthefundamentalrighttotheprotectionofpersonaldata.27TheCourtofJusticeof the European Union (CJEU) has recently acknowledged that ‘the protection againstunlawfulaccessandprocessing’isapartofthe‘essence’ofthefundamentalrighttodataprotection.28Assuch,anylimitationtotheprincipleofpurposelimitationshouldcomplywiththeconditionsformulatedinArticle52(1)oftheCharterofFundamentalRights(theCharter).Thisclaimwillbefurtherexplainedinthearticle.

RelationshipbetweentheGDPRandDirective2016/680As argued elsewhere,29the GDPR and Directive 2016/680 build a bridge towards eachother.Recital19GDPRdelineatesthematerialscopeoftheRegulation.Itexcludesfromits

22Annex 2, Evaluation of the Implementation of the Data Protection Directive, at 25 in Commission StaffWorkingPaper,ImpactAssessmentAccompanyingtheproposalsforaRegulationandDirective,SEC(2012)72final[2012].23Regulation(EU)2016/794oftheEuropeanParliamentandoftheCouncilof11May2016ontheEuropeanUnion Agency for law enforcement cooperation (Europol) and replacing and repealing Council Decisions2009/371/JHA,2009/935/JHA,2009/936/JHAand2009/968/JHA(EuropolRegulation)[2016]OJL135/53.24Recital26EuropolRegulation.25LianeColonna,‘DataMininganditsParadoxicalRelationshiptothePurposeofLimitation’inSergeGutwirth,RonaldLeenes,andPauldeHert(eds),ReloadingDataProtection(Kluwer2014),300-302;MariaTzanou,TheFundamentalRighttoDataProtection:NormativeValueintheContextofCounter-TerrorismSurveillance (HartPublishing2017)40.26Asdiscussedlaterinthearticle.27art8Charter.28Opinion1/15oftheCourt(GrandChamber)ontheDraftAgreementbetweenCanadaandtheEuropeanUnion[2017]ECLI:EU:C:2017:592,para150;alsoascitedandanalysedbyCoudertinFannyCoudert, ‘TheEuropolRegulationandPurposeLimitation,Fromthe‘Silo-BasedApproach’to…WhatExactly?’(2017)3(3)EDPL313.29egCatherine Jasserand, ‘LawEnforcementAccesstoPersonalDataOriginallyCollectedbyPrivateParties:MissingDataSubjects'SafeguardsinDirective2016/680?’(2018)34(1)ComputerLaw&SecurityReview;seealsoanalysismadebyPurtova(n13).

scope the processing of personal data by ‘public authorities’ for a law enforcementpurpose, as defined in Article 1(1) of the Directive. Those processing operations fallinstead within the scope of Directive 2016/680.30Likewise, Recital 11 of the DirectiveexpresslyexcludesfromitsscopeprocessingactivitiesbyentitiesorbodiesentrustedforlawenforcementpurposeswhenthoseprocessingactivitiesarenotcarriedoutforalawenforcementpurposebutforapurposethatwouldfallundertheGDPR.31Besidesthetworecitalsonthematerialscopeofeachinstrument,theGDPRandDirective2016/680 are pretty silent on their relationship. As adopted, the texts are far lessambitiousthantheEuropeanParliament’sresolutionsonthelegislativeproposals.32Morespecifically,theresolutionontheproposalforanewDirectiveincludedanarticleonlawenforcement access to personal data initially collected for a non-law enforcementpurpose.33In that case,notonlydid the furtherprocessingneeda legalbasisbut it alsohad to comply with strict conditions (such as identification of individuals allowed toaccessthedata,adoptionofsafeguards,andspecificformatfortherequest).34Inaddition,the provision limited the re-use of the data to the ‘investigation’ or ‘prosecution ofcriminaloffences.’35Subsequentuseofpersonaldataforcrimepreventionwas, thus,notenvisaged.ThereisnotmuchdiscussionconcerningtheapplicabilityofthenewDirectiverulestothelaw enforcement use of personal data collected by private parties. If carried out by acompetent authority,36for one of the purposes of Directive 2016/680,37the subsequentuse of GDPR data falls within the scope of the Directive. What is more crucial is todeterminetherulesapplicabletothefurtherprocessingofGDPRdataundertheregimeofDirective2016/680.Toaddressthisissue,nextsectionassessestheprincipleofpurposelimitationasdesignedinDirective2016/680.

30Seeart2(2)GDPRandRecital19GDPR.31SeeRecital11Directive2016/680.32RespectivelyEuropeanParliamentLegislativeResolutionof12March2014ontheproposalforaregulationoftheEuropeanParliamentandoftheCouncilontheprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata(GeneralDataProtectionRegulation)(COM(2012)0011-C7-0025/2012-2012/0011(COD)P7_TA(2014)01[2014],and EuropeanParliament legislativeResolutionontheprotectionofindividualswithregardtotheprocessingofpersonaldatabycompetentauthoritiesforthepurposes of prevention, investigation, detection or prosecution of criminal offences or the execution ofcriminal penalties, and the freemovement of such data [COM(2012)0010-C-7-0024/2012-2012/010(COD)]P7_TA(2014)0219[2014].33art 4a Resolution of 12 March 2014, P7_TA(2014)0219, entitled ‘access to data initially processed forpurposesothersthanthosereferredtoinarticle1(1)’.34ibid,art4a(1)(a)-(d).35ibid,art4a(2).36AsdefinedinArt3(7)Directive2016/680.37Asdescribedinart1(1)Directive2016/680,iefor‘theprevention,investigation,detectionorprosecutionofcriminal offences or the execution of criminal penalties, including the safeguarding of threats to publicsecurity.’

111

5


exceptions,themeaningofcompatibleuses,andtherequirement(aswellasthetype)ofsafeguardsapplicabletodatasubjects.22TherationaleoftheprincipleinalawenforcementcontextisnottobefoundinDirective2016/680. Instead, it is described in the Europol Regulation (Regulation 2016/794) onlaw enforcement cooperation.23The principle of purpose limitation is defined by itscharacteristics, which are ‘to contribute to transparency, legal certainty andpredictability.’24According to some authors, the principle of purpose limitation is theresult of the right to self-determination, i.e. to control how own personal data areprocessedandused.25However,thisapproachandunderstandingoftheprinciplearehardto support in a lawenforcement context. In the context of a criminal investigation, it isindeeddifficulttoarguethatanindividualwhosepersonaldatahavebeencollectedforacommercialpurposeshouldcontrolthewaythepolicefurtherusehisorherdata.Instead,it could be argued that an individual whose data are further processed for a lawenforcementpurposeshouldbemadeaware,orbenotified,aboutthisprocessingaftertheinvestigation is over or as soon as the investigation cannot be prejudiced anymore.26Awarenessornotificationis,however,differentfromcontrol.Last,theprincipleofpurposelimitation–inparticular,itsspecificationcomponent–isanelementofthefundamentalrighttotheprotectionofpersonaldata.27TheCourtofJusticeof the European Union (CJEU) has recently acknowledged that ‘the protection againstunlawfulaccessandprocessing’isapartofthe‘essence’ofthefundamentalrighttodataprotection.28Assuch,anylimitationtotheprincipleofpurposelimitationshouldcomplywiththeconditionsformulatedinArticle52(1)oftheCharterofFundamentalRights(theCharter).Thisclaimwillbefurtherexplainedinthearticle.

RelationshipbetweentheGDPRandDirective2016/680As argued elsewhere,29the GDPR and Directive 2016/680 build a bridge towards eachother.Recital19GDPRdelineatesthematerialscopeoftheRegulation.Itexcludesfromits

22Annex 2, Evaluation of the Implementation of the Data Protection Directive, at 25 in Commission StaffWorkingPaper,ImpactAssessmentAccompanyingtheproposalsforaRegulationandDirective,SEC(2012)72final[2012].23Regulation(EU)2016/794oftheEuropeanParliamentandoftheCouncilof11May2016ontheEuropeanUnion Agency for law enforcement cooperation (Europol) and replacing and repealing Council Decisions2009/371/JHA,2009/935/JHA,2009/936/JHAand2009/968/JHA(EuropolRegulation)[2016]OJL135/53.24Recital26EuropolRegulation.25LianeColonna,‘DataMininganditsParadoxicalRelationshiptothePurposeofLimitation’inSergeGutwirth,RonaldLeenes,andPauldeHert(eds),ReloadingDataProtection(Kluwer2014),300-302;MariaTzanou,TheFundamentalRighttoDataProtection:NormativeValueintheContextofCounter-TerrorismSurveillance (HartPublishing2017)40.26Asdiscussedlaterinthearticle.27art8Charter.28Opinion1/15oftheCourt(GrandChamber)ontheDraftAgreementbetweenCanadaandtheEuropeanUnion[2017]ECLI:EU:C:2017:592,para150;alsoascitedandanalysedbyCoudertinFannyCoudert, ‘TheEuropolRegulationandPurposeLimitation,Fromthe‘Silo-BasedApproach’to…WhatExactly?’(2017)3(3)EDPL313.29egCatherine Jasserand, ‘LawEnforcementAccesstoPersonalDataOriginallyCollectedbyPrivateParties:MissingDataSubjects'SafeguardsinDirective2016/680?’(2018)34(1)ComputerLaw&SecurityReview;seealsoanalysismadebyPurtova(n13).

scope the processing of personal data by ‘public authorities’ for a law enforcementpurpose, as defined in Article 1(1) of the Directive. Those processing operations fallinstead within the scope of Directive 2016/680.30Likewise, Recital 11 of the DirectiveexpresslyexcludesfromitsscopeprocessingactivitiesbyentitiesorbodiesentrustedforlawenforcementpurposeswhenthoseprocessingactivitiesarenotcarriedoutforalawenforcementpurposebutforapurposethatwouldfallundertheGDPR.31Besidesthetworecitalsonthematerialscopeofeachinstrument,theGDPRandDirective2016/680 are pretty silent on their relationship. As adopted, the texts are far lessambitiousthantheEuropeanParliament’sresolutionsonthelegislativeproposals.32Morespecifically,theresolutionontheproposalforanewDirectiveincludedanarticleonlawenforcement access to personal data initially collected for a non-law enforcementpurpose.33In that case,notonlydid the furtherprocessingneeda legalbasisbut it alsohad to comply with strict conditions (such as identification of individuals allowed toaccessthedata,adoptionofsafeguards,andspecificformatfortherequest).34Inaddition,the provision limited the re-use of the data to the ‘investigation’ or ‘prosecution ofcriminaloffences.’35Subsequentuseofpersonaldataforcrimepreventionwas, thus,notenvisaged.ThereisnotmuchdiscussionconcerningtheapplicabilityofthenewDirectiverulestothelaw enforcement use of personal data collected by private parties. If carried out by acompetent authority,36for one of the purposes of Directive 2016/680,37the subsequentuse of GDPR data falls within the scope of the Directive. What is more crucial is todeterminetherulesapplicabletothefurtherprocessingofGDPRdataundertheregimeofDirective2016/680.Toaddressthisissue,nextsectionassessestheprincipleofpurposelimitationasdesignedinDirective2016/680.

30Seeart2(2)GDPRandRecital19GDPR.31SeeRecital11Directive2016/680.32RespectivelyEuropeanParliamentLegislativeResolutionof12March2014ontheproposalforaregulationoftheEuropeanParliamentandoftheCouncilontheprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata(GeneralDataProtectionRegulation)(COM(2012)0011-C7-0025/2012-2012/0011(COD)P7_TA(2014)01[2014],and EuropeanParliament legislativeResolutionontheprotectionofindividualswithregardtotheprocessingofpersonaldatabycompetentauthoritiesforthepurposes of prevention, investigation, detection or prosecution of criminal offences or the execution ofcriminal penalties, and the freemovement of such data [COM(2012)0010-C-7-0024/2012-2012/010(COD)]P7_TA(2014)0219[2014].33art 4a Resolution of 12 March 2014, P7_TA(2014)0219, entitled ‘access to data initially processed forpurposesothersthanthosereferredtoinarticle1(1)’.34ibid,art4a(1)(a)-(d).35ibid,art4a(2).36AsdefinedinArt3(7)Directive2016/680.37Asdescribedinart1(1)Directive2016/680,iefor‘theprevention,investigation,detectionorprosecutionofcriminal offences or the execution of criminal penalties, including the safeguarding of threats to publicsecurity.’

112

Chapter 5

RegimeofPurposeLimitationunderDirective2016/680This section describes the principle of purpose limitation in Directive 2016/680 andcomparesitwiththeregimeestablishedundertheGDPR.Italsodiscussesthenatureandcontent of Article 4(2) of the new Directive, which provides the conditions of furtherprocessingofpersonaldatacollectedforadifferentpurpose.

ComparisonwiththeGDPRRegimeAsnotedinSectionII,theprincipleofpurposelimitationissub-dividedintoaprincipleofpurpose specification and a principle of compatible use.38According to Article 4(1) ofDirective 2016/680, personal data are ‘collected for specified, explicit and legitimatepurposesandnotprocessed inamanner that is incompatiblewith thosepurposes.’TheprincipleiswordedinidenticaltermsinArticle5(1)GDPR.However,asexplainedbelow,theprincipleisinterpreteddifferently.Thepurposespecificationprinciplefocusesontheinitialpurposeofcollection.Asobservedby the Article 29 Working Party (A29WP),39‘law enforcement, per se, shall not beconsidered as one specified, explicit and legitimate purpose.’40Each purpose needs tocomplywiththethreecriteriaofspecificity,explicitness,andlegitimacy.Inthescenariosunderreviewinthispaper,theoriginalpurposeofdatacollectionisnotalawenforcementpurpose. It can be a commercial, an administrative or an operational purpose, and ingeneral,anynon-lawenforcementpurposefallingwithinthescopeoftheGDPR.Onlythepurpose of the subsequent use is a law enforcement purpose covered by Directive2016/680.The secondprinciple, compatibleuse,41entails that personal data collected for a specificpurposeareusedfollowingthatpurpose.Theyshouldnotbefurtherprocessedinawayincompatiblewiththeinitialpurposeofprocessing.Whatdoesthisprinciplemeaninthecontext of Directive 2016/680? First, it would be wrong to conclude that unrelatedpurposesarenecessarilyincompatible.Forexample,undertheGDPR,thesubsequentuseofpersonaldataforresearchorarchivepurposesisnotconsideredincompatiblewiththeoriginalpurposeofcollection.42Second,twolawenforcementpurposesarenotnecessarilycompatiblebecausetheybelongtothesamefield.43Itis,therefore,necessarytoassessthe

38A29WP,‘Opinion03/2013onpurposelimitation’[2013]WP203.39A29WPisanindependentadvisorybodytotheEuropeanCommissionondataprotectionmatters,see<http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083> accessed 10 April 2018; it will bereplacedbytheEuropeanDataProtectionBoard(art68etseqGDPR).40A29WP, ‘Opinion 03/2015 on the draft directive on the protection of individuals with regard to theprocessingofpersonaldatabycompetentauthoritiesforthepurposesofprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andthefreemovementofsuchdata’[2015]WP233,6.41In other instruments, such as in the OECD Privacy Guidelines (n 16), the principle is described as ‘uselimitation’.42art5(1)(b)GDPR.43See EDPS, ‘Opinion of the EuropeanData Protection Supervisor on the Data Protection Reform Package’[2012],para334states:‘itshouldbeclearthatwithinthelawenforcementcontextdifferentpurposescanbe

compatibilitybetweenthepurposestodeterminetheircompatibility.Beforetheadoptionofthenewdataprotectionframework, incaseswherepersonaldatawerefirstcollectedforanon-lawenforcementpurposeandfurtherusedforalawenforcementpurpose,theA29WP recommended the application of several factors to assess their compatibility.44Those factors have been incorporated in the GDPR45but are absent from Directive2016/680.Last,‘irrespectiveofthecompatibilityofpurposes,’Article6(4)GDPRprovidestwolegalgroundsforthefurtherprocessing:thedatasubject’sconsentandanationalorEU law,which is ‘necessary andproportionate’ toprotect specific interests identified inArticle23GDPR.46Theprovisiondoesnot state thatArticle23GDPRconstitutes a legalgroundtoprocessdataforincompatiblepurposesbutonlythatalaw,whichis‘necessaryandproportionate…tosafeguardtheinterestsreferredtoinArticle23(1)’constitutessuchalegalbasis.47The approach followed by Directive 2016/680 is different. Article 4(2) of Directive2016/680onlysetsouttheconditionsunderwhichfurtherprocessingforapurposeotherthantheoriginalpurposeofcollectionisallowed.Inparticular,itprovidesthat:

ProcessingbythesameoranothercontrollerforanyofthepurposessetoutinArticle1(1)otherthanforwhichthepersonaldataarecollectedshallbepermittedinsofaras:1. the controller is authorised toprocess suchpersonal data for such apurpose in

accordancewithUnionorMemberStatelaw;and2. processing is necessary and proportionate to that other purpose in accordance

withUnionorMemberStatelaw.

The scope of the initial processing and the conditions of the further processing areaddressedinthenextsub-sections.

ScopeoftheInitialProcessingThewordingofArticle4(2)inrespecttothecontextoftheinitialprocessingisambiguous.Theprovisiononlymentionstheinitialpurposeofprocessingasapurpose‘otherthanforwhich the personal data are collected.’ Article 4(2) does not state whether the initialpurpose fallswithinoroutsidethescopeofDirective2016/680.Theprovisiondoesnotevenmakealinkbetweentheprincipleofpurposelimitation[definedinArticle4(1)oftheDirective]and theconditionsapplicable to the furtherprocessing.Oneunderstands thatthe twoare linkedthroughRecital29of theDirective.Therecitaldescribes together theprincipleofpurposelimitationandtheconditionsapplicabletothefurtherprocessingfor

incompatible’ <https://edps.europa.eu/sites/edp/files/publication/12-03 07_edps_reform_package_en.pdf >accessed10April2018.44Opinion03/2013(n38),examplesaboutEurodac,PNR.45art6(4)GDPR.46Those interests include public security, but also the prevention, investigation or prosecution of criminaloffencesortheprotectionofindividuals,seeart23(1)(a)-(j)GDPR.47Emphasisadded.

113

5


RegimeofPurposeLimitationunderDirective2016/680This section describes the principle of purpose limitation in Directive 2016/680 andcomparesitwiththeregimeestablishedundertheGDPR.Italsodiscussesthenatureandcontent of Article 4(2) of the new Directive, which provides the conditions of furtherprocessingofpersonaldatacollectedforadifferentpurpose.

ComparisonwiththeGDPRRegimeAsnotedinSectionII,theprincipleofpurposelimitationissub-dividedintoaprincipleofpurpose specification and a principle of compatible use.38According to Article 4(1) ofDirective 2016/680, personal data are ‘collected for specified, explicit and legitimatepurposesandnotprocessed inamanner that is incompatiblewith thosepurposes.’TheprincipleiswordedinidenticaltermsinArticle5(1)GDPR.However,asexplainedbelow,theprincipleisinterpreteddifferently.Thepurposespecificationprinciplefocusesontheinitialpurposeofcollection.Asobservedby the Article 29 Working Party (A29WP),39‘law enforcement, per se, shall not beconsidered as one specified, explicit and legitimate purpose.’40Each purpose needs tocomplywiththethreecriteriaofspecificity,explicitness,andlegitimacy.Inthescenariosunderreviewinthispaper,theoriginalpurposeofdatacollectionisnotalawenforcementpurpose. It can be a commercial, an administrative or an operational purpose, and ingeneral,anynon-lawenforcementpurposefallingwithinthescopeoftheGDPR.Onlythepurpose of the subsequent use is a law enforcement purpose covered by Directive2016/680.The secondprinciple, compatibleuse,41entails that personal data collected for a specificpurposeareusedfollowingthatpurpose.Theyshouldnotbefurtherprocessedinawayincompatiblewiththeinitialpurposeofprocessing.Whatdoesthisprinciplemeaninthecontext of Directive 2016/680? First, it would be wrong to conclude that unrelatedpurposesarenecessarilyincompatible.Forexample,undertheGDPR,thesubsequentuseofpersonaldataforresearchorarchivepurposesisnotconsideredincompatiblewiththeoriginalpurposeofcollection.42Second,twolawenforcementpurposesarenotnecessarilycompatiblebecausetheybelongtothesamefield.43Itis,therefore,necessarytoassessthe

38A29WP,‘Opinion03/2013onpurposelimitation’[2013]WP203.39A29WPisanindependentadvisorybodytotheEuropeanCommissionondataprotectionmatters,see<http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083> accessed 10 April 2018; it will bereplacedbytheEuropeanDataProtectionBoard(art68etseqGDPR).40A29WP, ‘Opinion 03/2015 on the draft directive on the protection of individuals with regard to theprocessingofpersonaldatabycompetentauthoritiesforthepurposesofprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andthefreemovementofsuchdata’[2015]WP233,6.41In other instruments, such as in the OECD Privacy Guidelines (n 16), the principle is described as ‘uselimitation’.42art5(1)(b)GDPR.43See EDPS, ‘Opinion of the EuropeanData Protection Supervisor on the Data Protection Reform Package’[2012],para334states:‘itshouldbeclearthatwithinthelawenforcementcontextdifferentpurposescanbe

compatibilitybetweenthepurposestodeterminetheircompatibility.Beforetheadoptionofthenewdataprotectionframework, incaseswherepersonaldatawerefirstcollectedforanon-lawenforcementpurposeandfurtherusedforalawenforcementpurpose,theA29WP recommended the application of several factors to assess their compatibility.44Those factors have been incorporated in the GDPR45but are absent from Directive2016/680.Last,‘irrespectiveofthecompatibilityofpurposes,’Article6(4)GDPRprovidestwolegalgroundsforthefurtherprocessing:thedatasubject’sconsentandanationalorEU law,which is ‘necessary andproportionate’ toprotect specific interests identified inArticle23GDPR.46Theprovisiondoesnot state thatArticle23GDPRconstitutes a legalgroundtoprocessdataforincompatiblepurposesbutonlythatalaw,whichis‘necessaryandproportionate…tosafeguardtheinterestsreferredtoinArticle23(1)’constitutessuchalegalbasis.47The approach followed by Directive 2016/680 is different. Article 4(2) of Directive2016/680onlysetsouttheconditionsunderwhichfurtherprocessingforapurposeotherthantheoriginalpurposeofcollectionisallowed.Inparticular,itprovidesthat:

ProcessingbythesameoranothercontrollerforanyofthepurposessetoutinArticle1(1)otherthanforwhichthepersonaldataarecollectedshallbepermittedinsofaras:1. the controller is authorised toprocess suchpersonal data for such apurpose in

accordancewithUnionorMemberStatelaw;and2. processing is necessary and proportionate to that other purpose in accordance

withUnionorMemberStatelaw.

The scope of the initial processing and the conditions of the further processing areaddressedinthenextsub-sections.

ScopeoftheInitialProcessingThewordingofArticle4(2)inrespecttothecontextoftheinitialprocessingisambiguous.Theprovisiononlymentionstheinitialpurposeofprocessingasapurpose‘otherthanforwhich the personal data are collected.’ Article 4(2) does not state whether the initialpurpose fallswithinoroutsidethescopeofDirective2016/680.Theprovisiondoesnotevenmakealinkbetweentheprincipleofpurposelimitation[definedinArticle4(1)oftheDirective]and theconditionsapplicable to the furtherprocessing.Oneunderstands thatthe twoare linkedthroughRecital29of theDirective.Therecitaldescribes together theprincipleofpurposelimitationandtheconditionsapplicabletothefurtherprocessingfor

incompatible’ <https://edps.europa.eu/sites/edp/files/publication/12-03 07_edps_reform_package_en.pdf >accessed10April2018.44Opinion03/2013(n38),examplesaboutEurodac,PNR.45art6(4)GDPR.46Those interests include public security, but also the prevention, investigation or prosecution of criminaloffencesortheprotectionofindividuals,seeart23(1)(a)-(j)GDPR.47Emphasisadded.

114

Chapter 5

adifferentpurpose.Basedonthatrecital,onecouldclaimthatArticle4(2)onlyappliestothefurtherprocessingofpersonaldatainitiallycollectedforalawenforcementpurpose.However,becausearecitalisanon-bindingprovision,48onecouldalsoarguethatArticle4(2) canapply to the furtherprocessingofpersonaldata collectedoutside the scopeofDirective2016/680.This ambiguity is problematic because it has consequences for the status of thesubsequentuseofGDPRdata fora lawenforcementpurpose. IfArticle4(2)ofDirective2016/680doesnotapplytothefurtherprocessingofGDPRdata,thereisanuncertaintyon thequalificationof this subsequentprocessingoperation. Should it be consideredasinitialprocessingunderDirective2016/680?DuringthenegotiationsonthedraftPoliceand Criminal Justice Directive, the European Commission opined that such processingshouldbe consideredas ‘initialprocessing' of ‘policeor criminal justice'data insteadoffurther processing.49The European Commission believed that ‘the further processingacross the two legal instruments would create problems,’ thus ‘there were no specificarticles [in the draft Directive] to be used for that.’50As a consequence, following thisinterpretation, the further processing of GDPR data would neither be subject to theprincipleofpurposelimitation,asdefinedinArticle4(1)oftheDirective,norbesubjecttotheconditionsapplicabletofurtherprocessingsetoutinArticle4(2)oftheDirective.Thesituationdoesnot seem,however, tobe that simple.No recital orprovision inboth theGDPR andDirective 2016/680 confirms the European Commission’s views.51Both textsare actually silent on thatmatter. Because of the ambiguouswording of Article 4(2) ofDirective2016/680,itcouldbearguedthatbothhypothesescanbeenvisaged.TheconditionsunderwhichArticle4(2)allowsfurtherprocessingareanalysednext.

Article4(2)ofDirective2016/680asDerogationfromthePrincipleofPurposeLimitation?

Article4(2)oftheDirectiveallowsthefurtherprocessingundertheconditionsoflegality[Article4(2)(a)]aswellasnecessityandproportionality[Article4(2)(b)].However,theseconditions are not linked, implicitly or explicitly, to any compatibility requirement. The

48Recitals are, however, interpretative tools; see Roberto Baratta, ‘Complexity of EU law in the domesticimplementingprocess’(Speechatthe19thQualityofLegislationSeminar‘EULegislativeDrafting:ViewsfromthoseapplyingEUlawintheMemberStates’,3July2014)<http://ec.europa.eu/dgs/legal_service/seminars/20140703_baratta_speech.pdf>accessed10April2018.49TheEuropeanCommissionspecifiedthat ‘ifa legalobligationtotransferdatatothepoliceexisted,suchatransfer would be considered as an initial police processing’ in fn 118 of Proposal for a Directive of theEuropean Parliament and of the Council on the protection of individuals with regard to the processing ofpersonaldatabycompetentauthoritiesforthepurposesofprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andthefreemovementofsuchdata,chsIIandIII,todelegations,14April2015,doc7740/15[2015]<http://www.statewatch.org/news/2015/apr/eu-council-dp-directive-chap-II-7740-15.pdf>accessed10April2018.50ibid.51One could add that statementsmade by the European Commission, as well as by other EU institutions,during the negotiation process of a legislative instrument have no legal binding value in the absence ofreferencetothesestatementsintheinstrumentitself,seeCaseC-292/89RvImmigrationAppealTribunalexparteGustaffDesideriusAntonissen[1991]ECR-I-745,para18.

termisabsentfromtheprovision.Bycomparison,Article3(2)oftheCouncilFrameworkDecision2008/977/JHA,nowreplacedbyDirective2016/680,only applies topurposes‘notincompatible’withthepurposeofcollection.52Thus,itseemsthatArticle3(2)oftheFramework Decision was drafted as an interpretation of the principle of purposelimitationasitonlyauthorisesfurtherprocessing‘notincompatible.’Concerning Article 4(2) of Directive 2016/680, it should bementioned that during thenegotiationsonthedraftPoliceandCriminal JusticeDirective,MemberStatesweresplitonitsscope:somewantedtodefinespecificrulesapplicabletothefurtherprocessingforcompatiblepurposes;others rulesapplicable to incompatiblepurposes.53In theend, theadopted text refers toneither.Thedefinitionof ‘compatiblepurposes' is thus left at thenational level.54Asaconsequence, intheabsenceofcompatibilityrequirement, itcanbededucedthatArticle4(2)ofDirective2016/680applies‘irrespectiveofthecompatibilitybetweenthepurposes.’Assuch,theprovisionconstitutesanexceptiontotheprincipleofpurposelimitationanddiffersfromArticle3(2)oftheFrameworkDecision.Next,ifArticle4(2)ofDirective2016/680isconstruedasaderogationfromtheprincipleof purpose limitation, it is argued that it should be interpreted in accordancewith theCharterofFundamentalRights[Article52(1)oftheCharter]andtheEuropeanConventiononHumanRights[Article8(2)ECHR].55

LowerStandardofProtection?As specified in theGDPR, restrictionsondata subjects’ rightsandon the correspondingdataprotectionprinciples should apply ‘in accordancewith the requirements set out inthe Charter and in the European Convention for the Protection of Human Rights andFundamentalFreedoms.’56OnecouldaddthattherequirementshavetobeunderstoodasinterpretedbytheCJEUandtheEuropeanCourtofHumanRights(ECtHR).Directive2016/680doesnot containa similarprovision. Itonlyprovides, inRecital46,that‘anyrestrictionsoftherightsofthedatasubject’mustbeinaccordancewithboththeCharterandtheECHR.Thus,restrictionsondataprotectionprinciplesarenotexpresslysubject tothesamerequirements. It isarguedherethat,asworded,Directive2016/680

52art3(2)FrameworkDecisionreadsasfollows:‘Furtherprocessingforanotherpurposeshallbepermittedinsofaras:(a)itisnotincompatiblewiththepurposesforwhichthedatawerecollected…’;thisrequirementof‘non-incompatibility’canalsobefoundinPrinciple5oftheCouncilofEurope’sRecommendationR(87)15.53SeediscussionsamongMemberStates,andinparticularthepositionofSwedenopposedtolimittherulesonthefurtherprocessingtocompatiblepurposeswhereastheCzechRepublicsupportedrulesapplicabletopurposes‘notincompatible’withtheinitialpurposeofprocessing;respectivelyfns151and152ofDelegationsDocumentonthedraftproposalDirective,CounciloftheEuropeanUnion,10335/15,29June2015.54Even if this is not expressly mentioned in Directive 2016/680; by comparison, see Recital 6 CouncilFramework Decision that explicitly specifies ‘the Framework Decision should leave it toMember States todeterminemorepreciselyatnationallevelwhichotherpurposesaretobeconsideredincompatiblewiththepurposesforwhichthepersonaldatawereoriginallycollected.’55art 52(1) Charter is a general limitation clause, whereas art 8(2) ECHR is a specific limitation clauseapplyingonlytointerferenceswiththerighttoprivacy.56Recital73GDPRreadtogetherwithart23GDPR;aspreviouslyobserved,onecouldstillwonderwhetheranydatasubject’srightscanbederivedfromtheprincipleofpurposelimitation(see,n15).

115

5


adifferentpurpose.Basedonthatrecital,onecouldclaimthatArticle4(2)onlyappliestothefurtherprocessingofpersonaldatainitiallycollectedforalawenforcementpurpose.However,becausearecitalisanon-bindingprovision,48onecouldalsoarguethatArticle4(2) canapply to the furtherprocessingofpersonaldata collectedoutside the scopeofDirective2016/680.This ambiguity is problematic because it has consequences for the status of thesubsequentuseofGDPRdata fora lawenforcementpurpose. IfArticle4(2)ofDirective2016/680doesnotapplytothefurtherprocessingofGDPRdata,thereisanuncertaintyon thequalificationof this subsequentprocessingoperation. Should it be consideredasinitialprocessingunderDirective2016/680?DuringthenegotiationsonthedraftPoliceand Criminal Justice Directive, the European Commission opined that such processingshouldbe consideredas ‘initialprocessing' of ‘policeor criminal justice'data insteadoffurther processing.49The European Commission believed that ‘the further processingacross the two legal instruments would create problems,’ thus ‘there were no specificarticles [in the draft Directive] to be used for that.’50As a consequence, following thisinterpretation, the further processing of GDPR data would neither be subject to theprincipleofpurposelimitation,asdefinedinArticle4(1)oftheDirective,norbesubjecttotheconditionsapplicabletofurtherprocessingsetoutinArticle4(2)oftheDirective.Thesituationdoesnot seem,however, tobe that simple.No recital orprovision inboth theGDPR andDirective 2016/680 confirms the European Commission’s views.51Both textsare actually silent on thatmatter. Because of the ambiguouswording of Article 4(2) ofDirective2016/680,itcouldbearguedthatbothhypothesescanbeenvisaged.TheconditionsunderwhichArticle4(2)allowsfurtherprocessingareanalysednext.

Article4(2)ofDirective2016/680asDerogationfromthePrincipleofPurposeLimitation?

Article4(2)oftheDirectiveallowsthefurtherprocessingundertheconditionsoflegality[Article4(2)(a)]aswellasnecessityandproportionality[Article4(2)(b)].However,theseconditions are not linked, implicitly or explicitly, to any compatibility requirement. The

48Recitals are, however, interpretative tools; see Roberto Baratta, ‘Complexity of EU law in the domesticimplementingprocess’(Speechatthe19thQualityofLegislationSeminar‘EULegislativeDrafting:ViewsfromthoseapplyingEUlawintheMemberStates’,3July2014)<http://ec.europa.eu/dgs/legal_service/seminars/20140703_baratta_speech.pdf>accessed10April2018.49TheEuropeanCommissionspecifiedthat ‘ifa legalobligationtotransferdatatothepoliceexisted,suchatransfer would be considered as an initial police processing’ in fn 118 of Proposal for a Directive of theEuropean Parliament and of the Council on the protection of individuals with regard to the processing ofpersonaldatabycompetentauthoritiesforthepurposesofprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andthefreemovementofsuchdata,chsIIandIII,todelegations,14April2015,doc7740/15[2015]<http://www.statewatch.org/news/2015/apr/eu-council-dp-directive-chap-II-7740-15.pdf>accessed10April2018.50ibid.51One could add that statementsmade by the European Commission, as well as by other EU institutions,during the negotiation process of a legislative instrument have no legal binding value in the absence ofreferencetothesestatementsintheinstrumentitself,seeCaseC-292/89RvImmigrationAppealTribunalexparteGustaffDesideriusAntonissen[1991]ECR-I-745,para18.

termisabsentfromtheprovision.Bycomparison,Article3(2)oftheCouncilFrameworkDecision2008/977/JHA,nowreplacedbyDirective2016/680,only applies topurposes‘notincompatible’withthepurposeofcollection.52Thus,itseemsthatArticle3(2)oftheFramework Decision was drafted as an interpretation of the principle of purposelimitationasitonlyauthorisesfurtherprocessing‘notincompatible.’Concerning Article 4(2) of Directive 2016/680, it should bementioned that during thenegotiationsonthedraftPoliceandCriminal JusticeDirective,MemberStatesweresplitonitsscope:somewantedtodefinespecificrulesapplicabletothefurtherprocessingforcompatiblepurposes;others rulesapplicable to incompatiblepurposes.53In theend, theadopted text refers toneither.Thedefinitionof ‘compatiblepurposes' is thus left at thenational level.54Asaconsequence, intheabsenceofcompatibilityrequirement, itcanbededucedthatArticle4(2)ofDirective2016/680applies‘irrespectiveofthecompatibilitybetweenthepurposes.’Assuch,theprovisionconstitutesanexceptiontotheprincipleofpurposelimitationanddiffersfromArticle3(2)oftheFrameworkDecision.Next,ifArticle4(2)ofDirective2016/680isconstruedasaderogationfromtheprincipleof purpose limitation, it is argued that it should be interpreted in accordancewith theCharterofFundamentalRights[Article52(1)oftheCharter]andtheEuropeanConventiononHumanRights[Article8(2)ECHR].55

LowerStandardofProtection?As specified in theGDPR, restrictionsondata subjects’ rightsandon the correspondingdataprotectionprinciples should apply ‘in accordancewith the requirements set out inthe Charter and in the European Convention for the Protection of Human Rights andFundamentalFreedoms.’56OnecouldaddthattherequirementshavetobeunderstoodasinterpretedbytheCJEUandtheEuropeanCourtofHumanRights(ECtHR).Directive2016/680doesnot containa similarprovision. Itonlyprovides, inRecital46,that‘anyrestrictionsoftherightsofthedatasubject’mustbeinaccordancewithboththeCharterandtheECHR.Thus,restrictionsondataprotectionprinciplesarenotexpresslysubject tothesamerequirements. It isarguedherethat,asworded,Directive2016/680

52art3(2)FrameworkDecisionreadsasfollows:‘Furtherprocessingforanotherpurposeshallbepermittedinsofaras:(a)itisnotincompatiblewiththepurposesforwhichthedatawerecollected…’;thisrequirementof‘non-incompatibility’canalsobefoundinPrinciple5oftheCouncilofEurope’sRecommendationR(87)15.53SeediscussionsamongMemberStates,andinparticularthepositionofSwedenopposedtolimittherulesonthefurtherprocessingtocompatiblepurposeswhereastheCzechRepublicsupportedrulesapplicabletopurposes‘notincompatible’withtheinitialpurposeofprocessing;respectivelyfns151and152ofDelegationsDocumentonthedraftproposalDirective,CounciloftheEuropeanUnion,10335/15,29June2015.54Even if this is not expressly mentioned in Directive 2016/680; by comparison, see Recital 6 CouncilFramework Decision that explicitly specifies ‘the Framework Decision should leave it toMember States todeterminemorepreciselyatnationallevelwhichotherpurposesaretobeconsideredincompatiblewiththepurposesforwhichthepersonaldatawereoriginallycollected.’55art 52(1) Charter is a general limitation clause, whereas art 8(2) ECHR is a specific limitation clauseapplyingonlytointerferenceswiththerighttoprivacy.56Recital73GDPRreadtogetherwithart23GDPR;aspreviouslyobserved,onecouldstillwonderwhetheranydatasubject’srightscanbederivedfromtheprincipleofpurposelimitation(see,n15).

116

Chapter 5

providesforalowerstandardofprotectionthantheGDPR.However,sincetheprincipleofpurposelimitationisacomponentofthefundamentalrighttodataprotection,derogationfromthatprincipleshould, inanyevent,be interpretedaccording to thecase lawof theCJEUandtheECtHR.

InterpretationoftheDerogationThe right to the protection of personal data, enshrined in Article 8 of the Charter,expresslyreferstotheprincipleofpurposelimitationasoneofitsconstitutiveelements.Article8,paragraph2,specifiesthatpersonaldata‘mustbeprocessedfairlyforspecifiedpurposes.’FollowingArticle52(1)oftheCharter,restrictionsonfundamentalrightsshouldcomplywith the followingconditions:be ‘providedby law’, ‘respect theessenceof therights’atstake,be ‘subject to theprincipleofproportionality’ and ‘necessaryandgenuinelymeetthe objectives of general interest’ or ‘the need to protect the rights and freedoms ofothers.’AsanalysedbyLynskey,57therequirementsof legality,proportionality,andnecessitysetoutinArticle52(1)canberootedinthecaselawoftheECtHR,whereastherequirementof ‘respect for the essence of the right’ is new.58Thus the legality, necessity andproportionality requirements,providedbyArticle4(2)ofDirective2016/680shouldbeunderstoodasinterpretedbyboththeECtHRandtheCJEU.i.Legality,Necessity,andProportionalityFirst, concerning the legality principle, formulated as ‘in accordance with the law',Directive2016/680 indicates that theprinciple shouldbeunderstoodas interpretedbythetwoCourts.59TheDirectiveis,however,silentontheinterpretationoftheprinciplesofnecessity and proportionality, which are worded in general terms in Article 4(2) ofDirective2016/680.Bycomparison,theGDPRmakesmoreexplicitreferencestothecaselawof theECtHRwhen itdescribes theprinciplesas ‘necessaryandproportionate inademocraticsociety'.60Thiswordingrefersinparticulartotherequirementofnecessitysetout in Article 8(2) ECHR, where any interference with the right to privacy has to be‘necessaryinademocraticsociety’.61Article8ECHRpertainstotherighttoprivacy,whichencompassestherighttotheprotectionofpersonaldataasinterpretedbytheECtHR.62As

57OrlaLynskey,TheFoundationsofEUDataProtectionLaw(OUP2015),ch5,172.58Brkan explains, however, that the requirement of essence can find its origin in several Member States’Constitutions, seeMajaBrkan, ‘In Search of the Concept of Essence of EU Fundamental Rights through thePrismofDataPrivacy’(2017)2017-01MaastrichtFacultyofLawWorkingPaper1,5-10.59Recital33Directive2016/680.60art6(4)GDPR.61TheECtHRhasaddedthecriterionofproportionalityinitsinterpretationofArt8(2)ECHR;egDouweKorff,‘TheStandardApproachunderarticles8-11ECHRandarticle2ECHR’(2009)<http://ec.europa.eu/justice/news/events/conference_dp_2009/presentations_speeches/KORFF_Douwe_a.pdf>accessed10April2018.62egSandMarpervUnitedKingdomAppsnos30562/04and30566/04(ECHR,4December2008),para103where the ECtHR states: ‘[t]he protection of personal data is of fundamental importance to a person’s

suchthecaselawoftheECtHR-asfaras itrelatestotheprotectionofpersonaldataaspart of the right to privacy - is also relevant to the interpretation of the right to theprotectionofpersonaldata.63ii.EssenceoftheRightSecond,ontherequirementof‘respectoftheessenceoftheright’,64verylittlecaselawisavailable onwhat constitutes the ‘essence’ of the fundamental right to data protection.OnlyinSchremsdidtheCourtfindaviolationoftheessenceoftherighttoprivacy(butnotoftherighttodataprotection).65Inmorerecentdecisions,DigitalRightsIrelandandTele2Sverige, the Court checked whether the Data Retention Directive and national dataretention measures violated the essence of the right to data protection. Based on theexistenceof data securityprovisions, theCourt concluded therewasnoviolationof theessenceoftherighttodataprotection.66Thisreasoningpromptedsomeauthorstoarguethat

[t]he Court is therefore perhaps suggesting that the essence of the right to dataprotectionisnotanobjectiveofthatright(suchasprivacyprotectionorindividualcontroloverpersonaldata)butratheritisthemeansofachievingdataprotectionthatconstitutestheessenceoftheright.67

InterestinglyinOpinion01/2015ontheproposedagreementbetweentheEUandCanadaon passenger name record (PNR) data,68the Court seemed to admit that the proposedagreementdoesnotviolatetheessenceoftherighttodataprotectionbecauseitcontains‘rulesintendedtoensure,interalia,thesecurity,confidentialityandintegrityofthatdata,andtoprotectagainstunlawfulaccessandprocessing.’69Thus,theCourtseemstoincludethe principle of purpose limitation (or at least its objective) within the scope of ‘theessence’oftherighttodataprotection.Asaconsequence,thetestoflegality,necessity,andproportionality,setoutinArticle4(2)ofDirective2016/680shouldbe interpretedaccording to the case lawof theCourtsonrespectivelyArticle52(1)oftheCharterandArticle8(2)ECHR.Thecharacteristicsofthedifferent tests are illustrated in the next section with case law. Since Article 4(2) ofDirective2016/680isunderstoodasanexceptiontotheprincipleofpurposelimitation,

enjoyment’s of his or her right to respect for private and family life, as guaranteed by article 8 of theConvention.’63On the relationship between the right to privacy and the right to the protection of personal data, seeLynskey(n57)ch4,89-130.64SeealsoBrkan(n58)13.65Case C-362/14MaximilianSchremsvDataProtectionCommissioner [2015] ECLI:EU:C:2015:650, para 94,where the Court found that ‘permitting the public authorities to have access on a generalised basis to thecontentofelectroniccommunicationsmustberegardedascompromisingtheessenceofthefundamentalrighttorespectforprivatelife.’66DigitalRightsIreland(n3)para40.67Lynskey(n57)ch5,171.68Opinion1/15(n28)69ibidpara150.

117

5


providesforalowerstandardofprotectionthantheGDPR.However,sincetheprincipleofpurposelimitationisacomponentofthefundamentalrighttodataprotection,derogationfromthatprincipleshould, inanyevent,be interpretedaccording to thecase lawof theCJEUandtheECtHR.

InterpretationoftheDerogationThe right to the protection of personal data, enshrined in Article 8 of the Charter,expresslyreferstotheprincipleofpurposelimitationasoneofitsconstitutiveelements.Article8,paragraph2,specifiesthatpersonaldata‘mustbeprocessedfairlyforspecifiedpurposes.’FollowingArticle52(1)oftheCharter,restrictionsonfundamentalrightsshouldcomplywith the followingconditions:be ‘providedby law’, ‘respect theessenceof therights’atstake,be ‘subject to theprincipleofproportionality’ and ‘necessaryandgenuinelymeetthe objectives of general interest’ or ‘the need to protect the rights and freedoms ofothers.’AsanalysedbyLynskey,57therequirementsof legality,proportionality,andnecessitysetoutinArticle52(1)canberootedinthecaselawoftheECtHR,whereastherequirementof ‘respect for the essence of the right’ is new.58Thus the legality, necessity andproportionality requirements,providedbyArticle4(2)ofDirective2016/680shouldbeunderstoodasinterpretedbyboththeECtHRandtheCJEU.i.Legality,Necessity,andProportionalityFirst, concerning the legality principle, formulated as ‘in accordance with the law',Directive2016/680 indicates that theprinciple shouldbeunderstoodas interpretedbythetwoCourts.59TheDirectiveis,however,silentontheinterpretationoftheprinciplesofnecessity and proportionality, which are worded in general terms in Article 4(2) ofDirective2016/680.Bycomparison,theGDPRmakesmoreexplicitreferencestothecaselawof theECtHRwhen itdescribes theprinciplesas ‘necessaryandproportionate inademocraticsociety'.60Thiswordingrefersinparticulartotherequirementofnecessitysetout in Article 8(2) ECHR, where any interference with the right to privacy has to be‘necessaryinademocraticsociety’.61Article8ECHRpertainstotherighttoprivacy,whichencompassestherighttotheprotectionofpersonaldataasinterpretedbytheECtHR.62As

57OrlaLynskey,TheFoundationsofEUDataProtectionLaw(OUP2015),ch5,172.58Brkan explains, however, that the requirement of essence can find its origin in several Member States’Constitutions, seeMajaBrkan, ‘In Search of the Concept of Essence of EU Fundamental Rights through thePrismofDataPrivacy’(2017)2017-01MaastrichtFacultyofLawWorkingPaper1,5-10.59Recital33Directive2016/680.60art6(4)GDPR.61TheECtHRhasaddedthecriterionofproportionalityinitsinterpretationofArt8(2)ECHR;egDouweKorff,‘TheStandardApproachunderarticles8-11ECHRandarticle2ECHR’(2009)<http://ec.europa.eu/justice/news/events/conference_dp_2009/presentations_speeches/KORFF_Douwe_a.pdf>accessed10April2018.62egSandMarpervUnitedKingdomAppsnos30562/04and30566/04(ECHR,4December2008),para103where the ECtHR states: ‘[t]he protection of personal data is of fundamental importance to a person’s

suchthecaselawoftheECtHR-asfaras itrelatestotheprotectionofpersonaldataaspart of the right to privacy - is also relevant to the interpretation of the right to theprotectionofpersonaldata.63ii.EssenceoftheRightSecond,ontherequirementof‘respectoftheessenceoftheright’,64verylittlecaselawisavailable onwhat constitutes the ‘essence’ of the fundamental right to data protection.OnlyinSchremsdidtheCourtfindaviolationoftheessenceoftherighttoprivacy(butnotoftherighttodataprotection).65Inmorerecentdecisions,DigitalRightsIrelandandTele2Sverige, the Court checked whether the Data Retention Directive and national dataretention measures violated the essence of the right to data protection. Based on theexistenceof data securityprovisions, theCourt concluded therewasnoviolationof theessenceoftherighttodataprotection.66Thisreasoningpromptedsomeauthorstoarguethat

[t]he Court is therefore perhaps suggesting that the essence of the right to dataprotectionisnotanobjectiveofthatright(suchasprivacyprotectionorindividualcontroloverpersonaldata)butratheritisthemeansofachievingdataprotectionthatconstitutestheessenceoftheright.67

InterestinglyinOpinion01/2015ontheproposedagreementbetweentheEUandCanadaon passenger name record (PNR) data,68the Court seemed to admit that the proposedagreementdoesnotviolatetheessenceoftherighttodataprotectionbecauseitcontains‘rulesintendedtoensure,interalia,thesecurity,confidentialityandintegrityofthatdata,andtoprotectagainstunlawfulaccessandprocessing.’69Thus,theCourtseemstoincludethe principle of purpose limitation (or at least its objective) within the scope of ‘theessence’oftherighttodataprotection.Asaconsequence,thetestoflegality,necessity,andproportionality,setoutinArticle4(2)ofDirective2016/680shouldbe interpretedaccording to the case lawof theCourtsonrespectivelyArticle52(1)oftheCharterandArticle8(2)ECHR.Thecharacteristicsofthedifferent tests are illustrated in the next section with case law. Since Article 4(2) ofDirective2016/680isunderstoodasanexceptiontotheprincipleofpurposelimitation,

enjoyment’s of his or her right to respect for private and family life, as guaranteed by article 8 of theConvention.’63On the relationship between the right to privacy and the right to the protection of personal data, seeLynskey(n57)ch4,89-130.64SeealsoBrkan(n58)13.65Case C-362/14MaximilianSchremsvDataProtectionCommissioner [2015] ECLI:EU:C:2015:650, para 94,where the Court found that ‘permitting the public authorities to have access on a generalised basis to thecontentofelectroniccommunicationsmustberegardedascompromisingtheessenceofthefundamentalrighttorespectforprivatelife.’66DigitalRightsIreland(n3)para40.67Lynskey(n57)ch5,171.68Opinion1/15(n28)69ibidpara150.

118

Chapter 5

measuresallowingthesubsequentuseofpersonaldatashouldalsobeassessedinrespectoftheirimpactonthe‘essenceofthefundamentalright’todataprotection.Building on the ambiguous wording of Article 4(2) of Directive 2016/680, Section IVsuggestsareadingoftheprovisionthatwouldencompassthefurtherprocessingofGDPRdata.

FurtherProcessingofGDPRDataFallingwithintheScopeofArticle4(2)ofDirective2016/680

Asexplainedintheintroduction,thearticlediscussestheroleoftheprincipleofpurposelimitationwhenGDPR data are re-used for one of the purposes of Directive 2016/680.Whentheprocessingactivitiesarecarriedoutacrossthetwoinstruments,nospecificroleseems to have been assigned to the principle of purpose limitation. For illustrationpurposes, one could refer to the examples provided in the introduction on the furtherprocessing of personal data: the case of law enforcement access and further use ofbiometricdataheldbysocialnetworks,employersorschoolsforadministrationpurposes.Based on other authors’ analysis,70this section suggests a different approach to theprinciple of purpose limitation focusing on the subsequent use of personal data. Article4(2)ofDirective2016/680seemstofollowthisapproachasitregulatestheconditionsoffurther processing, irrespective of the compatibility between the purposes. Thus, thearticle proposes a reading of Article 4(2) that would apply to personal data initiallycollected forapurposewithinoroutside thescopeof theDirective.Tocontrolhow lawenforcementauthoritiesfurtheruseGDPRdata,thearticlesuggeststyingtheprincipleofpurpose limitation to the accountability obligation of law enforcement authorities (i.e.Article19ofDirective2016/680).

FocusontheRegulationofDataUseinsteadofDataCollection?Itcouldbearguedthattheprincipleofpurposelimitationhasnotbeenforgotten,butitsapplication in the specific scenario of reprocessing GDPR data for a law enforcementpurposeislefttothediscretionofMemberStates.Thisinterpretationwould,however,notbe consistent with the fundamental nature of the principle. Thus, it seems difficult tobypasstheprinciple.Butsincethenewtechnologicalenvironmentdidnotexistatthetimetheprinciplewasfirstadopted,someauthorshavequestioneditsapplicabilityasinitiallyconceived.In the context of big data,Morel andPrins have shown the inadequacy of the principlewiththemass-collectionofpersonaldataandproposeinsteadatestbasedonlegitimate

70Inthecontextofbigdataandbigdataanalytics.

interests.71Iftheprincipleofpurposelimitationisnotadaptedtobigdata,72itis,however,questionable if it could be replaced by a test based on the legitimate interests of datacontrollers,assuggestedbytheauthors.MoreinterestinginthecontextofthispaperaretheargumentsbroughtforwardbyCoudertontheapplicationoftheprincipleofpurposelimitation in the field of law enforcement cooperation. In awell-argued article, CoudertanalysestheprovisionsonpurposelimitationinthenewEuropolRegulation.73AccordingtoCoudert,theEuropolRegulationmovestowardsadifferentapproachtotheprincipleofpurposelimitationinthecontextofbigdataanalyticsinthecriminalfield.Inherview,thetraditional approach of the principle that she describes as a ‘silo-based’ approach –referringtotheseparationofdataindistinctdatabases–isreplacedby‘theregulationoflegitimatedatauses’.74However,assheexplains,theEuropolRegulationfallsshortonthepractical implementationof thisnewapproach.75To control theuseofpersonaldatabydata controllers and restrict further processing, Coudert suggests relying on privacy bydesignobligationsandontheoversightbynationaldataprotectionauthorities.76Inthecurrentarticle,thecontextofprocessingdoesnotfocusonbigdataanalyticsbutonthe subsequent use of GDPR data in the context of criminal investigations77or criminalsurveillance.78Theinterpretationsuggestedbyotherscholarsmight,thus,notbeentirelysuitable.Instead,thepaperfocusesonthebreadthofArticle4(2)ofDirective2016/680.The next subsection suggests a reading of the provision thatwould apply to any initialprocessing.Assuch,thefurtherprocessingofGDPRdatawouldbesubjecttoArticle4(2)ofDirective2016/680.

InterpretationofArticle4(2)toEncompassSubsequentUsesofGDPRDataBased on the findings of the previous section, the article attempts to provide aninterpretationofthelegality,necessityandproportionalityofthesubsequentuseofGDPRdata for a law enforcement purpose. Since Article 4(2) of Directive 2016/680 is

71eg Lokke Moerel and Corien Prins, ‘Privacy for the Homo Digitalis, Proposal for a New RegulatoryFramework for Data Protection in the Light of Big Data and the Internet of Things' (SSRN, 25May 2016)<https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2784123>accessed10April2018.72Big data challenges indeed the principle of purpose limitation and other data protection principles, seeChristopher Kuner et al, ‘The Challenge of “Big Data” for Data Protection’ (2012) 2(2) International DataPrivacyLaw47; aswell as IraRubinstein, ‘BigData:TheEndofPrivacyor aNewBeginning?’ (2013)3(2)InternationalDataPrivacyLaw74.73EuropolRegulation(n23).74Coudert(n28)4.75ibid.76ibid10-12.77Criminalinvestigationusuallystartswithanoffenceandfallswithinthecriminalproceduralframework.78Criminalsurveillanceisnotlinkedtoaspecificoffencebutto ‘risksandthreatstosecurity’, it isgenerallyusedtoanticipateorpreventcriminaloffences;dependingonthecountries,criminalsurveillanceiscoveredornot by the criminal procedural framework, see John AE Vervaele, ‘Surveillance and Criminal Investigation:BlurringofThresholdsandBoundariesintheCriminalJusticeSystem’inSergeGutwirth,RonaldLeenesandPaul de Hert (eds), ReloadingDataProtection (Springer 2014) 115-116. The distinction between criminalinvestigationandcriminalsurveillanceisnotalwaysclear-cut,inparticular,criminalsurveillancecanbeusedinacontextofcriminal investigationandtargetspecific individuals,seeIraRubinstein,GregoryNojeimandRonaldLee,‘SystematicGovernmentAccesstoPrivate-SectorData,AComparativeAnalysis’inFredCateandJamesDempsey (eds),Bulkcollection,SystematicGovernment’sAccesstoPrivate-SectorData(OUP2017) 38-42.

119

5


measuresallowingthesubsequentuseofpersonaldatashouldalsobeassessedinrespectoftheirimpactonthe‘essenceofthefundamentalright’todataprotection.Building on the ambiguous wording of Article 4(2) of Directive 2016/680, Section IVsuggestsareadingoftheprovisionthatwouldencompassthefurtherprocessingofGDPRdata.

FurtherProcessingofGDPRDataFallingwithintheScopeofArticle4(2)ofDirective2016/680

Asexplainedintheintroduction,thearticlediscussestheroleoftheprincipleofpurposelimitationwhenGDPR data are re-used for one of the purposes of Directive 2016/680.Whentheprocessingactivitiesarecarriedoutacrossthetwoinstruments,nospecificroleseems to have been assigned to the principle of purpose limitation. For illustrationpurposes, one could refer to the examples provided in the introduction on the furtherprocessing of personal data: the case of law enforcement access and further use ofbiometricdataheldbysocialnetworks,employersorschoolsforadministrationpurposes.Based on other authors’ analysis,70this section suggests a different approach to theprinciple of purpose limitation focusing on the subsequent use of personal data. Article4(2)ofDirective2016/680seemstofollowthisapproachasitregulatestheconditionsoffurther processing, irrespective of the compatibility between the purposes. Thus, thearticle proposes a reading of Article 4(2) that would apply to personal data initiallycollected forapurposewithinoroutside thescopeof theDirective.Tocontrolhow lawenforcementauthoritiesfurtheruseGDPRdata,thearticlesuggeststyingtheprincipleofpurpose limitation to the accountability obligation of law enforcement authorities (i.e.Article19ofDirective2016/680).

FocusontheRegulationofDataUseinsteadofDataCollection?Itcouldbearguedthattheprincipleofpurposelimitationhasnotbeenforgotten,butitsapplication in the specific scenario of reprocessing GDPR data for a law enforcementpurposeislefttothediscretionofMemberStates.Thisinterpretationwould,however,notbe consistent with the fundamental nature of the principle. Thus, it seems difficult tobypasstheprinciple.Butsincethenewtechnologicalenvironmentdidnotexistatthetimetheprinciplewasfirstadopted,someauthorshavequestioneditsapplicabilityasinitiallyconceived.In the context of big data,Morel andPrins have shown the inadequacy of the principlewiththemass-collectionofpersonaldataandproposeinsteadatestbasedonlegitimate

70Inthecontextofbigdataandbigdataanalytics.

interests.71Iftheprincipleofpurposelimitationisnotadaptedtobigdata,72itis,however,questionable if it could be replaced by a test based on the legitimate interests of datacontrollers,assuggestedbytheauthors.MoreinterestinginthecontextofthispaperaretheargumentsbroughtforwardbyCoudertontheapplicationoftheprincipleofpurposelimitation in the field of law enforcement cooperation. In awell-argued article, CoudertanalysestheprovisionsonpurposelimitationinthenewEuropolRegulation.73AccordingtoCoudert,theEuropolRegulationmovestowardsadifferentapproachtotheprincipleofpurposelimitationinthecontextofbigdataanalyticsinthecriminalfield.Inherview,thetraditional approach of the principle that she describes as a ‘silo-based’ approach –referringtotheseparationofdataindistinctdatabases–isreplacedby‘theregulationoflegitimatedatauses’.74However,assheexplains,theEuropolRegulationfallsshortonthepractical implementationof thisnewapproach.75To control theuseofpersonaldatabydata controllers and restrict further processing, Coudert suggests relying on privacy bydesignobligationsandontheoversightbynationaldataprotectionauthorities.76Inthecurrentarticle,thecontextofprocessingdoesnotfocusonbigdataanalyticsbutonthe subsequent use of GDPR data in the context of criminal investigations77or criminalsurveillance.78Theinterpretationsuggestedbyotherscholarsmight,thus,notbeentirelysuitable.Instead,thepaperfocusesonthebreadthofArticle4(2)ofDirective2016/680.The next subsection suggests a reading of the provision thatwould apply to any initialprocessing.Assuch,thefurtherprocessingofGDPRdatawouldbesubjecttoArticle4(2)ofDirective2016/680.

InterpretationofArticle4(2)toEncompassSubsequentUsesofGDPRDataBased on the findings of the previous section, the article attempts to provide aninterpretationofthelegality,necessityandproportionalityofthesubsequentuseofGDPRdata for a law enforcement purpose. Since Article 4(2) of Directive 2016/680 is

71eg Lokke Moerel and Corien Prins, ‘Privacy for the Homo Digitalis, Proposal for a New RegulatoryFramework for Data Protection in the Light of Big Data and the Internet of Things' (SSRN, 25May 2016)<https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2784123>accessed10April2018.72Big data challenges indeed the principle of purpose limitation and other data protection principles, seeChristopher Kuner et al, ‘The Challenge of “Big Data” for Data Protection’ (2012) 2(2) International DataPrivacyLaw47; aswell as IraRubinstein, ‘BigData:TheEndofPrivacyor aNewBeginning?’ (2013)3(2)InternationalDataPrivacyLaw74.73EuropolRegulation(n23).74Coudert(n28)4.75ibid.76ibid10-12.77Criminalinvestigationusuallystartswithanoffenceandfallswithinthecriminalproceduralframework.78Criminalsurveillanceisnotlinkedtoaspecificoffencebutto ‘risksandthreatstosecurity’, it isgenerallyusedtoanticipateorpreventcriminaloffences;dependingonthecountries,criminalsurveillanceiscoveredornot by the criminal procedural framework, see John AE Vervaele, ‘Surveillance and Criminal Investigation:BlurringofThresholdsandBoundariesintheCriminalJusticeSystem’inSergeGutwirth,RonaldLeenesandPaul de Hert (eds), ReloadingDataProtection (Springer 2014) 115-116. The distinction between criminalinvestigationandcriminalsurveillanceisnotalwaysclear-cut,inparticular,criminalsurveillancecanbeusedinacontextofcriminal investigationandtargetspecific individuals,seeIraRubinstein,GregoryNojeimandRonaldLee,‘SystematicGovernmentAccesstoPrivate-SectorData,AComparativeAnalysis’inFredCateandJamesDempsey (eds),Bulkcollection,SystematicGovernment’sAccesstoPrivate-SectorData(OUP2017) 38-42.

120

Chapter 5

109

interpreted as derogation from the principle of purpose limitation, the article alsodiscusseswhetherandhowthe‘essenceoftheright’shouldbeaddedasanextracriterion.

‘InAccordancewiththeLaw’The first condition ‘in accordance with the law’ sets up the legality requirement.ExtensivelyinterpretedbytheECtHR,79theterm‘law’isbroadlyunderstoodanddoesnotneed to result from a legislative procedure.80The law needs, however, to be clear,accessibleandforeseeable.81Thelegalityrequirementdoesnotcallformanyremarks.Onthe foreseeability aspect one could, however, observe that the ECtHR has introducednuances taking into account the context of the interference. In a general context, aforeseeable law is a law, which is ‘formulated with sufficient precision to enable anyindividual –if need bewith appropriate advice – to regulate his conduct.’82A law is forinstance sufficiently precise if it describes its scope; provides safeguards to ensure thesecurity, confidentiality, and safety of the data; and details how the data are stored,retainedandfurtherused.Thoseexamplesoriginatefromcase lawontheretentionandstorage of biometric and DNA data for criminal purposes.83In the context of police-ledsurveillance (such as interceptions of communications)84or secret surveillance in theinterest of national security, 85 the ECtHR has established a different standard.Foreseeability in those contexts ‘cannot mean that an individual should be enabled toforeseepreciselywhat checkswillbemade.’ Instead, the lawshouldbe clearenough togive an ‘appropriate indication’ as to the ‘circumstances’ and ‘conditions’ under whichsurveillancemeasuresareallowed.86In the case of subsequent use of GDPR data for law enforcement purposes, the legalityrequirementcould imply theexistenceofanational criminalprocedural law thatwoulddetail the conditionsunderwhichpersonaldata canbe requested, accessedand furtherused.Ifthedataarenecessaryforsurveillancepurposes,thenational lawwouldhavetoprovide an ’adequate indication’ as to the ‘circumstances’ and ‘conditions’ underwhichsurveillancemeasuresareallowed.AccordingtotheECtHR,thelawmustcontainspecificsafeguards,whichinclude‘proceduretobefollowedforexamining,usingandstoringtheobtaineddata.’87

79egMalonevUKAppno8691/79(ECHR,2August1984),paras66-68;RotaruvRomaniaAppno28341/95(ECHR, 4 May 2000), para 52; Association for European Integration and Human Rights and Ekimdzhiev vBulgariaAppno62540/00(ECHR,28June2007),para71.80Recital33Directive2016/680.81egMalone(n79)para67.82egRotaru(n79)para55;butalso,SandMarper(n62)para95.83SandMarper(n62)para99.84egMalone(n79).85egLeandervSwedenAppno9248/81(ECHR,26March1987).86egMalone(n79)para67ascitedforexampleinLeander(n85)para51andAmannvSwitzerlandAppno27798/95(ECHR,16February2000)para56.87WeberandSaraviavGermanyAppno54934/00(ECHR,29June2006),para95.

110

Onitsside, theCJEUinterpretsthe legalityrequirementbyreferenceandanalogytothecaselawoftheECtHRonArticle8ECHR.88Asaconsequence,anationalorEUlegislationmust‘laydownclearandpreciserules’onthe‘scope’and‘application’ofthemeasureandprovide‘minimumsafeguards’topreventabuses,suchas‘unlawfulaccessanduse’ofdatainthecasesofdataretention.Thesameconditionsapplyirrespectiveofthefield,whetherornotitfallswithinthescopeoflawenforcement.In conclusion, under Article 4(2)(a) of Directive 2016/680, a legality test should beperformed.Thatwould implychecking ifa specificnational law(e.g.anationalcriminalprocedural law)allowing lawenforcementauthorities (e.g.policeauthorities) to furtherprocesspersonaldataheldbythirdpartiescontainstheelementsdescribedbythecourts.Thetwootherrequirements,proportionalityandnecessity,aremoresubjectivethanthelegalityrequirement.Theyaredealtwithseparately,butaspointedoutbytheEuropeanDataProtectionSupervisor(EDPS),theyoverlapandcould‘becarriedoutconcurrentlyoreven in the reverse order.’89However, the order followed here is the one provided byArticle4(2)ofDirective2016/680.Itisfairtosaythatduetotheorderifthemeasurehasnotpassedthe‘testofnecessity’,theprincipleofproportionalityshouldnotbeassessed.90

‘NecessarytothatOtherPurpose’TheECtHRandtheCJEUhaveissuedslightlydifferenttestsofnecessity.AccordingtotheECtHR, ‘necessity’referstoameasurethat ‘isnecessaryinademocraticsociety.’91Inthecontextoftheprotectionofpersonaldata,thismeansthatameasureanswers‘apressingsocialneed’tomeetthenecessityrequirement.92MemberStatesbenefitfromamarginofappreciation to determine the existence of a ‘pressing social need’.93The protection ofnational security constitutes, for instance, a pressing social need.94As analysed by theA29WP, the test of ‘pressing social need’ is definedby the ‘context’ of themeasure and‘evidence’of thenecessityof suchameasure for society.95Asa consequence, theECtHRonlyappliesatestofstrictnecessityifthecircumstancesoftheinterferencerequireit.In

88egDigitalRightsIreland(n 3) para 54; Joined Cases C-203/15 and C-698/15Tele2SverigeABvPost-ochtelestyrelsen and Secretary of State for the Home Department v Tom Watson and others [2016]ECLI:EU:C:2016:970,para109.89EDPS, ‘Assessing thenecessity ofmeasures that limit the fundamental right todataprotection:A toolkit’[2017] <https://edps.europa.eu/sites/edp/files/publication/17-04-11_necessity_toolkit_en_0.pdf > accessed10April2018.90ibid5.91See Handyside v UK App no 5493/72 (ECHR, 7 December 1976), para 48 where the Court described‘necessity’inthefollowingterms‘whilsttheadjective“necessary”…isnotsynonymouswith“indispensable”…,“thewordsabsolutelynecessary”and“strictlynecessary”…neitherhasittheflexibilityofsuchexpressionsas“admissible”,“ordinary”,…”useful”,“reasonable”…or“desirable.”’92egSandMarper(n62)para101;forfurtherdetailsseeStevenGreer, ‘ExceptionstoArticle8to11oftheEuropeanConventiononHumanRights’ (1997)<http://www.echr.coe.int/LibraryDocs/DG2/HRFILES/DG2-EN-HRFILES-15(1997).pdf>accessed10April2018.93Thismargin depends on ‘the nature of the legitimate aimpursued’ and ‘on the nature of interference atstake’,seeConnorsvtheUnitedKingdomAppno66746/01(ECHR,27May2004),para82.94Leander(n85)para59.95A29WP,‘Opinion01/2014ontheapplicationofnecessityandproportionalityconceptsanddataprotectionwithinthelawenforcementsector’[2014]WP211.

121

5


109

interpreted as derogation from the principle of purpose limitation, the article alsodiscusseswhetherandhowthe‘essenceoftheright’shouldbeaddedasanextracriterion.

‘InAccordancewiththeLaw’The first condition ‘in accordance with the law’ sets up the legality requirement.ExtensivelyinterpretedbytheECtHR,79theterm‘law’isbroadlyunderstoodanddoesnotneed to result from a legislative procedure.80The law needs, however, to be clear,accessibleandforeseeable.81Thelegalityrequirementdoesnotcallformanyremarks.Onthe foreseeability aspect one could, however, observe that the ECtHR has introducednuances taking into account the context of the interference. In a general context, aforeseeable law is a law, which is ‘formulated with sufficient precision to enable anyindividual –if need bewith appropriate advice – to regulate his conduct.’82A law is forinstance sufficiently precise if it describes its scope; provides safeguards to ensure thesecurity, confidentiality, and safety of the data; and details how the data are stored,retainedandfurtherused.Thoseexamplesoriginatefromcase lawontheretentionandstorage of biometric and DNA data for criminal purposes.83In the context of police-ledsurveillance (such as interceptions of communications)84or secret surveillance in theinterest of national security, 85 the ECtHR has established a different standard.Foreseeability in those contexts ‘cannot mean that an individual should be enabled toforeseepreciselywhat checkswillbemade.’ Instead, the lawshouldbe clearenough togive an ‘appropriate indication’ as to the ‘circumstances’ and ‘conditions’ under whichsurveillancemeasuresareallowed.86In the case of subsequent use of GDPR data for law enforcement purposes, the legalityrequirementcould imply theexistenceofanational criminalprocedural law thatwoulddetail the conditionsunderwhichpersonaldata canbe requested, accessedand furtherused.Ifthedataarenecessaryforsurveillancepurposes,thenational lawwouldhavetoprovide an ’adequate indication’ as to the ‘circumstances’ and ‘conditions’ underwhichsurveillancemeasuresareallowed.AccordingtotheECtHR,thelawmustcontainspecificsafeguards,whichinclude‘proceduretobefollowedforexamining,usingandstoringtheobtaineddata.’87

79egMalonevUKAppno8691/79(ECHR,2August1984),paras66-68;RotaruvRomaniaAppno28341/95(ECHR, 4 May 2000), para 52; Association for European Integration and Human Rights and Ekimdzhiev vBulgariaAppno62540/00(ECHR,28June2007),para71.80Recital33Directive2016/680.81egMalone(n79)para67.82egRotaru(n79)para55;butalso,SandMarper(n62)para95.83SandMarper(n62)para99.84egMalone(n79).85egLeandervSwedenAppno9248/81(ECHR,26March1987).86egMalone(n79)para67ascitedforexampleinLeander(n85)para51andAmannvSwitzerlandAppno27798/95(ECHR,16February2000)para56.87WeberandSaraviavGermanyAppno54934/00(ECHR,29June2006),para95.

110

Onitsside, theCJEUinterpretsthe legalityrequirementbyreferenceandanalogytothecaselawoftheECtHRonArticle8ECHR.88Asaconsequence,anationalorEUlegislationmust‘laydownclearandpreciserules’onthe‘scope’and‘application’ofthemeasureandprovide‘minimumsafeguards’topreventabuses,suchas‘unlawfulaccessanduse’ofdatainthecasesofdataretention.Thesameconditionsapplyirrespectiveofthefield,whetherornotitfallswithinthescopeoflawenforcement.In conclusion, under Article 4(2)(a) of Directive 2016/680, a legality test should beperformed.Thatwould implychecking ifa specificnational law(e.g.anationalcriminalprocedural law)allowing lawenforcementauthorities (e.g.policeauthorities) to furtherprocesspersonaldataheldbythirdpartiescontainstheelementsdescribedbythecourts.Thetwootherrequirements,proportionalityandnecessity,aremoresubjectivethanthelegalityrequirement.Theyaredealtwithseparately,butaspointedoutbytheEuropeanDataProtectionSupervisor(EDPS),theyoverlapandcould‘becarriedoutconcurrentlyoreven in the reverse order.’89However, the order followed here is the one provided byArticle4(2)ofDirective2016/680.Itisfairtosaythatduetotheorderifthemeasurehasnotpassedthe‘testofnecessity’,theprincipleofproportionalityshouldnotbeassessed.90

‘NecessarytothatOtherPurpose’TheECtHRandtheCJEUhaveissuedslightlydifferenttestsofnecessity.AccordingtotheECtHR, ‘necessity’referstoameasurethat ‘isnecessaryinademocraticsociety.’91Inthecontextoftheprotectionofpersonaldata,thismeansthatameasureanswers‘apressingsocialneed’tomeetthenecessityrequirement.92MemberStatesbenefitfromamarginofappreciation to determine the existence of a ‘pressing social need’.93The protection ofnational security constitutes, for instance, a pressing social need.94As analysed by theA29WP, the test of ‘pressing social need’ is definedby the ‘context’ of themeasure and‘evidence’of thenecessityof suchameasure for society.95Asa consequence, theECtHRonlyappliesatestofstrictnecessityifthecircumstancesoftheinterferencerequireit.In

88egDigitalRightsIreland(n 3) para 54; Joined Cases C-203/15 and C-698/15Tele2SverigeABvPost-ochtelestyrelsen and Secretary of State for the Home Department v Tom Watson and others [2016]ECLI:EU:C:2016:970,para109.89EDPS, ‘Assessing thenecessity ofmeasures that limit the fundamental right todataprotection:A toolkit’[2017] <https://edps.europa.eu/sites/edp/files/publication/17-04-11_necessity_toolkit_en_0.pdf > accessed10April2018.90ibid5.91See Handyside v UK App no 5493/72 (ECHR, 7 December 1976), para 48 where the Court described‘necessity’inthefollowingterms‘whilsttheadjective“necessary”…isnotsynonymouswith“indispensable”…,“thewordsabsolutelynecessary”and“strictlynecessary”…neitherhasittheflexibilityofsuchexpressionsas“admissible”,“ordinary”,…”useful”,“reasonable”…or“desirable.”’92egSandMarper(n62)para101;forfurtherdetailsseeStevenGreer, ‘ExceptionstoArticle8to11oftheEuropeanConventiononHumanRights’ (1997)<http://www.echr.coe.int/LibraryDocs/DG2/HRFILES/DG2-EN-HRFILES-15(1997).pdf>accessed10April2018.93Thismargin depends on ‘the nature of the legitimate aimpursued’ and ‘on the nature of interference atstake’,seeConnorsvtheUnitedKingdomAppno66746/01(ECHR,27May2004),para82.94Leander(n85)para59.95A29WP,‘Opinion01/2014ontheapplicationofnecessityandproportionalityconceptsanddataprotectionwithinthelawenforcementsector’[2014]WP211.

122

Chapter 5

thecontextof ‘secretsurveillance’, theCourtruled inparticular that interferencehadtomeetthecriteriaof‘strictnecessity.’96As for the CJEU, the Court has developed a test of ‘strict necessity’ in its case law onArticles7and8oftheCharterofFundamentalRights.Thetestofnecessityapplieseveninthecontextoflawenforcementorinrelationtosurveillancemeasures.97AccordingtotheEDPS,

therequirementof‘strictnecessity’flowsfromtheimportantroletheprocessingofpersonal data entails for a series of fundamental rights, including freedom ofexpression. Even if specific rules are adopted in the field of law enforcement, forinstance, Directive 2016/680, this does not justify a different assessment ofnecessity.98

OnecouldgetinspirationfromthetoolkitdevelopedbytheEDPSonthetestofnecessitytoguidetheEUinstitutionsbeforetheadoptionofnewlegislativemeasures.BasedonthecaselawoftheCJEUandtheECtHR,thetestofnecessityrequiresa‘factual’analysis,theidentification of the fundamental rights impaired, the objective of themeasure and the‘less intrusive’ option to achieve the samegoal.99Transposed to ameasure allowing thesubsequent use of GDPR for a law enforcement purpose, the test of necessity wouldrequire going through the four steps. First, the factual assessment of the furtherprocessing could determine whether the processing is strictly necessary to the lawenforcement purpose. That would imply identifying the purpose, such as criminalinvestigation or criminal surveillance (and whether targeted or not). Different factorscould be taken into account such as the individuals impacted by the further processing(suspects, witnesses, victims or citizens); the type of data processed (sensitive data orpersonaldata);thekindsofprocessingoperationsaswellasthepersonswhohaveaccessto theprocesseddata.Anassessmentof impactsondata subjects’ rights should alsobecarriedout,andinparticularhowindividualswillbeabletoexercisetheirrighttoremedy.Finally,itmightbeessentialtoconsidertheinitialcontextofprocessing,especiallywhendataarefurtherusedforcriminalsurveillance.

‘ProportionatetothatOtherPurpose’Asobservedbysomeauthors,itmightbedifficulttodistinguishthetestofnecessityfromthetestofproportionality.100AdvocateGeneralMadurowrote inHuber that ‘theconceptofnecessity…iswellestablishedaspartoftheproportionalitytest.’101Inanarrowsense,however,thetestofproportionalityrefersto‘proportionalitystrictosensu’.Accordingto

96SzabóandVissyvHungaryAppno37138/14(ECHR,12January2016),para73.97egDigitalRightsIreland(n3);Tele2Sverige(n88),andSchrems(n65).98EDPS(n89)7.99EDPS(n89).100StevePeersandSachaPrechal,‘Article52’inStevePeersetal(eds),TheEUCharterofFundamentalRights,ACommentary(HartPublishing2014),1480101Case C-524/06 Heinz Huber v Bundesrepublik Deutschland [2008] ECLI:EU:C:2008:194, Opinion of AGMaduro,para27.

theCJEU,proportionatemeasuresare‘appropriate’inrelationtotheirobjectivesand‘donot go beyond what is necessary’.102The analysis of what constitutes a measure that‘wouldgobeyondwhatisnecessary’ isveryfactual.Forexample,theCJEUhasreliedontheexistenceof‘specificguarantees’toensurethattheprocessingofsensitivedata(suchasfingerprints)was‘effectivelyprotectedfrommisuseandabuse’.103Concerning the subsequent use of GDPR data for a law enforcement purpose, theproportionalityofthemeasuremightbeassessedtakingintoaccountexistingsafeguards(suchaslimitedstorageofdatainanidentifiableform,descriptionofuses,procedurestopreservetheconfidentiality,security,andintegrityofthedata).104

MissingCriterion:RespectoftheEssenceoftheFundamentalRighttoDataProtection?

As explained, the requirement of ‘respect of the essence of the right’ is a conditionimposedbyArticle52(1)oftheCharteronthelimitationstofundamentalrights.Yet,ifasargued in the previous section, Article 4(2) of Directive 2016/680 is construed as anexception to the principle of purpose limitation, its application should complywith therequirementsoftheCharterandtheECHRasrespectivelyinterpretedbytheCJEUandtheECtHR.On the constitutive elementsof the ‘essenceof the right’ todataprotection, fewdetailsareavailable.However,asmentionedintheprevioussection,inOpinion1/15,theCJEUestablishedthe ‘protect[ion]againstunlawfulaccessandprocessing’asanelementoftheessenceoftheright.105Thecriterionof‘essenceoftheright’isabsentfromArticle4(2)ofDirective2016/680.IfitisacceptedthattheprovisionshouldbeinterpretedincompliancewithArticle52(1)oftheCharter,theessencecriterionshouldalsobeassessed.

AccountabilityofLawEnforcementAuthoritiesasAdditionalSafeguard?Last, as already suggested,106a different approach to theprinciple of purpose limitationshouldbesupportedbyadditionalsafeguards.Article19ofDirective2016/680setsoutthe accountability of law enforcement authorities to enable them to demonstratecompliance with their data protection obligations. As worded,107 the principle ofaccountability relates to theobligation that lawenforcementauthoritieshave tocomplywiththeirdataprotectionobligations.Eveniftheprovisionisvague,ittiestheobligationofaccountabilitytotheimplementationof appropriate technical and organisational measures, such as the obligation of ‘dataprotectionbydesign’.Thatcould includetheadoptionofpoliciesdescribing the legality,

102egCaseC-291/12MichaelSchwarzvStadtBochum[2013]ECLI:EU:C:2013:670,para40.103ibidpara55etseq,referringtoSandMarper(n62)para103.104egSandMarper(n62)para99.105Opinion1/15(n28)para150.106Coudert(n28).107art19Directive2016/680.

123

5


thecontextof ‘secretsurveillance’, theCourtruled inparticular that interferencehadtomeetthecriteriaof‘strictnecessity.’96As for the CJEU, the Court has developed a test of ‘strict necessity’ in its case law onArticles7and8oftheCharterofFundamentalRights.Thetestofnecessityapplieseveninthecontextoflawenforcementorinrelationtosurveillancemeasures.97AccordingtotheEDPS,

therequirementof‘strictnecessity’flowsfromtheimportantroletheprocessingofpersonal data entails for a series of fundamental rights, including freedom ofexpression. Even if specific rules are adopted in the field of law enforcement, forinstance, Directive 2016/680, this does not justify a different assessment ofnecessity.98

OnecouldgetinspirationfromthetoolkitdevelopedbytheEDPSonthetestofnecessitytoguidetheEUinstitutionsbeforetheadoptionofnewlegislativemeasures.BasedonthecaselawoftheCJEUandtheECtHR,thetestofnecessityrequiresa‘factual’analysis,theidentification of the fundamental rights impaired, the objective of themeasure and the‘less intrusive’ option to achieve the samegoal.99Transposed to ameasure allowing thesubsequent use of GDPR for a law enforcement purpose, the test of necessity wouldrequire going through the four steps. First, the factual assessment of the furtherprocessing could determine whether the processing is strictly necessary to the lawenforcement purpose. That would imply identifying the purpose, such as criminalinvestigation or criminal surveillance (and whether targeted or not). Different factorscould be taken into account such as the individuals impacted by the further processing(suspects, witnesses, victims or citizens); the type of data processed (sensitive data orpersonaldata);thekindsofprocessingoperationsaswellasthepersonswhohaveaccessto theprocesseddata.Anassessmentof impactsondata subjects’ rights should alsobecarriedout,andinparticularhowindividualswillbeabletoexercisetheirrighttoremedy.Finally,itmightbeessentialtoconsidertheinitialcontextofprocessing,especiallywhendataarefurtherusedforcriminalsurveillance.

‘ProportionatetothatOtherPurpose’Asobservedbysomeauthors,itmightbedifficulttodistinguishthetestofnecessityfromthetestofproportionality.100AdvocateGeneralMadurowrote inHuber that ‘theconceptofnecessity…iswellestablishedaspartoftheproportionalitytest.’101Inanarrowsense,however,thetestofproportionalityrefersto‘proportionalitystrictosensu’.Accordingto

96SzabóandVissyvHungaryAppno37138/14(ECHR,12January2016),para73.97egDigitalRightsIreland(n3);Tele2Sverige(n88),andSchrems(n65).98EDPS(n89)7.99EDPS(n89).100StevePeersandSachaPrechal,‘Article52’inStevePeersetal(eds),TheEUCharterofFundamentalRights,ACommentary(HartPublishing2014),1480101Case C-524/06 Heinz Huber v Bundesrepublik Deutschland [2008] ECLI:EU:C:2008:194, Opinion of AGMaduro,para27.

theCJEU,proportionatemeasuresare‘appropriate’inrelationtotheirobjectivesand‘donot go beyond what is necessary’.102The analysis of what constitutes a measure that‘wouldgobeyondwhatisnecessary’ isveryfactual.Forexample,theCJEUhasreliedontheexistenceof‘specificguarantees’toensurethattheprocessingofsensitivedata(suchasfingerprints)was‘effectivelyprotectedfrommisuseandabuse’.103Concerning the subsequent use of GDPR data for a law enforcement purpose, theproportionalityofthemeasuremightbeassessedtakingintoaccountexistingsafeguards(suchaslimitedstorageofdatainanidentifiableform,descriptionofuses,procedurestopreservetheconfidentiality,security,andintegrityofthedata).104

MissingCriterion:RespectoftheEssenceoftheFundamentalRighttoDataProtection?

As explained, the requirement of ‘respect of the essence of the right’ is a conditionimposedbyArticle52(1)oftheCharteronthelimitationstofundamentalrights.Yet,ifasargued in the previous section, Article 4(2) of Directive 2016/680 is construed as anexception to the principle of purpose limitation, its application should complywith therequirementsoftheCharterandtheECHRasrespectivelyinterpretedbytheCJEUandtheECtHR.On the constitutive elementsof the ‘essenceof the right’ todataprotection, fewdetailsareavailable.However,asmentionedintheprevioussection,inOpinion1/15,theCJEUestablishedthe ‘protect[ion]againstunlawfulaccessandprocessing’asanelementoftheessenceoftheright.105Thecriterionof‘essenceoftheright’isabsentfromArticle4(2)ofDirective2016/680.IfitisacceptedthattheprovisionshouldbeinterpretedincompliancewithArticle52(1)oftheCharter,theessencecriterionshouldalsobeassessed.

AccountabilityofLawEnforcementAuthoritiesasAdditionalSafeguard?Last, as already suggested,106a different approach to theprinciple of purpose limitationshouldbesupportedbyadditionalsafeguards.Article19ofDirective2016/680setsoutthe accountability of law enforcement authorities to enable them to demonstratecompliance with their data protection obligations. As worded,107 the principle ofaccountability relates to theobligation that lawenforcementauthoritieshave tocomplywiththeirdataprotectionobligations.Eveniftheprovisionisvague,ittiestheobligationofaccountabilitytotheimplementationof appropriate technical and organisational measures, such as the obligation of ‘dataprotectionbydesign’.Thatcould includetheadoptionofpoliciesdescribing the legality,

102egCaseC-291/12MichaelSchwarzvStadtBochum[2013]ECLI:EU:C:2013:670,para40.103ibidpara55etseq,referringtoSandMarper(n62)para103.104egSandMarper(n62)para99.105Opinion1/15(n28)para150.106Coudert(n28).107art19Directive2016/680.

124

Chapter 5

necessity and proportionality assessment of the subsequent use of GDPR data and theimpactsondatasubjects.Inthenextsection,thehypothesisfollowingwhichthesubsequentuseofGDPRdatafallsoutsidethescopeofArticle4(2)ofDirective2016/680isaddressed.

Shortcomings:ConsequencesofSubsequentUsesofGDPRDataoutsidetheScopeofArticle4(2)ofDirective2016/680

Inthatsection,Article4(2)ofDirective2016/680isconsideredasapplyingexclusivelytothe further processing of personal data initially collected for one of the purposes ofDirective2016/680.This interpretation, favoured by the European Commission,108will most likely prevailamongMember States. As amatter of illustration, severalMember States have alreadydecidedtoclearuptheambiguityintheirdraftimplementinglaws.Forexample,boththeUKandtheDutchdraftlawsspecifythenatureoftheinitialpurposeofcollection.IntheUnitedKingdom, Section 34 of theData ProtectionBill defines the principle of purposelimitationandrestrictstherulesonthefurtherprocessingtopersonaldata‘collectedforalaw enforcement purpose.’109The Dutch draft law suggests a similar implementation ofArticle4(2)of theDirective since the ruleson the furtherprocessingwill only apply to‘police’data(‘politiegegevens’).110

SubsequentUseofGDPRDataas‘InitialProcessing’undertheDirective?Following the analysismade in theprevious sections, the subsequentuse ofGDPRdatafallswithintheremitofDirective2016/680butisnotexpresslyincludedintothescopeofArticle 4(2) of the Directive. In case Article 4(2) exclusively applies to the furtherprocessingofpersonaldatainitiallycollectedinalawenforcementcontext,doesitmeanthatthefurtherprocessingofGDPRdataisconsideredasinitialprocessingof‘police’dataundertheDirective?Ifso,whataretheconsequences?

Firstofall,suchaninterpretationdoesnotseemtobeinlinewiththepositionsdefendedbytheEDPSandtheA29WPonvariousoccasions.Theybothreiteratedtheimportanceoftheprincipleofpurpose limitation in scenarioswherepersonaldatawereaccessedandfurtherusedbylawenforcementauthoritiesforapurposeunrelatedtotheinitialpurpose

108See the position of the European Commission (n 49); it also seems consistent with Recital 29 of theDirective(n48).109Seesection36(1)-(3)oftheUKDataProtectionBill,22https://publications.parliament.uk/pa/bills/cbill/2017-2019/0190/18190.pdfaccessed10April2018.110 DutchDraftlaw,art3<https://www.tweedekamer.nl/kamerstukken/wetsvoorstellen/detail?cfg=wetsvoorsteldetails&qry=wetsvoorstel:34889>accessed10April2018.

114

ofcollection.111Inparticular,theyhaveissuedopinionsinthecontextofthePNRDirective,the repurposing of Eurodac data for law enforcement purposes, and during thenegotiations of the new data protection framework.112For instance, concerning theproposalforaPNRDirective,theEDPScriticizedthelackofobjectivecriteriatolimittheaccess to and the subsequent use of the PNR data by law enforcement authorities. TheEDPSfoundthatthepurposesforwhichthedatacouldbere-usedhadnotbeenpreciselyidentified.113Similar critics were formulated about the recast of the Eurodac database,originally constituted to manage asylum applications among Member States. In 2012already, the EDPS found that the extension of the scope of the database for lawenforcement purposes was ‘difficult to reconcile with the purpose limitation principle,whichisoneofthekeyprinciplesofdataprotectionlaw.’114TheEDPSalsoopinedthat‘theassessmentas to thenecessityandproportionalityof thecreationof theEurodacwouldhave been completely different if law enforcement access was envisaged from theoutset.’115Second,thisqualificationhasconsequencesonthedeterminationoftheapplicableregime.Asexplainedintheprevioussection,furtherprocessingof‘police'dataforadifferentlawenforcementpurposeissubjecttotheconditionsoflegality,necessityandproportionalityset out in Article 4(2) of the Directive. The question that arises is whether the rulesimposed on the initial processing are similar to the ones applicable to the furtherprocessing,i.e.whethertheinitialprocessingunderDirective2016/680isalsosubjecttoconditions of legality, necessity, and proportionality. The rules applicable to initialprocessingundertheDirectivearethereforeassessed.According to Article 8 of Directive 2016/680,116a processing operation is lawful if it is‘necessaryfortheperformanceofataskcarriedoutbyacompetentauthority’foroneofthepurposesof theDirectiveand ‘isbasedonUnionorState law.’An initialprocessingoperationis,thus,alsosubjecttoalegalityrequirement.Thisrequirementisunderstood

111egA29WP,Opinion 03/2013 (n 38); EDPS, ‘Opinion of the EuropeanData Protection Supervisor on theCommunication from the Commission to the European Parliament and the Council on an area of freedom,securityandjusticeservingthecitizen’[2009]OJC276/09,para41.112egEDPS,‘Opinion5/2015,SecondOpinionontheProposalforaDirectiveoftheEuropeanParliamentandof the Council on the use of Passenger Name Record data for the prevention, detection, investigation andprosecutionofterroristoffencesandseriouscrime[2015]<https://edps.europa.eu/sites/edp/files/publication/15-09-24_pnr_en.pdf>accessed10April2018.EDPS,‘Opinion07/2016,EDPSOpinionontheFirstreformpackageontheCommonEuropeanAsylumSystem(Eurodac,EASOandDublinregulations)’[2016]<https://edps.europa.eu/sites/edp/files/publication/16-09-21_ceas_opinion_en.pdf>accessed10April2016.113EDPS,Opinion5/2015(n112)paras25-27.114EDPS,‘OpinionontheamendedproposalforaRegulationoftheEuropeanParliamentandoftheCouncilontheestablishmentof ‘Eurodac’ for the comparisonof fingerprints for theeffectiveapplicationofRegulation(EU)No[…][…](Recast version) [2012], para28<https://edps.europa.eu/sites/edp/files/publication/12-09-05_eurodac_en.pdf>accessed10April2018.115ibidpara27.116art8Directive2016/680entitled‘lawfulnessofprocessing.’

125

5


necessity and proportionality assessment of the subsequent use of GDPR data and theimpactsondatasubjects.Inthenextsection,thehypothesisfollowingwhichthesubsequentuseofGDPRdatafallsoutsidethescopeofArticle4(2)ofDirective2016/680isaddressed.

Shortcomings:ConsequencesofSubsequentUsesofGDPRDataoutsidetheScopeofArticle4(2)ofDirective2016/680

Inthatsection,Article4(2)ofDirective2016/680isconsideredasapplyingexclusivelytothe further processing of personal data initially collected for one of the purposes ofDirective2016/680.This interpretation, favoured by the European Commission,108will most likely prevailamongMember States. As amatter of illustration, severalMember States have alreadydecidedtoclearuptheambiguityintheirdraftimplementinglaws.Forexample,boththeUKandtheDutchdraftlawsspecifythenatureoftheinitialpurposeofcollection.IntheUnitedKingdom, Section 34 of theData ProtectionBill defines the principle of purposelimitationandrestrictstherulesonthefurtherprocessingtopersonaldata‘collectedforalaw enforcement purpose.’109The Dutch draft law suggests a similar implementation ofArticle4(2)of theDirective since the ruleson the furtherprocessingwill only apply to‘police’data(‘politiegegevens’).110

SubsequentUseofGDPRDataas‘InitialProcessing’undertheDirective?Following the analysismade in theprevious sections, the subsequentuse ofGDPRdatafallswithintheremitofDirective2016/680butisnotexpresslyincludedintothescopeofArticle 4(2) of the Directive. In case Article 4(2) exclusively applies to the furtherprocessingofpersonaldatainitiallycollectedinalawenforcementcontext,doesitmeanthatthefurtherprocessingofGDPRdataisconsideredasinitialprocessingof‘police’dataundertheDirective?Ifso,whataretheconsequences?

Firstofall,suchaninterpretationdoesnotseemtobeinlinewiththepositionsdefendedbytheEDPSandtheA29WPonvariousoccasions.Theybothreiteratedtheimportanceoftheprincipleofpurpose limitation in scenarioswherepersonaldatawereaccessedandfurtherusedbylawenforcementauthoritiesforapurposeunrelatedtotheinitialpurpose

108See the position of the European Commission (n 49); it also seems consistent with Recital 29 of theDirective(n48).109Seesection36(1)-(3)oftheUKDataProtectionBill,22https://publications.parliament.uk/pa/bills/cbill/2017-2019/0190/18190.pdfaccessed10April2018.110 DutchDraftlaw,art3<https://www.tweedekamer.nl/kamerstukken/wetsvoorstellen/detail?cfg=wetsvoorsteldetails&qry=wetsvoorstel:34889>accessed10April2018.

114

ofcollection.111Inparticular,theyhaveissuedopinionsinthecontextofthePNRDirective,the repurposing of Eurodac data for law enforcement purposes, and during thenegotiations of the new data protection framework.112For instance, concerning theproposalforaPNRDirective,theEDPScriticizedthelackofobjectivecriteriatolimittheaccess to and the subsequent use of the PNR data by law enforcement authorities. TheEDPSfoundthatthepurposesforwhichthedatacouldbere-usedhadnotbeenpreciselyidentified.113Similar critics were formulated about the recast of the Eurodac database,originally constituted to manage asylum applications among Member States. In 2012already, the EDPS found that the extension of the scope of the database for lawenforcement purposes was ‘difficult to reconcile with the purpose limitation principle,whichisoneofthekeyprinciplesofdataprotectionlaw.’114TheEDPSalsoopinedthat‘theassessmentas to thenecessityandproportionalityof thecreationof theEurodacwouldhave been completely different if law enforcement access was envisaged from theoutset.’115Second,thisqualificationhasconsequencesonthedeterminationoftheapplicableregime.Asexplainedintheprevioussection,furtherprocessingof‘police'dataforadifferentlawenforcementpurposeissubjecttotheconditionsoflegality,necessityandproportionalityset out in Article 4(2) of the Directive. The question that arises is whether the rulesimposed on the initial processing are similar to the ones applicable to the furtherprocessing,i.e.whethertheinitialprocessingunderDirective2016/680isalsosubjecttoconditions of legality, necessity, and proportionality. The rules applicable to initialprocessingundertheDirectivearethereforeassessed.According to Article 8 of Directive 2016/680,116a processing operation is lawful if it is‘necessaryfortheperformanceofataskcarriedoutbyacompetentauthority’foroneofthepurposesof theDirectiveand ‘isbasedonUnionorState law.’An initialprocessingoperationis,thus,alsosubjecttoalegalityrequirement.Thisrequirementisunderstood

111egA29WP,Opinion 03/2013 (n 38); EDPS, ‘Opinion of the EuropeanData Protection Supervisor on theCommunication from the Commission to the European Parliament and the Council on an area of freedom,securityandjusticeservingthecitizen’[2009]OJC276/09,para41.112egEDPS,‘Opinion5/2015,SecondOpinionontheProposalforaDirectiveoftheEuropeanParliamentandof the Council on the use of Passenger Name Record data for the prevention, detection, investigation andprosecutionofterroristoffencesandseriouscrime[2015]<https://edps.europa.eu/sites/edp/files/publication/15-09-24_pnr_en.pdf>accessed10April2018.EDPS,‘Opinion07/2016,EDPSOpinionontheFirstreformpackageontheCommonEuropeanAsylumSystem(Eurodac,EASOandDublinregulations)’[2016]<https://edps.europa.eu/sites/edp/files/publication/16-09-21_ceas_opinion_en.pdf>accessed10April2016.113EDPS,Opinion5/2015(n112)paras25-27.114EDPS,‘OpinionontheamendedproposalforaRegulationoftheEuropeanParliamentandoftheCouncilontheestablishmentof ‘Eurodac’ for the comparisonof fingerprints for theeffectiveapplicationofRegulation(EU)No[…][…](Recast version) [2012], para28<https://edps.europa.eu/sites/edp/files/publication/12-09-05_eurodac_en.pdf>accessed10April2018.115ibidpara27.116art8Directive2016/680entitled‘lawfulnessofprocessing.’

126

Chapter 5

115

as interpreted by the ECtHR and the CJEU, i.e. the law must be clear, accessible andforeseeable.117Article 8 also provides for a condition of necessity.However, that condition is differentfrom the testofnecessityunderArticle4(2)ofDirective2016/680.Asobservedby theEDPS, the condition of ‘necessity’ can be a requirement for the ‘lawfulness of theprocessing’ as well as a condition applicable to the restrictions on fundamental rights.However, the two concepts of necessity are distinct.118As explained in the previoussection,theconditionofnecessityreferredtoinArticle4(2)ofDirective2016/680shouldbeinterpretedasaconditionofstrictnecessity.ThisresultsfromthecaselawoftheCJEUontheapplicationofArticle52(1)of theCharteron interferenceswith theright todataprotection.Therefore,onthenecessityrequirement,initialprocessingdoesnotseemtobesubjectedtothesametestasfurtherprocessing.AninitialprocessingoperationmustalsocomplywiththecriteriasetoutinArticle4(1)oftheDirective, i.e. thedataprotectionprinciplesapplicable toanyprocessing.Amongthedifferentprinciples,theonedescribedinArticle4(1)(c)isofparticularinterest.Itrelatesto the principle of data minimisation in the context of law enforcement. As such, itrequires the processing of personal data ‘not to be excessive in relation to [their]purposes.’ It could be argued that the provision only provides a mild obligation ofproportionality since the criterionused todetermine the amountofdata collected (‘notexcessive’)islessprecisethantherequirementofproportionalityimposedbythecourts(‘notbeyondwhat isnecessary’).Assuch, theobligationofproportionalityapplicable totheinitialprocessing[Article4(1)oftheDirective]isnotidenticaltotheoneapplicabletothefurtherprocessing[Article4(2)oftheDirective].In conclusion, the conditions of necessity and proportionality to which an initialprocessing operationwould be subject are not comparable to the conditions set out inArticle4(2)of theDirective,as interpreted in thisarticle.Likewise,an initialprocessingoperation isnotsubject to therequirementof ‘respectofessenceof theright.’Last,onemightwonderifconsideringasubsequentuseofGDPRdataasinitialprocessingof‘police’data would not impair the fundamental right to data protection since the principle ofpurposelimitationisoneofitsconstitutiveelements.119

ConsequencesonDataSubjects’RightsFinally,thereisacriticalshortcominglinkedtotheregulationofdataprocessingthroughtwodistinctinstruments.DatasubjectswhosepersonaldataarefirstcollectedforaGDPR

117Recital33Directive2016/680tobereadtogetherwithart8Directive2016/680.118EDPS,‘Developinga“Toolkit”forAssessingtheNecessityoftheMeasuresthatInterferewithFundamentalRights’(BackgroundPaperforconsultation[2016],4<https://edps.europa.eu/sites/edp/files/publication/16-06-16_necessity_paper_for_consultation_en.pdf>accessed10April2018.119art8(2)Charter.

116

purpose have specific rights attached to that processing operation.120However, if theirdata are further used in a law enforcement context, they do not benefit from the samesafeguards. In particular, they are not informed that their data have been furtherprocessed for law enforcement purposes. The nature of law enforcement activitiesobviouslyrequiressomeadjustmentsinrespectofdatasubjects’rightstoprotecton-goinginvestigationforexample.However,thecurrentrighttoinformationsetoutinArticle13ofDirective2016/680onlyimposesanobligationtomakespecific informationavailabletoindividuals.Itdoesnot,expressly,provideforanobligationtonotifyindividualsabouttheprocessingoftheirpersonaldata.Yet,accordingtotheCJEU’scaselaw,121individualswhose personal data have been accessed by law enforcement authorities should benotifiedoncetheinvestigationsareoverorcannolongerbejeopardised.Thepurposeofthenotificationistoallowindividualstoexercisetheirrighttoremedy.122One could claim that a national law that would inform individuals about the possibleaccesstoandfurtheruseoftheirpersonaldatabylawenforcementauthoritieswouldnotbesufficient in lightof theCJEU’s case law.123Transparencyaboutapossibleprocessingoperation is not the same as notification of an actual processing operation. As arguedelsewhere,124it might be necessary to interpret Article 13 of Directive 2016/680 asobligingMember States to adopt national laws to notify individuals about the access toandsubsequentuseoftheirpersonaldatabylawenforcementauthorities.Onthisspecificissue,theCouncilofEuropeseemstofollowthisapproachinits‘practicalguideintheuseofpersonaldatainthepolicesector.’125Thereportemphasizesthat

even if restrictions or derogations to the right to information were applied,information should be provided to the data subjects as soon as it no longerjeopardisesthepurposeforwhichthedatawereused.126

Last, the absence of obligation of notification is even less understandable in a situationwherethefurtherprocessingrelatestoindividualswhoarenotsuspects-butwhocanbewitnesses or victims - in the context of a criminal investigation and even more in theabsenceofanysuspectsinthecaseofcriminalsurveillance.

120arts12-20GDPR.121Tele2Sverige(n88).122Tele2Sverige(n88)para121.123Suchasnationaldataretentionlawoncommunicationsdata.124SeealsoJasserand(n29).125Consultative Committee of the Convention for the Protection of Individuals with regard to automaticprocessingofpersonaldata,‘practicalguideontheuseofpersonaldatainthepolicesector’,T-PD(2018)01,15February2018.126ibid6.

127

5


115

as interpreted by the ECtHR and the CJEU, i.e. the law must be clear, accessible andforeseeable.117Article 8 also provides for a condition of necessity.However, that condition is differentfrom the testofnecessityunderArticle4(2)ofDirective2016/680.Asobservedby theEDPS, the condition of ‘necessity’ can be a requirement for the ‘lawfulness of theprocessing’ as well as a condition applicable to the restrictions on fundamental rights.However, the two concepts of necessity are distinct.118As explained in the previoussection,theconditionofnecessityreferredtoinArticle4(2)ofDirective2016/680shouldbeinterpretedasaconditionofstrictnecessity.ThisresultsfromthecaselawoftheCJEUontheapplicationofArticle52(1)of theCharteron interferenceswith theright todataprotection.Therefore,onthenecessityrequirement,initialprocessingdoesnotseemtobesubjectedtothesametestasfurtherprocessing.AninitialprocessingoperationmustalsocomplywiththecriteriasetoutinArticle4(1)oftheDirective, i.e. thedataprotectionprinciplesapplicable toanyprocessing.Amongthedifferentprinciples,theonedescribedinArticle4(1)(c)isofparticularinterest.Itrelatesto the principle of data minimisation in the context of law enforcement. As such, itrequires the processing of personal data ‘not to be excessive in relation to [their]purposes.’ It could be argued that the provision only provides a mild obligation ofproportionality since the criterionused todetermine the amountofdata collected (‘notexcessive’)islessprecisethantherequirementofproportionalityimposedbythecourts(‘notbeyondwhat isnecessary’).Assuch, theobligationofproportionalityapplicable totheinitialprocessing[Article4(1)oftheDirective]isnotidenticaltotheoneapplicabletothefurtherprocessing[Article4(2)oftheDirective].In conclusion, the conditions of necessity and proportionality to which an initialprocessing operationwould be subject are not comparable to the conditions set out inArticle4(2)of theDirective,as interpreted in thisarticle.Likewise,an initialprocessingoperation isnotsubject to therequirementof ‘respectofessenceof theright.’Last,onemightwonderifconsideringasubsequentuseofGDPRdataasinitialprocessingof‘police’data would not impair the fundamental right to data protection since the principle ofpurposelimitationisoneofitsconstitutiveelements.119

ConsequencesonDataSubjects’RightsFinally,thereisacriticalshortcominglinkedtotheregulationofdataprocessingthroughtwodistinctinstruments.DatasubjectswhosepersonaldataarefirstcollectedforaGDPR

117Recital33Directive2016/680tobereadtogetherwithart8Directive2016/680.118EDPS,‘Developinga“Toolkit”forAssessingtheNecessityoftheMeasuresthatInterferewithFundamentalRights’(BackgroundPaperforconsultation[2016],4<https://edps.europa.eu/sites/edp/files/publication/16-06-16_necessity_paper_for_consultation_en.pdf>accessed10April2018.119art8(2)Charter.

116

purpose have specific rights attached to that processing operation.120However, if theirdata are further used in a law enforcement context, they do not benefit from the samesafeguards. In particular, they are not informed that their data have been furtherprocessed for law enforcement purposes. The nature of law enforcement activitiesobviouslyrequiressomeadjustmentsinrespectofdatasubjects’rightstoprotecton-goinginvestigationforexample.However,thecurrentrighttoinformationsetoutinArticle13ofDirective2016/680onlyimposesanobligationtomakespecific informationavailabletoindividuals.Itdoesnot,expressly,provideforanobligationtonotifyindividualsabouttheprocessingoftheirpersonaldata.Yet,accordingtotheCJEU’scaselaw,121individualswhose personal data have been accessed by law enforcement authorities should benotifiedoncetheinvestigationsareoverorcannolongerbejeopardised.Thepurposeofthenotificationistoallowindividualstoexercisetheirrighttoremedy.122One could claim that a national law that would inform individuals about the possibleaccesstoandfurtheruseoftheirpersonaldatabylawenforcementauthoritieswouldnotbesufficient in lightof theCJEU’s case law.123Transparencyaboutapossibleprocessingoperation is not the same as notification of an actual processing operation. As arguedelsewhere,124it might be necessary to interpret Article 13 of Directive 2016/680 asobligingMember States to adopt national laws to notify individuals about the access toandsubsequentuseoftheirpersonaldatabylawenforcementauthorities.Onthisspecificissue,theCouncilofEuropeseemstofollowthisapproachinits‘practicalguideintheuseofpersonaldatainthepolicesector.’125Thereportemphasizesthat

even if restrictions or derogations to the right to information were applied,information should be provided to the data subjects as soon as it no longerjeopardisesthepurposeforwhichthedatawereused.126

Last, the absence of obligation of notification is even less understandable in a situationwherethefurtherprocessingrelatestoindividualswhoarenotsuspects-butwhocanbewitnesses or victims - in the context of a criminal investigation and even more in theabsenceofanysuspectsinthecaseofcriminalsurveillance.

120arts12-20GDPR.121Tele2Sverige(n88).122Tele2Sverige(n88)para121.123Suchasnationaldataretentionlawoncommunicationsdata.124SeealsoJasserand(n29).125Consultative Committee of the Convention for the Protection of Individuals with regard to automaticprocessingofpersonaldata,‘practicalguideontheuseofpersonaldatainthepolicesector’,T-PD(2018)01,15February2018.126ibid6.

128

Chapter 5

117

ConclusionsAsdemonstratedinthisarticleandsurprisingly,theprincipleofpurposelimitationdoesnot seem to play any role in the reprocessing of GDPR data for one of the purposes ofDirective2016/680.Still, theprincipleofpurpose limitation isaconstitutiveelementofthefundamentalrighttodataprotection.Firstofall, iftheGDPRandDirective2016/680defineinidenticaltermstheprincipleofpurpose limitation, they do not provide similar rules concerning its application. Inparticular,Directive2016/680doesnotprovideanyguidanceonthenotionof‘compatibleuse’, leaving the issue up to Member States. Instead, Directive 2016/680 provides, inArticle4(2),rulesapplicabletofurtherprocessing.Intheabsenceofprecision,theserulesseem to apply irrespective of the compatibility between the initial and secondarypurposesofprocessing.Assuch,Article4(2)ofDirective2016/680canbeconstruedasanexceptiontotheprincipleofpurposelimitation.Second,thescopeoftheexceptionisnotclearlydefined.FromthewordingofArticle4(2)ofDirective2016/680, it isunclearwhether itcoversthefurtherprocessingofpersonaldatainitiallycollectedforalawenforcementpurposeorthefurtherprocessingofpersonaldatainitiallycollectedforanypurpose(whichwouldincludeGDPRdata).Building on this textual ambiguity, the article has suggested two diverging paths: theapplicationofArticle4(2)ofDirective2016/680tothesubsequentuseofGDPRdataoritsexclusive application to ‘police and criminal justice’ data. In the first hypothesis, theprincipleofpurposelimitationmightplayarole,whichneeds,however,toberedefined.Inthe second hypothesis,where the subsequent use of GDPRdatamost likely qualifies asinitialprocessingunderDirective2016/680,theprincipleofpurposelimitationdoesnotplayanyrole.Thatisproblematic.First,Directive2016/680isa‘minimumharmonisation’Directive, leaving non-harmonised areas of Directive 2016/680 to the discretion ofMember States. One could argue that the rules applicable to the further processing ofGDPRdataby lawenforcementauthoritiesaredomestic issues. Second, like theUnitedKingdomandtheNetherlands,MemberStateswillmostlikelyexcludethesubsequentuseof GDPR data for a law enforcement purpose from the scope of the provisionimplementingArticle4(2)ofDirective2016/680.Ultimately, and contrary to the European Commission’s views, not providing a specificlegalbasisforthefurtherprocessingofGDPRdatainalawenforcementcontextdoesnotavoid ‘creatingproblems’.The issue is thus left in thehandsofMemberStatesandtheirnationalcourtsuntilitgetschallengedbeforetheCJEU.

117

ConclusionsAsdemonstratedinthisarticleandsurprisingly,theprincipleofpurposelimitationdoesnot seem to play any role in the reprocessing of GDPR data for one of the purposes ofDirective2016/680.Still, theprincipleofpurpose limitation isaconstitutiveelementofthefundamentalrighttodataprotection.Firstofall, iftheGDPRandDirective2016/680defineinidenticaltermstheprincipleofpurpose limitation, they do not provide similar rules concerning its application. Inparticular,Directive2016/680doesnotprovideanyguidanceonthenotionof‘compatibleuse’, leaving the issue up to Member States. Instead, Directive 2016/680 provides, inArticle4(2),rulesapplicabletofurtherprocessing.Intheabsenceofprecision,theserulesseem to apply irrespective of the compatibility between the initial and secondarypurposesofprocessing.Assuch,Article4(2)ofDirective2016/680canbeconstruedasanexceptiontotheprincipleofpurposelimitation.Second,thescopeoftheexceptionisnotclearlydefined.FromthewordingofArticle4(2)ofDirective2016/680, it isunclearwhether itcoversthefurtherprocessingofpersonaldatainitiallycollectedforalawenforcementpurposeorthefurtherprocessingofpersonaldatainitiallycollectedforanypurpose(whichwouldincludeGDPRdata).Building on this textual ambiguity, the article has suggested two diverging paths: theapplicationofArticle4(2)ofDirective2016/680tothesubsequentuseofGDPRdataoritsexclusive application to ‘police and criminal justice’ data. In the first hypothesis, theprincipleofpurposelimitationmightplayarole,whichneeds,however,toberedefined.Inthe second hypothesis,where the subsequent use of GDPRdatamost likely qualifies asinitialprocessingunderDirective2016/680,theprincipleofpurposelimitationdoesnotplayanyrole.Thatisproblematic.First,Directive2016/680isa‘minimumharmonisation’Directive, leaving non-harmonised areas of Directive 2016/680 to the discretion ofMember States. One could argue that the rules applicable to the further processing ofGDPRdataby lawenforcementauthoritiesaredomestic issues. Second, like theUnitedKingdomandtheNetherlands,MemberStateswillmostlikelyexcludethesubsequentuseof GDPR data for a law enforcement purpose from the scope of the provisionimplementingArticle4(2)ofDirective2016/680.Ultimately, and contrary to the European Commission’s views, not providing a specificlegalbasisforthefurtherprocessingofGDPRdatainalawenforcementcontextdoesnotavoid ‘creatingproblems’.The issue is thus left in thehandsofMemberStatesandtheirnationalcourtsuntilitgetschallengedbeforetheCJEU.

Chapter 6Accountability and Mititgation of Risks

132

the principle requires data controllers to adoptappropriatetechnicalandorganisationalmeasures.Todoso,theymusttakeintoaccountthenature,scope,contextandpurposesofprocessingaswellasthepossibleriskstodatasubjects’rightsandfreedoms.Theprincipleofaccountability isnotanewconcept,but ithasbeenintroducedasanewobligationinthe data protection regulatory landscape.7It replaces the previous ‘administrativeburdens’imposedundertheDataProtectionDirective,andinparticularthecumbersomenotificationtodataprotectionauthoritiesbeforeprocessingpersonaldata.8Theprincipleofaccountabilityencompassesmorethantheprinciplesofdataprotectionby design and by default and data protection impact assessment. It also includes datasecurity, data breach notification, the recording of processing activities as well as thelogging obligation.9The purpose of this chapter is not to describe the differentcomponentsoftheprincipleofaccountability,buttofocusonthetwokeymeasuresthatareDPbDandDPIAs.10Concerningdataprotectionbydesignanddataprotectionbydefault,thechapterdoesnotdiscuss how to engineer the principles. This task is left to engineers and computerscientists. Technical experts have abundantly written on the engineering of Privacy byDesign,11a close concept that has inspired theDPbDobligations.12Leaving the technicalaspects of the concept aside, the chapter suggests some recommendations on dataprotectionpoliciesthatshouldbeadoptedbeforelawenforcementauthoritiescanfurther

reviewed and updated where necessary.’ The obligation is worded in similar terms in Art 19 Directive2016/680, except that the obligation is addressed to Member States that should impose an obligation ofaccountabilitytodatacontrollersintheirnationallegislationinapplicationoftheDirective.7ForadetailedanalysisoftheprincipleofaccountabilityundertheGDPR,seeMagdalenaBrewczyńska, ‘thePrincipleofAccountabilityintheGeneralDataProtectionRegulation:CallingtheEULegislatortoAccountforLimiting the Wording of Article 5(2) GDPR to Data Controllers' [2018] (LL.M thesis)<arno.uvt.nl/show.cgi?fid=144595> accessed 30 September 2018; see also EDPS, ‘EDPS launchesAccountability Initiative' [2016], factsheet <https://edps.europa.eu/sites/edp/files/publication/16-06-07_accountability_factsheet_en.pdf>accessed30September2018.8See arts 18 and 19 Directive 95/46/EC, aswell as the pre-GDPR area analysis of the A29WP in A29WP,‘Opinion 3/2010 on the principle of accountability' [2010]WP173, 15, and the Commission StaffWorkingPaper,ImpactAssessmentAccompanyingtheproposalsforaRegulationandaDirective,SEC(2012)72final[2012],79.9See for instance, section ‘Accountability and Governance’ in ICO, ‘Guide to the General Data ProtectionRegulation (GDPR)’ <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/>accessed30December2018.10TheA29WPdescribesDPIAsas ‘akeyaccountabilitytool’ inA29WP, ‘GuidelinesonAutomatedIndividualDecision-MakingandProfiling for thePurposesofRegulation2016/679’ [2018]WP251rev.01,29; and theEDPSviews‘privacybydesign[as]anelementofaccountability’inEDPS,‘OpinionontheCommunicationfromthe Commission to the European Parliament, the Council, the Economic and Social Committee and theCommitteeof theRegions–Acomprehensiveapproachonpersonaldataprotection in theEuropeanUnion’[2011],para108.11On engineering privacy by design, see for example ENISA ‘Privacy and Data Protection by Design- fromprivacy to engineering’ (Report 2014) <https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design>accessedon30September2018;seealsoSedaGürses,CarmelaTroncosoandClaudiaDiaz‘EngineeringPrivacybyDesign’(2011),paperpresentedattheComputers,PrivacyandDataProtectionConference; Jaap-HenkHoepman, ‘PrivacyDesignStrategies’,Proceedings ICTSystemsSecurityandPrivacyProtection- 29th IFIP TC 11 International Information Security Conference (SEC 2014)<https://hal.inria.fr/hal-01370395/document>accessedon30September2018.12Accordingtosomescholars,forinstance,LuizCostaandYvesPoullet,‘PrivacyandtheRegulationof2012’(2012)28(3)ComputerLaw&SecurityReview254,260.

Chapter6:AccountabilityandMitigationofRisks

Through the Use of Data Protection Impact Assessment and Data Protection byDesignandbyDefaultMeasuresAbstract:The new data protection framework imposes an obligation of accountability to datacontrollers,who are responsible for theway theymanage the personal data they process.Underthisobligation,datacontrollersneedtodemonstratetheircompliancewiththedataprotection rules. Both the GDPR and Directive 2016/680 provide tools to ‘implement' theaccountabilityprinciple.Thosetoolsare,inparticular,thedataprotectionbydesignandbydefault measures (DPbD) and the data protection impact assessment mechanism (DPIA).This chapter describes the tools and analyses how they could be used to protect theindividuals’righttodataprotectioninthescenarioofre-useofGDPRbiometricdataforoneofthelawenforcementpurposescoveredbythe‘police’Directive.

IntroductionThenewdataprotection frameworkhas introducedtheprinciplesofDataProtectionbyDesignandbyDefault(DPbD)1andDataProtectionImpactAssessment(DPIA)mechanismin theGDPRand the ‘police’Directive.2Thesemeasuresarepartof thedata controller’saccountability and serve as safeguards to protect individuals’ rights and freedoms(including the rights to data protection and privacy).3The term ‘accountability’ ismentionedinArticle5(2)GDPRdescribingthedataprotectionprinciplesapplicabletotheprocessingofdata,and inrecitalsofboth theGDPRand the ‘police’Directive.4Althoughthe term does not appear elsewhere, several authors have linked the obligation ofaccountabilitytoArticle24GDPR(‘responsibilityofthecontroller')andArticle19ofthe‘police'Directive(‘obligationsofthecontroller').5Similarlywordedinbothinstruments,6

1Recital78andart25GDPR,andRecital53andart20Directive2016/680.2Recital84andart35GDPR,aswellasRecital58andart27Directive2016/680.3Seeinparticular,EDPS,‘Opinion05/2018,PreliminaryOpiniononPrivacybyDesign’[2018],8;andA29WP,‘GuidelinesonDataProtection ImpactAssessment (DPIA)anddeterminingwhetherprocessing is ' likely toresultinahighrisk'forthepurposesofRegulation2016/679’[2017]WP248rev.01,4[GuidelinesonDPIAs].4Recital85GDPRandRecital61Directive2016/680.5Evenifthetwoarticlesdonotmentiontheterm‘accountability,theprovisionsareanalysedasdescribingthecontentof theprinciple;seeanalysisby JamesXDempsey,FredHCate,andMartinAbrams, ‘OrganizationalAccountability, Government Use of Private-Sector Data, National Security, and Individual Privacy’, ch 15 inFred Cate and James X Dempsey (eds),BulkCollection:SystematicGovernmentAccesstoPrivate-SectorData(OUP2017)311.6art24(1)GDPRreadsasfollows:‘Takingintoaccountthenature,scope,contextandpurposesofprocessingas well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, thecontroller shall implement appropriate technical and organisationalmeasures to ensure and to be able todemonstrate that processing is performed in accordance with this Regulation. Those measures shall be

133

6

Accountability and Mititgation of Risks

the principle requires data controllers to adoptappropriatetechnicalandorganisationalmeasures.Todoso,theymusttakeintoaccountthenature,scope,contextandpurposesofprocessingaswellasthepossibleriskstodatasubjects’rightsandfreedoms.Theprincipleofaccountability isnotanewconcept,but ithasbeenintroducedasanewobligationinthe data protection regulatory landscape.7It replaces the previous ‘administrativeburdens’imposedundertheDataProtectionDirective,andinparticularthecumbersomenotificationtodataprotectionauthoritiesbeforeprocessingpersonaldata.8Theprincipleofaccountabilityencompassesmorethantheprinciplesofdataprotectionby design and by default and data protection impact assessment. It also includes datasecurity, data breach notification, the recording of processing activities as well as thelogging obligation.9The purpose of this chapter is not to describe the differentcomponentsoftheprincipleofaccountability,buttofocusonthetwokeymeasuresthatareDPbDandDPIAs.10Concerningdataprotectionbydesignanddataprotectionbydefault,thechapterdoesnotdiscuss how to engineer the principles. This task is left to engineers and computerscientists. Technical experts have abundantly written on the engineering of Privacy byDesign,11a close concept that has inspired theDPbDobligations.12Leaving the technicalaspects of the concept aside, the chapter suggests some recommendations on dataprotectionpoliciesthatshouldbeadoptedbeforelawenforcementauthoritiescanfurther

reviewed and updated where necessary.’ The obligation is worded in similar terms in Art 19 Directive2016/680, except that the obligation is addressed to Member States that should impose an obligation ofaccountabilitytodatacontrollersintheirnationallegislationinapplicationoftheDirective.7ForadetailedanalysisoftheprincipleofaccountabilityundertheGDPR,seeMagdalenaBrewczyńska, ‘thePrincipleofAccountabilityintheGeneralDataProtectionRegulation:CallingtheEULegislatortoAccountforLimiting the Wording of Article 5(2) GDPR to Data Controllers' [2018] (LL.M thesis)<arno.uvt.nl/show.cgi?fid=144595> accessed 30 September 2018; see also EDPS, ‘EDPS launchesAccountability Initiative' [2016], factsheet <https://edps.europa.eu/sites/edp/files/publication/16-06-07_accountability_factsheet_en.pdf>accessed30September2018.8See arts 18 and 19 Directive 95/46/EC, aswell as the pre-GDPR area analysis of the A29WP in A29WP,‘Opinion 3/2010 on the principle of accountability' [2010]WP173, 15, and the Commission StaffWorkingPaper,ImpactAssessmentAccompanyingtheproposalsforaRegulationandaDirective,SEC(2012)72final[2012],79.9See for instance, section ‘Accountability and Governance’ in ICO, ‘Guide to the General Data ProtectionRegulation (GDPR)’ <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/>accessed30December2018.10TheA29WPdescribesDPIAsas ‘akeyaccountabilitytool’ inA29WP, ‘GuidelinesonAutomatedIndividualDecision-MakingandProfiling for thePurposesofRegulation2016/679’ [2018]WP251rev.01,29; and theEDPSviews‘privacybydesign[as]anelementofaccountability’inEDPS,‘OpinionontheCommunicationfromthe Commission to the European Parliament, the Council, the Economic and Social Committee and theCommitteeof theRegions–Acomprehensiveapproachonpersonaldataprotection in theEuropeanUnion’[2011],para108.11On engineering privacy by design, see for example ENISA ‘Privacy and Data Protection by Design- fromprivacy to engineering’ (Report 2014) <https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design>accessedon30September2018;seealsoSedaGürses,CarmelaTroncosoandClaudiaDiaz‘EngineeringPrivacybyDesign’(2011),paperpresentedattheComputers,PrivacyandDataProtectionConference; Jaap-HenkHoepman, ‘PrivacyDesignStrategies’,Proceedings ICTSystemsSecurityandPrivacyProtection- 29th IFIP TC 11 International Information Security Conference (SEC 2014)<https://hal.inria.fr/hal-01370395/document>accessedon30September2018.12Accordingtosomescholars,forinstance,LuizCostaandYvesPoullet,‘PrivacyandtheRegulationof2012’(2012)28(3)ComputerLaw&SecurityReview254,260.

Chapter6:AccountabilityandMitigationofRisks

Through the Use of Data Protection Impact Assessment and Data Protection byDesignandbyDefaultMeasuresAbstract:The new data protection framework imposes an obligation of accountability to datacontrollers,who are responsible for theway theymanage the personal data they process.Underthisobligation,datacontrollersneedtodemonstratetheircompliancewiththedataprotection rules. Both the GDPR and Directive 2016/680 provide tools to ‘implement' theaccountabilityprinciple.Thosetoolsare,inparticular,thedataprotectionbydesignandbydefault measures (DPbD) and the data protection impact assessment mechanism (DPIA).This chapter describes the tools and analyses how they could be used to protect theindividuals’righttodataprotectioninthescenarioofre-useofGDPRbiometricdataforoneofthelawenforcementpurposescoveredbythe‘police’Directive.

IntroductionThenewdataprotection frameworkhas introducedtheprinciplesofDataProtectionbyDesignandbyDefault(DPbD)1andDataProtectionImpactAssessment(DPIA)mechanismin theGDPRand the ‘police’Directive.2Thesemeasuresarepartof thedata controller’saccountability and serve as safeguards to protect individuals’ rights and freedoms(including the rights to data protection and privacy).3The term ‘accountability’ ismentionedinArticle5(2)GDPRdescribingthedataprotectionprinciplesapplicabletotheprocessingofdata,and inrecitalsofboth theGDPRand the ‘police’Directive.4Althoughthe term does not appear elsewhere, several authors have linked the obligation ofaccountabilitytoArticle24GDPR(‘responsibilityofthecontroller')andArticle19ofthe‘police'Directive(‘obligationsofthecontroller').5Similarlywordedinbothinstruments,6

1Recital78andart25GDPR,andRecital53andart20Directive2016/680.2Recital84andart35GDPR,aswellasRecital58andart27Directive2016/680.3Seeinparticular,EDPS,‘Opinion05/2018,PreliminaryOpiniononPrivacybyDesign’[2018],8;andA29WP,‘GuidelinesonDataProtection ImpactAssessment (DPIA)anddeterminingwhetherprocessing is ' likely toresultinahighrisk'forthepurposesofRegulation2016/679’[2017]WP248rev.01,4[GuidelinesonDPIAs].4Recital85GDPRandRecital61Directive2016/680.5Evenifthetwoarticlesdonotmentiontheterm‘accountability,theprovisionsareanalysedasdescribingthecontentof theprinciple;seeanalysisby JamesXDempsey,FredHCate,andMartinAbrams, ‘OrganizationalAccountability, Government Use of Private-Sector Data, National Security, and Individual Privacy’, ch 15 inFred Cate and James X Dempsey (eds),BulkCollection:SystematicGovernmentAccesstoPrivate-SectorData(OUP2017)311.6art24(1)GDPRreadsasfollows:‘Takingintoaccountthenature,scope,contextandpurposesofprocessingas well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, thecontroller shall implement appropriate technical and organisationalmeasures to ensure and to be able todemonstrate that processing is performed in accordance with this Regulation. Those measures shall be

134

Chapter 6

process biometric data originating from private parties. A part of the section on dataprotection by design and by default is based on a conference paper discussing therelationship between the concept of Privacy by Design and the principle of purposelimitationinthepre-GDPRarea.13Lastbutnot least,sincetheliteratureonthetopic inthefieldof lawenforcementisstillscarce14andtheobligationsarewordedinsimilartermsinbothinstruments,thischapterbuilds on the analysis of the GDPR rules and their doctrinal interpretation.15However,ultimately,therecommendationsareonlyprovidedforthereprocessingofbiometricdatainalawenforcementcontext.Against this background, Section II analyses the principles of data protection by designandbydefault,whileSectionIIIfocusesontheDPIAmechanism.Finally,SectionIVofferssomerecommendationsontheapplicationofthemeasurestothesubsequentuseofGDPRbiometricdatabylawenforcementauthorities.

DataProtectionbyDesignandDataProtectionbyDefault:OverarchingObligations

Data protection by design and data protection by default are two legal requirementsintroducedbyArticle25GDPRandArticle20ofDirective2016/680.Dataprotectionbydesignrequiresthatdatacontrollersimplementtechnicalandorganisationalmeasurestomanage personal data and protect individuals’ rights (including, but not limited to theright to data protection). The obligation must be implemented before and during theprocessing operations. Data protection by default is conceived as a separate obligation,which focuseson the implementationof theprincipleofdataminimisation.This sectionexplains the origin of the requirements through their link to the concept of Privacy byDesign and discusses how data protection principles – in particular, the principle ofpurposelimitation-couldbeimplementedbeforepersonaldataarereprocessedforalawenforcementpurpose.

13Catherine Jasserand, ‘Legal Perspectives on the Difficult Relationship between the Concept of Privacy byDesign and the Principle of Purpose Limitation at European Level' Conference Paper (Amsterdam PrivacyConference2015).14One shouldmention a Project Deliverable on DPIAs in the field of law enforcement, see Eva Schlehahn,Thomas Marquenie, and Els Kindt, ‘Data Protection Impact Assessments (DPIAs) in the Law EnforcementSectoraccording toDirective(EU)2016/680-AComparativeAnalysisofMethodologies’ (2016)Deliverablefor the VALCRI project (Visual Analytics for Sense-Making in Criminal Intelligence Analysis)<http://valcri.org/our-content/uploads/2018/06/VALCRI-DPIA-Guidelines-Methodological-Comparison.pdf>accessed30December2018;itshouldbeobservedthatthemethodologiesreviewedareallbasedontheGDPRregime.15The literature on GDPR provisions is already abundant; to name a few scholars, see for instance, LinaJasmontaiteetal,‘DataProtectionbyDesignandbyDefault:FramingGuidingPrinciplesintoLegalObligationsin theGDPR’(2018)4(2)EDPL168;RaphaëlGellert, ‘Understanding theNotionofRisk in theGeneralDataProtection Regulation’ (2018) 34(2) Computer Law and Security Review 279; Dariusz Kloza et al, ‘DataProtectionImpactAssessmentsintheEuropeanUnion:ComplementingtheNewLegalFrameworkTowardsaMore Robust Protection of Individuals’ (2017) d.pia.lab Policy Brief No. 1/2017<https://cris.vub.be/files/32009890/dpialab_pb2017_1_final.pdf>accessed30September2018.

121

BuildingontheConceptofPrivacybyDesign?Accordingtosomeauthors,16dataprotectionbydesignanddataprotectionbydesignhavebeeninspiredbyPrivacybyDesign.Iftheconceptsarerelated,theyarealsodistinct.

PrivacybyDesignThere isnot a singledefinitionor approach to the conceptof ‘PrivacybyDesign.’ SomeauthorshavelinkedthenotiontoPrivacy-EnhancingTechnologies(PETs),17totheethicalconcept of ‘value-sensitive design’18- implying that human values should be taken intoaccountinthedesignoftechnologies-ortoLaurenceLessig’sconceptof ‘codeaslaw.’19Theconceptcanthustakemanyformsandhavedifferentmeanings.However,fromalegalandpolicyperspective,oneapproachhasdominated.Inthe90s,theformerInformationandPrivacyCommissionerofOntario,AnnCavoukian,popularised the termanddevelopedapolicy conceptaround7foundationalprinciples.20TheideabehindPrivacybyDesignistotakeintoaccountprivacyissues-understoodasissuesrelatingtothemanagementofpersonaldata-fromthedesignphaseofaproduct,system,orservice,toitsdeploymentanduse.Endorsedbydataprotectionauthoritiesatinternational level,21this approach was, however, harshly criticised for not beingoperational and implementable.22As analysed by Rubinstein and Good, Cavoukianpublished numerous papers on the application of Privacy by Design (including tobiometric systems), but she did not translate the principles into an engineeringapproach.23To address this issue, several computer scientists suggested differentstrategiesandmethodsengineeringtheconcept.24According to the European Network and Information Security Agency (ENISA), themeaningoftheconceptdependsonitscontextofuse.Itreferstoa‘general’principleinalegalcontext,whileitmeansPrivacy-EnhancingTechnologiesinascientificcontext(such

16Inparticular,CostaandPoullet(n12).17SeeEnterprisePrivacyGroup,‘PrivacybyDesign:AnOverviewofPrivacyEnhancingTechnologies’(2008)<http://www.dsp.utoronto.ca/projects/surveillance/docs/pbd_pets_paper.pdf>accessed30December2018.18See in particular, the application of value sensitive design to technology design by Friedman in BatyaFriedman,‘ValueSensitiveDesign’(1996)Interactions(November-DecemberIssue).19LawrenceLessig,‘Code,Version2.0’(BasicBooks,2006);ontheoriginsofPbD,seeDemetriusKlitou,‘TheValue,RoleandChallengesofPrivacybyDesign’ch9inPrivacy-InvadingTechnologiesandPrivacybyDesign:SafeguardingPrivacy,LibertyandSecurityinthe21stCentury(T.M.CAsserPress2014).20The7foundationalprinciplesare(1)ProactivenotReactive,PreventativenotRemedial,(2)PrivacyastheDefault Setting, (3) PrivacyEmbedded intoDesign, (4) Full Functionality - Positive-Sum, not Zero-Sum, (5)End-to-EndSecurity–FullLifecycleProtection,(6)VisibilityandTransparency-KeepitOpen,and(7)RespectforUserPrivacy-KeepitUser-Centric<https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf>accessed30September2018.2132nd International Conference of Data Protection and Privacy Commissioners, ‘Resolution on Privacy byDesign’Jerusalem,Israel,27-29October2010[2010]<https://icdppc.org/wp-content/uploads/2015/02/32-Conference-Israel-resolution-on-Privacy-by-Design.pdf>accessed30September2018.22Gürses,TroncosoandDiaz(n11);IraRubinsteinandNathanielGood,‘PrivacybyDesign:ACounterfactualAnalysisofGoogleandFacebookPrivacyIncidents'(2013)28BerkeleyTechnologyLawJournal1133.23RubinsteinandGood(n20)1338,fn15.24ibid;seealsoENISA(n11).

135

6


process biometric data originating from private parties. A part of the section on dataprotection by design and by default is based on a conference paper discussing therelationship between the concept of Privacy by Design and the principle of purposelimitationinthepre-GDPRarea.13Lastbutnot least,sincetheliteratureonthetopic inthefieldof lawenforcementisstillscarce14andtheobligationsarewordedinsimilartermsinbothinstruments,thischapterbuilds on the analysis of the GDPR rules and their doctrinal interpretation.15However,ultimately,therecommendationsareonlyprovidedforthereprocessingofbiometricdatainalawenforcementcontext.Against this background, Section II analyses the principles of data protection by designandbydefault,whileSectionIIIfocusesontheDPIAmechanism.Finally,SectionIVofferssomerecommendationsontheapplicationofthemeasurestothesubsequentuseofGDPRbiometricdatabylawenforcementauthorities.

DataProtectionbyDesignandDataProtectionbyDefault:OverarchingObligations

Data protection by design and data protection by default are two legal requirementsintroducedbyArticle25GDPRandArticle20ofDirective2016/680.Dataprotectionbydesignrequiresthatdatacontrollersimplementtechnicalandorganisationalmeasurestomanage personal data and protect individuals’ rights (including, but not limited to theright to data protection). The obligation must be implemented before and during theprocessing operations. Data protection by default is conceived as a separate obligation,which focuseson the implementationof theprincipleofdataminimisation.This sectionexplains the origin of the requirements through their link to the concept of Privacy byDesign and discusses how data protection principles – in particular, the principle ofpurposelimitation-couldbeimplementedbeforepersonaldataarereprocessedforalawenforcementpurpose.

13Catherine Jasserand, ‘Legal Perspectives on the Difficult Relationship between the Concept of Privacy byDesign and the Principle of Purpose Limitation at European Level' Conference Paper (Amsterdam PrivacyConference2015).14One shouldmention a Project Deliverable on DPIAs in the field of law enforcement, see Eva Schlehahn,Thomas Marquenie, and Els Kindt, ‘Data Protection Impact Assessments (DPIAs) in the Law EnforcementSectoraccording toDirective(EU)2016/680-AComparativeAnalysisofMethodologies’ (2016)Deliverablefor the VALCRI project (Visual Analytics for Sense-Making in Criminal Intelligence Analysis)<http://valcri.org/our-content/uploads/2018/06/VALCRI-DPIA-Guidelines-Methodological-Comparison.pdf>accessed30December2018;itshouldbeobservedthatthemethodologiesreviewedareallbasedontheGDPRregime.15The literature on GDPR provisions is already abundant; to name a few scholars, see for instance, LinaJasmontaiteetal,‘DataProtectionbyDesignandbyDefault:FramingGuidingPrinciplesintoLegalObligationsin theGDPR’(2018)4(2)EDPL168;RaphaëlGellert, ‘Understanding theNotionofRisk in theGeneralDataProtection Regulation’ (2018) 34(2) Computer Law and Security Review 279; Dariusz Kloza et al, ‘DataProtectionImpactAssessmentsintheEuropeanUnion:ComplementingtheNewLegalFrameworkTowardsaMore Robust Protection of Individuals’ (2017) d.pia.lab Policy Brief No. 1/2017<https://cris.vub.be/files/32009890/dpialab_pb2017_1_final.pdf>accessed30September2018.

121

BuildingontheConceptofPrivacybyDesign?Accordingtosomeauthors,16dataprotectionbydesignanddataprotectionbydesignhavebeeninspiredbyPrivacybyDesign.Iftheconceptsarerelated,theyarealsodistinct.

PrivacybyDesignThere isnot a singledefinitionor approach to the conceptof ‘PrivacybyDesign.’ SomeauthorshavelinkedthenotiontoPrivacy-EnhancingTechnologies(PETs),17totheethicalconcept of ‘value-sensitive design’18- implying that human values should be taken intoaccountinthedesignoftechnologies-ortoLaurenceLessig’sconceptof ‘codeaslaw.’19Theconceptcanthustakemanyformsandhavedifferentmeanings.However,fromalegalandpolicyperspective,oneapproachhasdominated.Inthe90s,theformerInformationandPrivacyCommissionerofOntario,AnnCavoukian,popularised the termanddevelopedapolicy conceptaround7foundationalprinciples.20TheideabehindPrivacybyDesignistotakeintoaccountprivacyissues-understoodasissuesrelatingtothemanagementofpersonaldata-fromthedesignphaseofaproduct,system,orservice,toitsdeploymentanduse.Endorsedbydataprotectionauthoritiesatinternational level,21this approach was, however, harshly criticised for not beingoperational and implementable.22As analysed by Rubinstein and Good, Cavoukianpublished numerous papers on the application of Privacy by Design (including tobiometric systems), but she did not translate the principles into an engineeringapproach.23To address this issue, several computer scientists suggested differentstrategiesandmethodsengineeringtheconcept.24According to the European Network and Information Security Agency (ENISA), themeaningoftheconceptdependsonitscontextofuse.Itreferstoa‘general’principleinalegalcontext,whileitmeansPrivacy-EnhancingTechnologiesinascientificcontext(such

16Inparticular,CostaandPoullet(n12).17SeeEnterprisePrivacyGroup,‘PrivacybyDesign:AnOverviewofPrivacyEnhancingTechnologies’(2008)<http://www.dsp.utoronto.ca/projects/surveillance/docs/pbd_pets_paper.pdf>accessed30December2018.18See in particular, the application of value sensitive design to technology design by Friedman in BatyaFriedman,‘ValueSensitiveDesign’(1996)Interactions(November-DecemberIssue).19LawrenceLessig,‘Code,Version2.0’(BasicBooks,2006);ontheoriginsofPbD,seeDemetriusKlitou,‘TheValue,RoleandChallengesofPrivacybyDesign’ch9inPrivacy-InvadingTechnologiesandPrivacybyDesign:SafeguardingPrivacy,LibertyandSecurityinthe21stCentury(T.M.CAsserPress2014).20The7foundationalprinciplesare(1)ProactivenotReactive,PreventativenotRemedial,(2)PrivacyastheDefault Setting, (3) PrivacyEmbedded intoDesign, (4) Full Functionality - Positive-Sum, not Zero-Sum, (5)End-to-EndSecurity–FullLifecycleProtection,(6)VisibilityandTransparency-KeepitOpen,and(7)RespectforUserPrivacy-KeepitUser-Centric<https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf>accessed30September2018.2132nd International Conference of Data Protection and Privacy Commissioners, ‘Resolution on Privacy byDesign’Jerusalem,Israel,27-29October2010[2010]<https://icdppc.org/wp-content/uploads/2015/02/32-Conference-Israel-resolution-on-Privacy-by-Design.pdf>accessed30September2018.22Gürses,TroncosoandDiaz(n11);IraRubinsteinandNathanielGood,‘PrivacybyDesign:ACounterfactualAnalysisofGoogleandFacebookPrivacyIncidents'(2013)28BerkeleyTechnologyLawJournal1133.23RubinsteinandGood(n20)1338,fn15.24ibid;seealsoENISA(n11).

136

Chapter 6

122

as computer sciences).25Regardlessof itsoriginandexactmeaning, the ideabehind theconcept is to ‘build-in’, ‘integrate’, ‘embed’ or ‘incorporate’ data protection or privacyprinciplesinproducts,services,businesspracticesandpolicies.26IntheEUdataprotectionframework,theconcepthasnotbeenintroducedas‘PrivacybyDesign’butas‘DataProtectionbyDesignandbyDefault.’27Beyondtheterminology,therearedifferencesbetweenthetwonotions.

TheConceptinEUDataProtectionLegislationMuchbeforetheformalintroductionoftheconceptintheEUdataprotectionframework,referencestothenotioncouldbefoundinRecital46andArticle17oftheDataProtectionDirective.28Limited to securitymeasures and IT systems, both provisions required datacontrollersto‘implementappropriatetechnicalandorganisationalmeasures’29atthetimeof‘thedesignoftheprocessingsystemand(…)oftheprocessingitself.’30The term ‘Privacy by Design’ is not used in the data protection framework, nor was itintroducedinthelegislativeproposalsofthenewrules.Theconceptisreplacedinsteadbythe obligations of ‘data protection by design’ and ‘data protection by default.’31Someauthors consider the notions of ‘Privacy by Design’ and ‘Data Protection by Design’ asbeing synonymous,32whereas others distinguish them.33For instance, according to

25ENISA(n11)3-7.26egEuropeanCommission,Communication fromtheCommission to theEuropeanParliament, theCouncil,theEconomicandSocialCommitteeoftheRegions:AComprehensiveApproachtoPersonalDataProtectionintheEuropeanUnion’COM(2010)609 final [2010]12,n30where theCommissionmadea reference to itscommunicationonPETs (COM(2007)228)and stated that ‘theprincipleof ‘PrivacybyDesign’means thatprivacy and data protection are embedded throughout the entire life cycle of technologies, from the earlydesign stage to their deployment, use and ultimate disposal’ (emphasis added); see also Ann Cavoukiandefining ‘Privacy by Design’ as ‘an approach to protecting privacy by embedding it into the designspecificationsofinformationtechnologies,accountablebusinesspractices,andnetworkinfrastructures’inAnnCavoukian,‘PrivacybyDesigninLaw,PolicyandPractice,AWhitePaperforRegulators,Decision-MakersandPolicy-Makers’(2011)3<http://www.ontla.on.ca/library/repository/mon/25008/312239.pdf>accessed30November2018.27TitleofbothArt25GDPRandArt20Directive2016/680.28PeterSchaar,‘PrivacybyDesign’(2010)2(3)IdentityintheInformationSociety267.29art17(1)oftheDataProtectionDirectivereadsasfollows:‘Member States shall provide that the controllermust implement appropriate technical and organisationalmeasures to protect personal data against accidental or unlawful destruction or accidental loss, alteration,unauthoriseddisclosureoraccess,inparticularwheretheprocessinginvolvesthetransmissionofdataoveranetwork,andagainstallotherunlawfulformsofprocessing.’30Recital46oftheDataProtectionDirectivereadsasfollows:‘Whereastheprotectionoftherightsandfreedomsofdatasubjectswithregardtotheprocessingofpersonaldatarequiresthatappropriatetechnicalandorganisationalmeasuresbetaken,bothatthetimeofthedesignoftheprocessingsystemandatthetimeoftheprocessingitself,particularlyinordertomaintainsecurityandtherebytopreventunauthorisedprocessing(…).’31art25GDPRandart20Directive2016/680.32egENISA(n11).33CostaandPoullet(n12)askwhether‘thechangefromPbDtoDataProtectionbyDesign[is]aspecializationof meaning or [whether] the expressions [should] be considered as synonyms’ (p. 260); Kung writes that‘Privacy-by-Design (PbD) focuses on requirements and measures that take into account the respect ofindividuals’ privacy, while data protection by design focuses on requirements and measures to protectpersonaldata’ inAntonioKung, ‘PEARS:PrivacyEnhancingArchitectures’ inBartPreneelandDemosthenesIkonomou(eds),PrivacyTechnologiesandPolicies(Springer2014)18;seealsoJasmontaiteetal(n15)wheretheauthorsclearlydistinguishthetwoconcepts.

Hansen, the expression ‘data protection by design and by default’ hasmost likely beenintroducedinthenewdataprotectionrulestoreflectthefieldofrevision.34However,asexplained in the next subsection, data protection by design (and by default) is not themereimplementationoftheconceptofPrivacybyDesigninthedataprotectionfield.Theprinciplesof‘dataprotectionbydesign’and‘dataprotectionbydefault’aredescribedintheGDPRandDirective2016/680asfollows:35

1.Takingintoaccountthestateoftheart,thecostofimplementationandthenature,scope,contextandpurposesofprocessingaswellastherisksofvaryinglikelihoodandseverity for rights and freedoms of natural persons posed by the processing, thecontrollershall,bothatthetimeofthedeterminationofthemeansforprocessingandat the time of the processing itself, implement appropriate technical andorganisationalmeasures,suchaspseudonymisation,whicharedesignedtoimplementdata-protectionprinciples, such as dataminimisation, in an effectivemanner and tointegrate the necessary safeguards into the processing in order to meet therequirements of this Regulation [/Directive] and protect the rights of data subjects.[‘DataProtectionbyDesign’]

2.Thecontrollershall implementappropriatetechnicalandorganisationalmeasuresforensuringthat,bydefault,onlypersonaldatawhicharenecessaryforeachspecificpurpose of the processing are processed. That obligation applies to the amount ofpersonaldatacollected,theextentoftheirprocessing,theperiodoftheirstorageandtheiraccessibility. Inparticular, suchmeasuresshallensure thatbydefaultpersonaldata are not made accessible without the individual’s intervention to an indefinitenumberofnaturalpersons.[‘DataProtectionbyDefault’](…)

Inspiredby,butDifferentfrom,PrivacybyDesign

Like Privacy by Design, data protection by design requires to take into account dataprotectionprinciplesfromtheconceptionofthedesigntothedeploymentanduseoftheservicesorproducts.Asfordataprotectionbydefault,theprinciplehasbeendraftedasaseparate obligation from data protection by design. This distinction constitutes adifferencewiththeconceptofPrivacybyDesign-asconceptualisedbyCavoukian-wherePrivacybyDefaultisoneoftheelementsoftheconcept.AsanalysedbyJasmontaiteetal.,in the EU data protection framework, dataprotectionbydesign covers ‘the design andexistence of embedded safeguards andmechanisms’ whereas dataprotectionbydefault

34Marit Hansen, ‘Data Protection by Default in Identity-Related Applications,’ in Simone Fischer-Hübner,ElisabethdeLeeuw,andChrisMitchell(eds),PoliciesandResearchinIdentityManagement(Springer2013)4.35art25GDPRandart20Directive2016/680;theobligationsintheDirectiveareaddressedtoMemberStatesthatmustimposeanobligationofdataprotectionbydesignandbydefaulttodatacontrollersthroughtheirnationallegislation.

137

6


122

as computer sciences).25Regardlessof itsoriginandexactmeaning, the ideabehind theconcept is to ‘build-in’, ‘integrate’, ‘embed’ or ‘incorporate’ data protection or privacyprinciplesinproducts,services,businesspracticesandpolicies.26IntheEUdataprotectionframework,theconcepthasnotbeenintroducedas‘PrivacybyDesign’butas‘DataProtectionbyDesignandbyDefault.’27Beyondtheterminology,therearedifferencesbetweenthetwonotions.

TheConceptinEUDataProtectionLegislationMuchbeforetheformalintroductionoftheconceptintheEUdataprotectionframework,referencestothenotioncouldbefoundinRecital46andArticle17oftheDataProtectionDirective.28Limited to securitymeasures and IT systems, both provisions required datacontrollersto‘implementappropriatetechnicalandorganisationalmeasures’29atthetimeof‘thedesignoftheprocessingsystemand(…)oftheprocessingitself.’30The term ‘Privacy by Design’ is not used in the data protection framework, nor was itintroducedinthelegislativeproposalsofthenewrules.Theconceptisreplacedinsteadbythe obligations of ‘data protection by design’ and ‘data protection by default.’31Someauthors consider the notions of ‘Privacy by Design’ and ‘Data Protection by Design’ asbeing synonymous,32whereas others distinguish them.33For instance, according to

25ENISA(n11)3-7.26egEuropeanCommission,Communication fromtheCommission to theEuropeanParliament, theCouncil,theEconomicandSocialCommitteeoftheRegions:AComprehensiveApproachtoPersonalDataProtectionintheEuropeanUnion’COM(2010)609 final [2010]12,n30where theCommissionmadea reference to itscommunicationonPETs (COM(2007)228)and stated that ‘theprincipleof ‘PrivacybyDesign’means thatprivacy and data protection are embedded throughout the entire life cycle of technologies, from the earlydesign stage to their deployment, use and ultimate disposal’ (emphasis added); see also Ann Cavoukiandefining ‘Privacy by Design’ as ‘an approach to protecting privacy by embedding it into the designspecificationsofinformationtechnologies,accountablebusinesspractices,andnetworkinfrastructures’inAnnCavoukian,‘PrivacybyDesigninLaw,PolicyandPractice,AWhitePaperforRegulators,Decision-MakersandPolicy-Makers’(2011)3<http://www.ontla.on.ca/library/repository/mon/25008/312239.pdf>accessed30November2018.27TitleofbothArt25GDPRandArt20Directive2016/680.28PeterSchaar,‘PrivacybyDesign’(2010)2(3)IdentityintheInformationSociety267.29art17(1)oftheDataProtectionDirectivereadsasfollows:‘Member States shall provide that the controllermust implement appropriate technical and organisationalmeasures to protect personal data against accidental or unlawful destruction or accidental loss, alteration,unauthoriseddisclosureoraccess,inparticularwheretheprocessinginvolvesthetransmissionofdataoveranetwork,andagainstallotherunlawfulformsofprocessing.’30Recital46oftheDataProtectionDirectivereadsasfollows:‘Whereastheprotectionoftherightsandfreedomsofdatasubjectswithregardtotheprocessingofpersonaldatarequiresthatappropriatetechnicalandorganisationalmeasuresbetaken,bothatthetimeofthedesignoftheprocessingsystemandatthetimeoftheprocessingitself,particularlyinordertomaintainsecurityandtherebytopreventunauthorisedprocessing(…).’31art25GDPRandart20Directive2016/680.32egENISA(n11).33CostaandPoullet(n12)askwhether‘thechangefromPbDtoDataProtectionbyDesign[is]aspecializationof meaning or [whether] the expressions [should] be considered as synonyms’ (p. 260); Kung writes that‘Privacy-by-Design (PbD) focuses on requirements and measures that take into account the respect ofindividuals’ privacy, while data protection by design focuses on requirements and measures to protectpersonaldata’ inAntonioKung, ‘PEARS:PrivacyEnhancingArchitectures’ inBartPreneelandDemosthenesIkonomou(eds),PrivacyTechnologiesandPolicies(Springer2014)18;seealsoJasmontaiteetal(n15)wheretheauthorsclearlydistinguishthetwoconcepts.

Hansen, the expression ‘data protection by design and by default’ hasmost likely beenintroducedinthenewdataprotectionrulestoreflectthefieldofrevision.34However,asexplained in the next subsection, data protection by design (and by default) is not themereimplementationoftheconceptofPrivacybyDesigninthedataprotectionfield.Theprinciplesof‘dataprotectionbydesign’and‘dataprotectionbydefault’aredescribedintheGDPRandDirective2016/680asfollows:35

1.Takingintoaccountthestateoftheart,thecostofimplementationandthenature,scope,contextandpurposesofprocessingaswellastherisksofvaryinglikelihoodandseverity for rights and freedoms of natural persons posed by the processing, thecontrollershall,bothatthetimeofthedeterminationofthemeansforprocessingandat the time of the processing itself, implement appropriate technical andorganisationalmeasures,suchaspseudonymisation,whicharedesignedtoimplementdata-protectionprinciples, such as dataminimisation, in an effectivemanner and tointegrate the necessary safeguards into the processing in order to meet therequirements of this Regulation [/Directive] and protect the rights of data subjects.[‘DataProtectionbyDesign’]

2.Thecontrollershall implementappropriatetechnicalandorganisationalmeasuresforensuringthat,bydefault,onlypersonaldatawhicharenecessaryforeachspecificpurpose of the processing are processed. That obligation applies to the amount ofpersonaldatacollected,theextentoftheirprocessing,theperiodoftheirstorageandtheiraccessibility. Inparticular, suchmeasuresshallensure thatbydefaultpersonaldata are not made accessible without the individual’s intervention to an indefinitenumberofnaturalpersons.[‘DataProtectionbyDefault’](…)

Inspiredby,butDifferentfrom,PrivacybyDesign

Like Privacy by Design, data protection by design requires to take into account dataprotectionprinciplesfromtheconceptionofthedesigntothedeploymentanduseoftheservicesorproducts.Asfordataprotectionbydefault,theprinciplehasbeendraftedasaseparate obligation from data protection by design. This distinction constitutes adifferencewiththeconceptofPrivacybyDesign-asconceptualisedbyCavoukian-wherePrivacybyDefaultisoneoftheelementsoftheconcept.AsanalysedbyJasmontaiteetal.,in the EU data protection framework, dataprotectionbydesign covers ‘the design andexistence of embedded safeguards andmechanisms’ whereas dataprotectionbydefault

34Marit Hansen, ‘Data Protection by Default in Identity-Related Applications,’ in Simone Fischer-Hübner,ElisabethdeLeeuw,andChrisMitchell(eds),PoliciesandResearchinIdentityManagement(Springer2013)4.35art25GDPRandart20Directive2016/680;theobligationsintheDirectiveareaddressedtoMemberStatesthatmustimposeanobligationofdataprotectionbydesignandbydefaulttodatacontrollersthroughtheirnationallegislation.

138

Chapter 6

encompasses‘theimplementationofsuchsafeguardsasadefaultsetting.’36Theyarethuscomplementary.Second,thematerialscopeofdataprotectionbydesignanddataprotectionbydefaultismorelimitedthanthatofPrivacybyDesign.TheholisticprincipleofPrivacybyDesign-asapproachedbyCavoukian-appliestoalltheactorsinvolvedinthelifecycleofthedata:fromthedevelopersandmanufacturersofsystemsorproductstotheirvendorsandend-users(i.e.thedatacontrollers).Bycontrast,dataprotectionbydesign(andbydefault)islimited to data controllers. Following Recital 78 GDPR, producers (of the products,services and applications) are only encouraged to take into account the right to dataprotection ‘when developing, designing, selecting and using applications, services andproducts that are basedon theprocessing of personal data or process personal data tofulfiltheirtask.’Thisencouragementisnotlegallybinding.However,datacontrollerswillmostlikelyrequireproducersandmanufacturerstodeliverproducts,servicesorappsthatwillenablethemtocomplywiththeirdataprotectionobligations.37Thescopeofthedataprotectionbydesign andbydefault principles ismore limited thanwhat theArticle 29WorkingPartyandtheEuropeanDataProtectionSupervisorhadrecommended:theybothtooktheviewthattheprinciplesshouldbebindingondesigners,producers,aswellasondatacontrollers.38

NotallDataProtectionPrinciplesareTechnicallyEmbeddableTheaimoftheprinciplesofdataprotectionbydesignanddataprotectionbydefaultistoensurethatdatacontrollersadopttechnicalandorganisationalmeasuresthatimplementdata protection principles. However, neither the GDPR nor the newDirective expresslyidentifies data protection principles. Likewise, neither instrument explains what the‘technical and organisational measures’ are, to the exception of anonymisation andpseudonymisationprovidedasexamplesoftechnicalmeasures.Finally,intheproposalfortheGDPR,thetaskoftranslatingtheprinciplesintotechnicalrequirementswasdelegatedtotheEuropeanCommission,39butsuchadelegationdisappearedinthefinaltextadoptedbytheEUinstitutions.40

36Jasmontaiteetal(n15).37Throughcontractualobligations;seealsotheanalysisofRecital78GDPRbyBygraveinLeeABygrave,‘DataProtectionbyDesignandbyDefault:Deciphering theEU’sLegislativeRequirements’ (2017)4(2)OsloLawReview105,116-118.38A29WP and the Working Party on Police and Justice, ‘The Future of Privacy’, Joint contribution to theConsultationof theEuropeanCommissionon the legal framework to the fundamentalright toprotectionofpersonaldata,WP168[2009],13;A29WP,‘Opinion8/2014onRecentDevelopmentsontheInternetofThings’WP223[2014];EDPS,‘Opiniononthedataprotectionreformpackage’[2012],30.39Seeart.23(4)oftheproposedGeneralDataProtectionRegulationreadasfollowed:‘TheCommissionmaylaydowntechnicalstandardsfortherequirementslaiddowninparagraph1and2.ThoseimplementingactsshallbeadoptedinaccordancewiththeexaminationprocedurereferredtoinArticle87(2).’40art25GDPRandart20Directive2016/680.

DataProtectionPrinciplesBothArticle25GDPRandArticle20ofDirective2016/680referto‘dataminimisation’asa data protection principle that should be implemented through organisational andtechnical measures. But they do not explain further what the other data protectionprinciplesare.NeithertheGDPRnorthe‘police’Directivesetsoutalistofthoseprinciples.41Theydolist‘principles relating to theprocessingofpersonaldata’ in respectivelyArticle5(1)GDPRandArticle4(1)ofthe‘police’Directive,butthenotioncoversmorethantheseprinciples.Asamatterofexample,theGDPRdescribes,inanon-exhaustivemanner,whatthenotionencompasses in Article 47(2)(d) GDPR. This provision refers to the ‘general dataprotectionprinciples’asincludingtheprinciplesof‘purposelimitation,dataminimisation,limitedstorageperiods,dataquality,dataprotectionbydesignandbydefault,legalbasisforprocessing,processingofspecialcategoriesofpersonaldata,measurestoensuredatasecurity,andtherequirementsinrespectofonwardtransferstobodiesnorboundbythebindingcorporaterules.’42ThereisthussomeuncertaintyconcerningtheprinciplesthatshouldbeimplementedinapplicationofArticle25GDPRandArticle20oftheDirective.But,sincebothprovisionsrefer to data minimisation, it makes sense to consider, at least, that the principlesapplicable to the processing of personal data should be implemented by design and bydefault.Thatbeingsaid,datacontrollersshouldnotlimitthemselvestotheseprinciples,asthe notion of ‘data protection principles’ is rather broad. But, for the purpose of thischapter and because the researchmainly focuses on the application of the principle ofpurpose limitation, the analysis only investigates the implementation of the principlesdescribedinArticle5(1)GDPRandArticle4(1)oftheDirective.

OrganisationalandTechnicalMeasuresBoth theGDPR andDirective 2016/680 formulate the obligations of data protection bydesignandbydefaultas‘organisationalandtechnicalmeasures'thatdatacontrollersmustadopt. But neither instrument defines these measures. They only refer to‘pseudonymisation' as one of themeans to implement the obligations. It is argued thattechnicalmeasures cover technical tools (such as anonymisation, pseudonymisation ordata aggregation) that can implement data protection principles, whereas operationalmeasuresrelatetoproceduresandpoliciesthatcanbeadoptedtomanagedataprocessing.This chapter focuses on the latter, as the technical solutions should be elaborated incollaborationwithtechnicalexperts.Thedistinctionbetweenorganisationalandtechnicalmeasures is very useful since the paper claims that not all data protection principles –

41As a matter of comparison, it is interesting to note that the Council of Europe Convention 108 is morespecificonthenotionas itdescribesthe ‘basicprinciples fordataprotection' iedataqualitythatcoverstherules applicable to data processing, data security, processing of special categories of data, and additionalsafeguardstodatasubjects(ChapterIIofConvention108).42art47(2)(d)GDPR,thelistisnon-exhaustive.

139

6


encompasses‘theimplementationofsuchsafeguardsasadefaultsetting.’36Theyarethuscomplementary.Second,thematerialscopeofdataprotectionbydesignanddataprotectionbydefaultismorelimitedthanthatofPrivacybyDesign.TheholisticprincipleofPrivacybyDesign-asapproachedbyCavoukian-appliestoalltheactorsinvolvedinthelifecycleofthedata:fromthedevelopersandmanufacturersofsystemsorproductstotheirvendorsandend-users(i.e.thedatacontrollers).Bycontrast,dataprotectionbydesign(andbydefault)islimited to data controllers. Following Recital 78 GDPR, producers (of the products,services and applications) are only encouraged to take into account the right to dataprotection ‘when developing, designing, selecting and using applications, services andproducts that are basedon theprocessing of personal data or process personal data tofulfiltheirtask.’Thisencouragementisnotlegallybinding.However,datacontrollerswillmostlikelyrequireproducersandmanufacturerstodeliverproducts,servicesorappsthatwillenablethemtocomplywiththeirdataprotectionobligations.37Thescopeofthedataprotectionbydesign andbydefault principles ismore limited thanwhat theArticle 29WorkingPartyandtheEuropeanDataProtectionSupervisorhadrecommended:theybothtooktheviewthattheprinciplesshouldbebindingondesigners,producers,aswellasondatacontrollers.38

NotallDataProtectionPrinciplesareTechnicallyEmbeddableTheaimoftheprinciplesofdataprotectionbydesignanddataprotectionbydefaultistoensurethatdatacontrollersadopttechnicalandorganisationalmeasuresthatimplementdata protection principles. However, neither the GDPR nor the newDirective expresslyidentifies data protection principles. Likewise, neither instrument explains what the‘technical and organisational measures’ are, to the exception of anonymisation andpseudonymisationprovidedasexamplesoftechnicalmeasures.Finally,intheproposalfortheGDPR,thetaskoftranslatingtheprinciplesintotechnicalrequirementswasdelegatedtotheEuropeanCommission,39butsuchadelegationdisappearedinthefinaltextadoptedbytheEUinstitutions.40

36Jasmontaiteetal(n15).37Throughcontractualobligations;seealsotheanalysisofRecital78GDPRbyBygraveinLeeABygrave,‘DataProtectionbyDesignandbyDefault:Deciphering theEU’sLegislativeRequirements’ (2017)4(2)OsloLawReview105,116-118.38A29WP and the Working Party on Police and Justice, ‘The Future of Privacy’, Joint contribution to theConsultationof theEuropeanCommissionon the legal framework to the fundamentalright toprotectionofpersonaldata,WP168[2009],13;A29WP,‘Opinion8/2014onRecentDevelopmentsontheInternetofThings’WP223[2014];EDPS,‘Opiniononthedataprotectionreformpackage’[2012],30.39Seeart.23(4)oftheproposedGeneralDataProtectionRegulationreadasfollowed:‘TheCommissionmaylaydowntechnicalstandardsfortherequirementslaiddowninparagraph1and2.ThoseimplementingactsshallbeadoptedinaccordancewiththeexaminationprocedurereferredtoinArticle87(2).’40art25GDPRandart20Directive2016/680.

DataProtectionPrinciplesBothArticle25GDPRandArticle20ofDirective2016/680referto‘dataminimisation’asa data protection principle that should be implemented through organisational andtechnical measures. But they do not explain further what the other data protectionprinciplesare.NeithertheGDPRnorthe‘police’Directivesetsoutalistofthoseprinciples.41Theydolist‘principles relating to theprocessingofpersonaldata’ in respectivelyArticle5(1)GDPRandArticle4(1)ofthe‘police’Directive,butthenotioncoversmorethantheseprinciples.Asamatterofexample,theGDPRdescribes,inanon-exhaustivemanner,whatthenotionencompasses in Article 47(2)(d) GDPR. This provision refers to the ‘general dataprotectionprinciples’asincludingtheprinciplesof‘purposelimitation,dataminimisation,limitedstorageperiods,dataquality,dataprotectionbydesignandbydefault,legalbasisforprocessing,processingofspecialcategoriesofpersonaldata,measurestoensuredatasecurity,andtherequirementsinrespectofonwardtransferstobodiesnorboundbythebindingcorporaterules.’42ThereisthussomeuncertaintyconcerningtheprinciplesthatshouldbeimplementedinapplicationofArticle25GDPRandArticle20oftheDirective.But,sincebothprovisionsrefer to data minimisation, it makes sense to consider, at least, that the principlesapplicable to the processing of personal data should be implemented by design and bydefault.Thatbeingsaid,datacontrollersshouldnotlimitthemselvestotheseprinciples,asthe notion of ‘data protection principles’ is rather broad. But, for the purpose of thischapter and because the researchmainly focuses on the application of the principle ofpurpose limitation, the analysis only investigates the implementation of the principlesdescribedinArticle5(1)GDPRandArticle4(1)oftheDirective.

OrganisationalandTechnicalMeasuresBoth theGDPR andDirective 2016/680 formulate the obligations of data protection bydesignandbydefaultas‘organisationalandtechnicalmeasures'thatdatacontrollersmustadopt. But neither instrument defines these measures. They only refer to‘pseudonymisation' as one of themeans to implement the obligations. It is argued thattechnicalmeasures cover technical tools (such as anonymisation, pseudonymisation ordata aggregation) that can implement data protection principles, whereas operationalmeasuresrelatetoproceduresandpoliciesthatcanbeadoptedtomanagedataprocessing.This chapter focuses on the latter, as the technical solutions should be elaborated incollaborationwithtechnicalexperts.Thedistinctionbetweenorganisationalandtechnicalmeasures is very useful since the paper claims that not all data protection principles –

41As a matter of comparison, it is interesting to note that the Council of Europe Convention 108 is morespecificonthenotionas itdescribesthe ‘basicprinciples fordataprotection' iedataqualitythatcoverstherules applicable to data processing, data security, processing of special categories of data, and additionalsafeguardstodatasubjects(ChapterIIofConvention108).42art47(2)(d)GDPR,thelistisnon-exhaustive.

140

Chapter 6

limitedheretotheprinciplesrelatingtodataprocessing-canbeembeddedintothedesignof technologies. Some principles, such as data minimisation or data security, aretechnologicallyimplementable,whereasotherssuchastheprincipleofpurposelimitationhaveapolicycomponentorrequireanassessmenttobeapplicable.Thus,thoseprinciplescanbeimplementedthroughpoliciesorprocedures,insteadoftechnicalsolutions.The classification of principles according to their ability to be ‘technologically’implementedisinspiredbytheresearchmadebytwocomputerscientists.InEngineeringPrivacy,SarahSpiekermannandLorrieCranorsuggestamethodtoengineertheUSFairPracticesPrinciplesbasedonthedistinctionbetweennoticeandchoiceprinciplesononehand anddataminimisationon their otherhand.43They translate this distinction into aprivacy-by-policy approach focusing on individuals’ rights (such as information andconsent) where individuals retain some control over their data and a privacy-by-architecture approach focusing on the architecture of IT systems (through dataminimisationanddataanonymisation).Based on Spiekermann and Cranor’s approach, this chapter argues that data protectionprinciplescanbedividedintoimplementableandnon-implementableprinciples.Thefirstcategory covers data protection principles that can be built into a systemor a product,such as data minimisation, data retention, or transparency.44The second categorycomprisesprinciples thatcannotbe technologically implementedwithout firstassessingtheir applicability or making a policy choice. It is the case of the principle of purposelimitation.45

PrincipleofPurposeLimitationThe principle of purpose limitation is laid down in Article 5(1)(b) GDPR and Article4(1)(b)ofDirective2016/680.Itissplitbetweenaprincipleofpurposespecificationanda prohibition of incompatible processing.46The first sub-principle describes the criteriathatthepurposeofdatacollectionmustmeet,i.e.be‘specific’,‘explicit’and‘legitimate’.47Thesecondsub-principlerelatestotheprohibitionofincompatibleprocessingofpersonaldatawiththepurpose(s)forwhichtheywerecollected.48Itisarguedherethat,atthestageofthedesignoftechnologiesandsystems,notall(legal)subsequent uses of data can be foreseen. Some authors have suggested privacy design

43Sarah Spiekermann and Lorrie Faith Cranor, ‘Engineering Privacy’ (2009) 35(1) IEEE Transactions onSoftwareEngineering67.44Ondataminimisationsee,forinstance,Gürses,TroncosoandDiaz(n11);SpiekermannandCranor(n42),andHoepman(n11).45ForadetailedanalysisoftheprincipleofpurposelimitationunderboththeGDPRandDirective2016/680,seeChapter5ofthisdissertation.46Seeanalysisby theA29WPon thecomponentsof theprincipleofpurpose limitation inA29WP, ‘Opinion03/2013onpurposelimitation’[2013]WP2013,11-13.47art5(1)(b)GDPRandart4(1)(b)Directive2016/680.48ibid;seealsothedescriptionofthe‘blockofcompatibleuse’bytheA29WPinA29WP,Opinion3/2013(n43)12-13.

strategies to implement the principle of purpose limitation into the design of ITproducts.49Thesestrategiesinclude,forinstance,theunlinkabilityofdatabasescontainingpersonal data and the separation between processing and storage of personal data.However, to implement these strategies, one first needs to assess the legal ground onwhichthefurtherprocessingcanbecarriedout:itmustbedeterminediftheprocessingisbased on the compatibility between the purposes of processing,50the existence of aspecificlaw51ortheindividual'sconsent.52Thustheapplicationoftheprincipleofpurposelimitation requires an assessment. Its interpretation is subject to changes to take intoaccountthecontextorcircumstancesoftheprocessing.Asanalysedinpreviouschaptersofthisstudy,53theprincipleofpurposelimitationisanessentialprinciplethatdoesnotseemtoplayasignificantroleinthecasesofsubsequentusesofGDPRdataforalawenforcementpurpose.Shouldsuchprocessingfollowtherulesapplicable to the furtherprocessingunder4(2)of the ‘police’Directive?Or should suchprocessingbe consideredas initialprocessingunder the ‘police’Directive?54Neither the‘police’DirectivenortheGDPRcoverstheissueandthusanswersthequestion.Thisissuemightbethenbetteraddressedindataprotectionpolicies(‘organisationalmeasures’)thatdescribe the procedures to be followed in case the data originating from third parties(includingprivateparties)areaccessedforfurtherusebylawenforcementauthorities.As a suggestion, such a data protection policy could, at least, identify the followingelements:(1)the legalground(s)onwhichtheaccesstoandsubsequentuseofthedataareallowed;(2)thesourceofthedata(i.e.privatesector);(3)thecategorisationofdatasubjects(e.g.victims,suspects,witnesses,orthird-party);(4)theclassificationofpersonaldata(biometricdata,includingthetype,suchasfingerprints,facialimages,voicesamples,etc.);(5)thepurpose(s)oflawenforcementuse(s)(suchascriminalinvestigation,police-ledsurveillance);(6)the(numberof)personsauthorisedtohaveaccesstothedata;(7)the rules/procedures applicable to themanagement of the accessed data (such as theirretentionperiod,storage,etc.);(8)therules/proceduresapplicableto(orprohibiting)anytransferoftheaccesseddata(tootherlawenforcementauthoritiesinternally,withintheEU, or outside the EU; to private parties, or to other public parties), and (9) the datasubjects’rights(andinparticularwhetherdatasubjectswillbenotifiedthattheirpersonaldatahavebeentransferredtoandusedbylawenforcementauthorities).55

49Hoepman(n11)7-9.50InthecontextofGDPRprocessing,seeart6(4)GDPR.51InthecontextofGDPRprocessing,seeart6(4)GDPR,andinthecontextoflawenforcementprocessing,seeart4(2)Directive2016/680.52InthecontextofGDPRprocessingonly,seeart6(4)GDPR.53SeeChapters4and5ofthisdissertation.54See,inparticular,theanalysisinChapter5ofthedissertation.55Thereissomeuncertaintyconcerningthescopeoftherighttoinformationinalawenforcementcontext,seepreviousChapters4and5ofthisdissertation.

141

6


limitedheretotheprinciplesrelatingtodataprocessing-canbeembeddedintothedesignof technologies. Some principles, such as data minimisation or data security, aretechnologicallyimplementable,whereasotherssuchastheprincipleofpurposelimitationhaveapolicycomponentorrequireanassessmenttobeapplicable.Thus,thoseprinciplescanbeimplementedthroughpoliciesorprocedures,insteadoftechnicalsolutions.The classification of principles according to their ability to be ‘technologically’implementedisinspiredbytheresearchmadebytwocomputerscientists.InEngineeringPrivacy,SarahSpiekermannandLorrieCranorsuggestamethodtoengineertheUSFairPracticesPrinciplesbasedonthedistinctionbetweennoticeandchoiceprinciplesononehand anddataminimisationon their otherhand.43They translate this distinction into aprivacy-by-policy approach focusing on individuals’ rights (such as information andconsent) where individuals retain some control over their data and a privacy-by-architecture approach focusing on the architecture of IT systems (through dataminimisationanddataanonymisation).Based on Spiekermann and Cranor’s approach, this chapter argues that data protectionprinciplescanbedividedintoimplementableandnon-implementableprinciples.Thefirstcategory covers data protection principles that can be built into a systemor a product,such as data minimisation, data retention, or transparency.44The second categorycomprisesprinciples thatcannotbe technologically implementedwithout firstassessingtheir applicability or making a policy choice. It is the case of the principle of purposelimitation.45

PrincipleofPurposeLimitationThe principle of purpose limitation is laid down in Article 5(1)(b) GDPR and Article4(1)(b)ofDirective2016/680.Itissplitbetweenaprincipleofpurposespecificationanda prohibition of incompatible processing.46The first sub-principle describes the criteriathatthepurposeofdatacollectionmustmeet,i.e.be‘specific’,‘explicit’and‘legitimate’.47Thesecondsub-principlerelatestotheprohibitionofincompatibleprocessingofpersonaldatawiththepurpose(s)forwhichtheywerecollected.48Itisarguedherethat,atthestageofthedesignoftechnologiesandsystems,notall(legal)subsequent uses of data can be foreseen. Some authors have suggested privacy design

43Sarah Spiekermann and Lorrie Faith Cranor, ‘Engineering Privacy’ (2009) 35(1) IEEE Transactions onSoftwareEngineering67.44Ondataminimisationsee,forinstance,Gürses,TroncosoandDiaz(n11);SpiekermannandCranor(n42),andHoepman(n11).45ForadetailedanalysisoftheprincipleofpurposelimitationunderboththeGDPRandDirective2016/680,seeChapter5ofthisdissertation.46Seeanalysisby theA29WPon thecomponentsof theprincipleofpurpose limitation inA29WP, ‘Opinion03/2013onpurposelimitation’[2013]WP2013,11-13.47art5(1)(b)GDPRandart4(1)(b)Directive2016/680.48ibid;seealsothedescriptionofthe‘blockofcompatibleuse’bytheA29WPinA29WP,Opinion3/2013(n43)12-13.

strategies to implement the principle of purpose limitation into the design of ITproducts.49Thesestrategiesinclude,forinstance,theunlinkabilityofdatabasescontainingpersonal data and the separation between processing and storage of personal data.However, to implement these strategies, one first needs to assess the legal ground onwhichthefurtherprocessingcanbecarriedout:itmustbedeterminediftheprocessingisbased on the compatibility between the purposes of processing,50the existence of aspecificlaw51ortheindividual'sconsent.52Thustheapplicationoftheprincipleofpurposelimitation requires an assessment. Its interpretation is subject to changes to take intoaccountthecontextorcircumstancesoftheprocessing.Asanalysedinpreviouschaptersofthisstudy,53theprincipleofpurposelimitationisanessentialprinciplethatdoesnotseemtoplayasignificantroleinthecasesofsubsequentusesofGDPRdataforalawenforcementpurpose.Shouldsuchprocessingfollowtherulesapplicable to the furtherprocessingunder4(2)of the ‘police’Directive?Or should suchprocessingbe consideredas initialprocessingunder the ‘police’Directive?54Neither the‘police’DirectivenortheGDPRcoverstheissueandthusanswersthequestion.Thisissuemightbethenbetteraddressedindataprotectionpolicies(‘organisationalmeasures’)thatdescribe the procedures to be followed in case the data originating from third parties(includingprivateparties)areaccessedforfurtherusebylawenforcementauthorities.As a suggestion, such a data protection policy could, at least, identify the followingelements:(1)the legalground(s)onwhichtheaccesstoandsubsequentuseofthedataareallowed;(2)thesourceofthedata(i.e.privatesector);(3)thecategorisationofdatasubjects(e.g.victims,suspects,witnesses,orthird-party);(4)theclassificationofpersonaldata(biometricdata,includingthetype,suchasfingerprints,facialimages,voicesamples,etc.);(5)thepurpose(s)oflawenforcementuse(s)(suchascriminalinvestigation,police-ledsurveillance);(6)the(numberof)personsauthorisedtohaveaccesstothedata;(7)the rules/procedures applicable to themanagement of the accessed data (such as theirretentionperiod,storage,etc.);(8)therules/proceduresapplicableto(orprohibiting)anytransferoftheaccesseddata(tootherlawenforcementauthoritiesinternally,withintheEU, or outside the EU; to private parties, or to other public parties), and (9) the datasubjects’rights(andinparticularwhetherdatasubjectswillbenotifiedthattheirpersonaldatahavebeentransferredtoandusedbylawenforcementauthorities).55

49Hoepman(n11)7-9.50InthecontextofGDPRprocessing,seeart6(4)GDPR.51InthecontextofGDPRprocessing,seeart6(4)GDPR,andinthecontextoflawenforcementprocessing,seeart4(2)Directive2016/680.52InthecontextofGDPRprocessingonly,seeart6(4)GDPR.53SeeChapters4and5ofthisdissertation.54See,inparticular,theanalysisinChapter5ofthedissertation.55Thereissomeuncertaintyconcerningthescopeoftherighttoinformationinalawenforcementcontext,seepreviousChapters4and5ofthisdissertation.

142

Chapter 6

Finally, theprinciplesofdataprotectionbydesignandbydefaultare linked to thedataprotectionimpactassessmentmechanism.Thetwotypesofmeasuresarenotexclusiveofeachotherbutcomplementary.AsacknowledgedinRecital53ofDirective2016/680,theresultsofaDPIAshouldbetakenintoaccountwhendevelopingspecificdataprotectionbydesignandbydefaultsolutions.

DPIA:AComplementaryRisk-ManagementTool

Before theadoptionof thedataprotection reformpackage,Privacy ImpactAssessments(PIAs)wereconductedvoluntarily.Theterm‘dataprotectionimpactassessment'wasnotused.56IntheUK,forinstance,PIAswerepartof‘bestpractices’undertheDataProtectionAct1998(implementingthepreviousDataProtectionDirective)57andwerealsousedbypolice authorities.58The novelty is their introduction in the new legal framework as arequirementtriggeredbythelevelofrisksthatdataprocessingactivitiesarelikelytoposetoindividuals.AsacknowledgedbyKlozaetal., therisk-basedapproachintheGDPR(aswellas inthenewDirective)originatesfromthefieldofriskmanagement. Inparticular,“[t]heGDPRbroughttothedataprotectionforeterminologyfromriskmanagement,suchas ‘highrisk’, ‘likelihood’, ‘impact’or ‘severity’”.59It isthusdifficulttodefinethesetermswithprecision, and theymightnotbe adapted to the legal fieldsof dataprotectionandhumanrights.60AccordingtotheA29WP,thisrisk-basedapproachcouldalreadybefoundin Directive 95/46/EC, butwas limited to ‘security (Article 17) and [to] the DPA priorcheckingobligations(Article20).’61TheDPIArequirement,formulatedinArticle27(1)ofDirective2016/680,isdescribedasfollows:62

Whereatypeofprocessing, inparticular,usingnewtechnologiesandtakingintoaccountthenature,scope,contextandpurposesoftheprocessingislikelytoresultinahighrisktotherightsandfreedomsofnaturalpersons,MemberStatesshallprovide for thecontroller tocarryout,prior to theprocessing,anassessmentof

56In the context of this paper, ‘PIAs' and ‘DPIAs' are used interchangeably; as it is often the case in otherdocuments;seeforinstance,A29WP,GuidelinesonDPIA(n3)4,fn2.57Forexample,InformationCommissioner’sOffice,‘GuidetotheGeneralDataProtectionRegulation(GDPR),Data Protection Impact Assessments (DPIAs)’ <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/>accessedon30December2018.58See, for instance, Nottinghamshire police, ‘Privacy Impact Assessment (PIA)' [2012] (updated in 2013)<https://www.nottinghamshire.police.uk/sites/default/files/documents/files/PD608Privacy%20Impact%20Assessment%20v1%200.pdf> accessed 30December 2018;NorthWales Police, ‘Body-WornVideo: PrivacyImpact Assessment of Body Worn Video’ [2014], updated in 2015 <https://www.north-wales.police.uk/media/427114/privacy-impact-assessment-body-worn-cameras.pdf> accessed 30 December2018.59Klozaetal(n15).60ibid.61A29WP, ‘Statement on the Role of a Risk-Based Approach in Data Protection Legal Frameworks’ [2014]WP218,2.62TobereadtogetherwithRecital58Directive2016/680.

129

the impactof the envisagedprocessingoperationson theprotectionofpersonaldata.63

Asaresult,onlydataprocessingoperationsthatare ‘likelytoresult inahighrisktotherights and freedoms of data subjects’ lead to a DPIA. It must first be assessed when aprocessingoperationtriggersaDPIAbeforedescribingitscontent.

InitialAssessment:RiskAnalysisThekeycriterionisthelevelofrisksposedbytheprocessingoperation(s)toindividuals’rightsandfreedoms.ADPIAcoverstherighttodataprotection,aswellasotherrightsandfreedoms relating todataprocessing.These rights and freedomsare, amongothers, therighttoinformation,therighttonon-discrimination,therighttoprivacy,andfreedomofexpression.64

a. High-RiskProcessing‘High risk' and ‘risk’ are not defined in the texts. Instead, the GDPR and Directive2016/680 provide factors to determine the existence of high-risk processing. Thosefactorsaretheuseofnewtechnologies,aswellasthenature,scope,contextandpurposesoftheprocessing.i.LevelofRiskAccording toRecital 52ofDirective2016/680,65the level of risk shouldbe assessedbyreferencetothelikelihoodofitsoccurrenceandseverity.Theevaluationoftheriskshouldresult from an ‘objective assessment.’ However, the thresholds of ‘severity’, ‘likelihood’,and thenotionof riskremainundefined.Likewise,neither instrumentspecifieswhatan‘objectiveassessment’is.Inthelawenforcementcontext,Recital52ofDirective2016/680providesthathighriskis‘aparticularriskofprejudicetotherightsandfreedomsofdatasubjects.’OnlyinthecontextofGDPRdataprocessing,doestheRegulationidentifythreeexamples of ‘high-risk’ processing leading to a DPIA. Those cases are the systematicevaluation(includingprofiling)of individuals,theprocessingofsensitivedataonalargescale, and the systematicmonitoring of publicly accessible areas on a large scale.66Thenotionof‘largescale’isundefinedaswell.AccordingtotheA29WP,‘largescale’shouldbeassessed thanks to the number of individuals affected by the processing, the type andvolume of data, the duration of the processing aswell as the geographical scope of theprocessing.67

63art35(1)GDPRisworded in identical terms, totheexceptionthat theDirective imposesanobligationonMemberStatestoimplementtherule.64A29WP, ‘Statement on the role of a risk-based approach in data protection legal frameworks’ (n 57) 4,wheretheA29WPobservedthat“thescopeof‘therightsandfreedoms’ofthedatasubjectsprimarilyconcernsthe right to privacy butmay also involve other fundamental rights such as freedom of speech, freedom ofthought,freedomofmovement,prohibitionofdiscrimination,righttoliberty,conscienceandreligion.”65andRecital78GDPR.66art35(3)GDPR.67A29WP,GuidelinesonDPIAs(n3)10.

143

6


Finally, theprinciplesofdataprotectionbydesignandbydefaultare linked to thedataprotectionimpactassessmentmechanism.Thetwotypesofmeasuresarenotexclusiveofeachotherbutcomplementary.AsacknowledgedinRecital53ofDirective2016/680,theresultsofaDPIAshouldbetakenintoaccountwhendevelopingspecificdataprotectionbydesignandbydefaultsolutions.

DPIA:AComplementaryRisk-ManagementTool

Before theadoptionof thedataprotection reformpackage,Privacy ImpactAssessments(PIAs)wereconductedvoluntarily.Theterm‘dataprotectionimpactassessment'wasnotused.56IntheUK,forinstance,PIAswerepartof‘bestpractices’undertheDataProtectionAct1998(implementingthepreviousDataProtectionDirective)57andwerealsousedbypolice authorities.58The novelty is their introduction in the new legal framework as arequirementtriggeredbythelevelofrisksthatdataprocessingactivitiesarelikelytoposetoindividuals.AsacknowledgedbyKlozaetal., therisk-basedapproachintheGDPR(aswellas inthenewDirective)originatesfromthefieldofriskmanagement. Inparticular,“[t]heGDPRbroughttothedataprotectionforeterminologyfromriskmanagement,suchas ‘highrisk’, ‘likelihood’, ‘impact’or ‘severity’”.59It isthusdifficulttodefinethesetermswithprecision, and theymightnotbe adapted to the legal fieldsof dataprotectionandhumanrights.60AccordingtotheA29WP,thisrisk-basedapproachcouldalreadybefoundin Directive 95/46/EC, butwas limited to ‘security (Article 17) and [to] the DPA priorcheckingobligations(Article20).’61TheDPIArequirement,formulatedinArticle27(1)ofDirective2016/680,isdescribedasfollows:62

Whereatypeofprocessing, inparticular,usingnewtechnologiesandtakingintoaccountthenature,scope,contextandpurposesoftheprocessingislikelytoresultinahighrisktotherightsandfreedomsofnaturalpersons,MemberStatesshallprovide for thecontroller tocarryout,prior to theprocessing,anassessmentof

56In the context of this paper, ‘PIAs' and ‘DPIAs' are used interchangeably; as it is often the case in otherdocuments;seeforinstance,A29WP,GuidelinesonDPIA(n3)4,fn2.57Forexample,InformationCommissioner’sOffice,‘GuidetotheGeneralDataProtectionRegulation(GDPR),Data Protection Impact Assessments (DPIAs)’ <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/>accessedon30December2018.58See, for instance, Nottinghamshire police, ‘Privacy Impact Assessment (PIA)' [2012] (updated in 2013)<https://www.nottinghamshire.police.uk/sites/default/files/documents/files/PD608Privacy%20Impact%20Assessment%20v1%200.pdf> accessed 30December 2018;NorthWales Police, ‘Body-WornVideo: PrivacyImpact Assessment of Body Worn Video’ [2014], updated in 2015 <https://www.north-wales.police.uk/media/427114/privacy-impact-assessment-body-worn-cameras.pdf> accessed 30 December2018.59Klozaetal(n15).60ibid.61A29WP, ‘Statement on the Role of a Risk-Based Approach in Data Protection Legal Frameworks’ [2014]WP218,2.62TobereadtogetherwithRecital58Directive2016/680.

129

the impactof the envisagedprocessingoperationson theprotectionofpersonaldata.63

Asaresult,onlydataprocessingoperationsthatare ‘likelytoresult inahighrisktotherights and freedoms of data subjects’ lead to a DPIA. It must first be assessed when aprocessingoperationtriggersaDPIAbeforedescribingitscontent.

InitialAssessment:RiskAnalysisThekeycriterionisthelevelofrisksposedbytheprocessingoperation(s)toindividuals’rightsandfreedoms.ADPIAcoverstherighttodataprotection,aswellasotherrightsandfreedoms relating todataprocessing.These rights and freedomsare, amongothers, therighttoinformation,therighttonon-discrimination,therighttoprivacy,andfreedomofexpression.64

a. High-RiskProcessing‘High risk' and ‘risk’ are not defined in the texts. Instead, the GDPR and Directive2016/680 provide factors to determine the existence of high-risk processing. Thosefactorsaretheuseofnewtechnologies,aswellasthenature,scope,contextandpurposesoftheprocessing.i.LevelofRiskAccording toRecital 52ofDirective2016/680,65the level of risk shouldbe assessedbyreferencetothelikelihoodofitsoccurrenceandseverity.Theevaluationoftheriskshouldresult from an ‘objective assessment.’ However, the thresholds of ‘severity’, ‘likelihood’,and thenotionof riskremainundefined.Likewise,neither instrumentspecifieswhatan‘objectiveassessment’is.Inthelawenforcementcontext,Recital52ofDirective2016/680providesthathighriskis‘aparticularriskofprejudicetotherightsandfreedomsofdatasubjects.’OnlyinthecontextofGDPRdataprocessing,doestheRegulationidentifythreeexamples of ‘high-risk’ processing leading to a DPIA. Those cases are the systematicevaluation(includingprofiling)of individuals,theprocessingofsensitivedataonalargescale, and the systematicmonitoring of publicly accessible areas on a large scale.66Thenotionof‘largescale’isundefinedaswell.AccordingtotheA29WP,‘largescale’shouldbeassessed thanks to the number of individuals affected by the processing, the type andvolume of data, the duration of the processing aswell as the geographical scope of theprocessing.67

63art35(1)GDPRisworded in identical terms, totheexceptionthat theDirective imposesanobligationonMemberStatestoimplementtherule.64A29WP, ‘Statement on the role of a risk-based approach in data protection legal frameworks’ (n 57) 4,wheretheA29WPobservedthat“thescopeof‘therightsandfreedoms’ofthedatasubjectsprimarilyconcernsthe right to privacy butmay also involve other fundamental rights such as freedom of speech, freedom ofthought,freedomofmovement,prohibitionofdiscrimination,righttoliberty,conscienceandreligion.”65andRecital78GDPR.66art35(3)GDPR.67A29WP,GuidelinesonDPIAs(n3)10.

144

Chapter 6

TheA29WPhasestablishedfurtherguidanceonthenotionof‘highrisk’initsGuidelinesonDPIAs in the contextofGDPRdataprocessing.According to theWorkingParty, ninecriteriacanbeusedtoevaluatewhetheraspecificprocessingoperationconstituteshigh-riskprocessing.Acombinationoftwoofthesecriteriais,atleast,necessarytoreachsucha conclusion. These criteria are described as 1) evaluation or scoring; 2) automateddecision making with legal or similar significant effect; 3) systematic monitoring; 4)sensitivedataordataofahighlypersonalnature;5)dataprocessedona largescale;6)matching or combining datasets; 7) data concerning vulnerable data subjects; 8)innovative use or applying new technological or organisational solutions, and 9)processing that prevents data subjects from exercising a right or using a service or acontract.In the UK, the Information Commissioner’s Office (ICO) invites law enforcementauthoritiestofollowtheguidanceithasdevelopedforGDPRdataprocessing.Itsguidancerefers to thecriteriaestablishedby theA29WP.Onecouldobserve that someUKpoliceauthoritieshavealreadyreproducedtheICO’sguideontheGDPRintheirdataprotectionimpactassessmentpolicy.68ii.ObjectiveAssessment,Likelihood,andSeveritySeveral national DPAs have provided examples of DPIAs and explained the notion of‘objectiveassessment’.Forinstance,intheUK,theICOsuggestsusingamatrixcombiningboth the severity and likelihood of risks to determine the level of risk. Following thisapproach, severity is split into ‘serious harm’, ‘some impact’, and ‘minimal impact’;whereasthelikelihoodofharmisdividedinto‘remote',‘reasonable',and‘morelikelythannot.'Forexample,seriousharmcombinedwitharemotelikelihoodwillresultinlowrisk(andthusnoDPIA),whereasseriousharmwillresultinhighriskifitiscombinedwitha‘reasonable possibility' of harm or a ‘more likely than not' harm.69In France, the CNIL(CommissionNationaledel’InformatiqueetdesLibertés)scalesthe likelihoodandseverityof risks through a four-level typology: negligible risk, limited risk, significant risk, andmaximumrisk.70Thusdifferentmethodologiesonthelevelofriskswillapplyatnationallevel.71

68In particular, Dyfed Powys Police, ‘Data Protection Impact Assessment Policy’, 8 <https://www.dyfed-powys.police.uk/media/5874/data-protection-impact-assessment-policy.pdf>accessed30December2018.69For an overview of the matrix built by the ICO, see ICO’s Guide ‘Accountability and Governance: DataProtectionImpactAssessments(DPIAs)'[2018]33<https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias-1-0.pdf> accessed 30September2018.70CNIL,‘PrivacyImpactAssessment(PIA):KnowledgeBases’[2018]4–5<https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-3-en-knowledgebases.pdf>accessed30September2018.71SeealsotheothermethodologiesdescribedintheVALCRIdeliverable(n14):TheGerman ‘StandardDataProtection Model’ established by the German Data Protection Authorities (to the exception of Bavaria)<https://www.datenschutzzentrum.de/uploads/sdm/SDM-Methodology_V1.0.pdf> accessed 30 December2018; theDPIAGuidelinesof theBelgiumDataProtectionAuthority (CommissievoordeBeschermingvandePersoonlijkeLevenssfeer)<https://www.gegevensbeschermingsautoriteit.be/aanbeveling-uit-eigen-beweging-mbt-de-gegevensbeschermingseffectbeoordeling-nr-012018>accessed30December2018; theSpanishData

iii.RiskLeadingtoPotentialDamageNeither theGDPRnorDirective2016/680requires theexistenceofactualdamage,onlypossibleharmtoindividuals,whetherphysical,materialornon-material,issufficient.72

b. FactorsThe‘nature,scope,contextandpurposesoftheprocessing'arefactorsthatwillalsohelpestablishtheriskynatureofaprocessingoperation.73InitsGuidelinesonDPIAs,theA29WPdoesnotprovidemuchguidanceonthesefactors.Atnationallevel,theICOoffersmoredetailsonthesefactors.74Theauthorityspecifiesthatthenature of the processing relates towhat the data controller ‘plan[s] to dowith thepersonaldata.’Itincludeshowthedataarecollected,stored,used,sharedbutalsoforhowlongtheyarekept,andhowtheyareprotected.75Thescopeoftheprocessingisthecoreofthe processing, in the sense that it covers the nature of the personal data at stake(includingtheirsensitivity),theamountofdataprocessed,76thenumberofdatasubjects,etc. The context of the processing provides ‘the wider picture, including internal andexternal factors which might affect expectations and impact.’77Those factors are, forinstance, the source of the data, the control that individuals can exercise over theirpersonal data, but also the extent towhich individuals expect the processing. Last, thepurposeoftheprocessingdescribesthereasonsfortheprocessing.78Itsdescriptionshouldincludetheoutcomesforindividuals,butalsotheexpectedbenefitsforsocietyatlargeaswellastheexistenceoflegitimateinterestsforprocessingonthedatacontroller’sside.79The use of new technologies is another factor that should be taken into account in theassessment of the necessity of aDPIA. In itsGuidelines onDPIAs, theA29WPgives theexampleofatechnologicalsolutionthatwoulduseboth‘fingerprintandfacerecognition'for access control.80As the use of such technology might ‘involve new forms of datacollection and usage, possibly with a high risk to individuals' rights and freedoms,'81aDPIAmightbenecessary.

ElementsofaDPIAA DPIA results in mitigating the ‘high risks’ that have been identified. Thus, if datacontrollers conclude that theyhave to conduct aDPIA, they shouldprovide solutions tomitigate,i.e.eliminate,minimiseorreduce,theriskstodatasubjects’rightsandfreedoms.Protection Authority (Agencia española de protección de datos<https://www.aepd.es/media/guias/guia-evaluaciones-de-impacto-rgpd.pdf>accessed30December2018.72Recital75GDPRandRecital51Directive2016/680.73A29WP,GuidelinesonDPIAs(n3)17.74ICO(n56).75ibid,see‘Step2:Howdowedescribetheprocessing?'76ibid.77ibid.78ibid.79ibid.80A29WP,GuidelinesonDPIAs(n3)10.81ibid.

145

6


TheA29WPhasestablishedfurtherguidanceonthenotionof‘highrisk’initsGuidelinesonDPIAs in the contextofGDPRdataprocessing.According to theWorkingParty, ninecriteriacanbeusedtoevaluatewhetheraspecificprocessingoperationconstituteshigh-riskprocessing.Acombinationoftwoofthesecriteriais,atleast,necessarytoreachsucha conclusion. These criteria are described as 1) evaluation or scoring; 2) automateddecision making with legal or similar significant effect; 3) systematic monitoring; 4)sensitivedataordataofahighlypersonalnature;5)dataprocessedona largescale;6)matching or combining datasets; 7) data concerning vulnerable data subjects; 8)innovative use or applying new technological or organisational solutions, and 9)processing that prevents data subjects from exercising a right or using a service or acontract.In the UK, the Information Commissioner’s Office (ICO) invites law enforcementauthoritiestofollowtheguidanceithasdevelopedforGDPRdataprocessing.Itsguidancerefers to thecriteriaestablishedby theA29WP.Onecouldobserve that someUKpoliceauthoritieshavealreadyreproducedtheICO’sguideontheGDPRintheirdataprotectionimpactassessmentpolicy.68ii.ObjectiveAssessment,Likelihood,andSeveritySeveral national DPAs have provided examples of DPIAs and explained the notion of‘objectiveassessment’.Forinstance,intheUK,theICOsuggestsusingamatrixcombiningboth the severity and likelihood of risks to determine the level of risk. Following thisapproach, severity is split into ‘serious harm’, ‘some impact’, and ‘minimal impact’;whereasthelikelihoodofharmisdividedinto‘remote',‘reasonable',and‘morelikelythannot.'Forexample,seriousharmcombinedwitharemotelikelihoodwillresultinlowrisk(andthusnoDPIA),whereasseriousharmwillresultinhighriskifitiscombinedwitha‘reasonable possibility' of harm or a ‘more likely than not' harm.69In France, the CNIL(CommissionNationaledel’InformatiqueetdesLibertés)scalesthe likelihoodandseverityof risks through a four-level typology: negligible risk, limited risk, significant risk, andmaximumrisk.70Thusdifferentmethodologiesonthelevelofriskswillapplyatnationallevel.71

68In particular, Dyfed Powys Police, ‘Data Protection Impact Assessment Policy’, 8 <https://www.dyfed-powys.police.uk/media/5874/data-protection-impact-assessment-policy.pdf>accessed30December2018.69For an overview of the matrix built by the ICO, see ICO’s Guide ‘Accountability and Governance: DataProtectionImpactAssessments(DPIAs)'[2018]33<https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias-1-0.pdf> accessed 30September2018.70CNIL,‘PrivacyImpactAssessment(PIA):KnowledgeBases’[2018]4–5<https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-3-en-knowledgebases.pdf>accessed30September2018.71SeealsotheothermethodologiesdescribedintheVALCRIdeliverable(n14):TheGerman ‘StandardDataProtection Model’ established by the German Data Protection Authorities (to the exception of Bavaria)<https://www.datenschutzzentrum.de/uploads/sdm/SDM-Methodology_V1.0.pdf> accessed 30 December2018; theDPIAGuidelinesof theBelgiumDataProtectionAuthority (CommissievoordeBeschermingvandePersoonlijkeLevenssfeer)<https://www.gegevensbeschermingsautoriteit.be/aanbeveling-uit-eigen-beweging-mbt-de-gegevensbeschermingseffectbeoordeling-nr-012018>accessed30December2018; theSpanishData

iii.RiskLeadingtoPotentialDamageNeither theGDPRnorDirective2016/680requires theexistenceofactualdamage,onlypossibleharmtoindividuals,whetherphysical,materialornon-material,issufficient.72

b. FactorsThe‘nature,scope,contextandpurposesoftheprocessing'arefactorsthatwillalsohelpestablishtheriskynatureofaprocessingoperation.73InitsGuidelinesonDPIAs,theA29WPdoesnotprovidemuchguidanceonthesefactors.Atnationallevel,theICOoffersmoredetailsonthesefactors.74Theauthorityspecifiesthatthenature of the processing relates towhat the data controller ‘plan[s] to dowith thepersonaldata.’Itincludeshowthedataarecollected,stored,used,sharedbutalsoforhowlongtheyarekept,andhowtheyareprotected.75Thescopeoftheprocessingisthecoreofthe processing, in the sense that it covers the nature of the personal data at stake(includingtheirsensitivity),theamountofdataprocessed,76thenumberofdatasubjects,etc. The context of the processing provides ‘the wider picture, including internal andexternal factors which might affect expectations and impact.’77Those factors are, forinstance, the source of the data, the control that individuals can exercise over theirpersonal data, but also the extent towhich individuals expect the processing. Last, thepurposeoftheprocessingdescribesthereasonsfortheprocessing.78Itsdescriptionshouldincludetheoutcomesforindividuals,butalsotheexpectedbenefitsforsocietyatlargeaswellastheexistenceoflegitimateinterestsforprocessingonthedatacontroller’sside.79The use of new technologies is another factor that should be taken into account in theassessment of the necessity of aDPIA. In itsGuidelines onDPIAs, theA29WPgives theexampleofatechnologicalsolutionthatwoulduseboth‘fingerprintandfacerecognition'for access control.80As the use of such technology might ‘involve new forms of datacollection and usage, possibly with a high risk to individuals' rights and freedoms,'81aDPIAmightbenecessary.

ElementsofaDPIAA DPIA results in mitigating the ‘high risks’ that have been identified. Thus, if datacontrollers conclude that theyhave to conduct aDPIA, they shouldprovide solutions tomitigate,i.e.eliminate,minimiseorreduce,theriskstodatasubjects’rightsandfreedoms.Protection Authority (Agencia española de protección de datos<https://www.aepd.es/media/guias/guia-evaluaciones-de-impacto-rgpd.pdf>accessed30December2018.72Recital75GDPRandRecital51Directive2016/680.73A29WP,GuidelinesonDPIAs(n3)17.74ICO(n56).75ibid,see‘Step2:Howdowedescribetheprocessing?'76ibid.77ibid.78ibid.79ibid.80A29WP,GuidelinesonDPIAs(n3)10.81ibid.

146

Chapter 6

132

IfaDPIAismandatory,itshouldbecarriedout‘priortotheprocessing.’82AsnotedbytheA29WP, a DPIA is not a static process, and it needs to be reviewed, updated andmonitored.83

Scope:SingleProcessingoraSeriesofProcessingOperations?FollowingRecital 58ofDirective2016/680, adataprotection impact assessment in thecontext of law enforcement cannot relate to a single processing operation. It should,instead,cover‘systemsandprocessesofprocessingoperations.’ThisisdifferentfromtheGDPRruleswhereaDPIAcanrelatetoasingleproject.84

FeaturesofaDPIA

According to Article 27(2) of Directive 2016/680,85a DPIA should, at least, contain thefollowingelements:

a)ageneraldescriptionoftheprocessingoperations;b)ariskassessment(includingtheidentificationofindividuals’rightsandfreedomsthatmightbeaffected);c)themitigatingsolutions(‘measuresenvisagedtoaddresstherisks’),andd)safeguards,securitymeasuresandmechanismsfortheprotectionofpersonaldata.

Datacontrollershavealotofflexibilityconcerning‘theprecisestructureandformoftheDPIA.’86Severalnationaldataprotectionauthoritieshaveissuedtemplatesorexamplesofframeworkstoguidedatacontrollers.Forexample,theICOhaspublisheda‘sampleDPIAtemplate’ taking into account the GDPR provisions.87The process is composed of ninesteps: from the identification of the need for a DPIA to the revision of the DPIA. Inbetween,datacontrollersmustidentifytherisksandfindsolutionstomitigatetherisks.Thus,thepreliminaryassessmentoftheexistenceof‘highrisk'processingcanconstituteapartofaDPIA.TheCNILhas releasedaPrivacy ImpactAssessment template,88togetherwith a methodology and a ‘knowledge base’ document.89However, they have not beenspecificallydesignedforlawenforcementprocessing.

RiskMitigationThepurposeofaDPIAistoidentifysolutionstominimisetheriskstodatasubjects’rightsand freedoms. As interpretedby the ICO, amitigatingmeasure should be envisaged for82art35(1)GDPRandart27(1)Directive2016/680.83A29WP,GuidelinesonDPIAs(n3)14.84art35(1)GDPR.85Seealsoart35(2)GDPR.86A29WP,GuidelinesonDPIAs(n3)17.87ICO,‘SampleDPIATemplate’versionv0.4of22June2018,downloadablefromthesection‘DataProtectionImpactAssessments’intheGuidetotheGeneralDataProtectionRegulation(n56).88CNIL,‘PrivacyImpactAssessment(PIA):Templates’[2018]<https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-2-en-templates.pdf> accessed 30 September2018.89CNIL,‘CNILpublishesanupdateofitsPIAGuides’(cnil.fr,26February2018)<https://www.cnil.fr/en/cnil-publishes-update-its-pia-guides>accessed30September2018.

each risk identified.90There is no exhaustive list of solutions to address the risks. Themeasureshave tobe tailor-made to the risks identified, but theyneed to integratedataprotectionbydesignandbydefaultsolutions.Theycanvaryfrom‘decidingnottocollectcertaintypesofpersonaldata'91to‘anonymisingorpseudonymising’92thedataor‘makingchangestoprivacynotices.’93InitsDPIAtemplate,theICOadvisestomeasuretheeffectofthe solutions on the risk (risk eliminated, reduced or accepted) and the existence ofresidualrisk(low,medium,high).94Ifaresidual‘highrisk’hasbeenidentified,thenationaldataprotectionauthorityneedstobeconsultedbeforetheprocessingiscarriedout.95ThedatacontrollershouldprovidetheDPIAasconductedtothedataprotectionauthority.96Basedontheanalysisoftheprovisionsmadeinthissection,thenextsectionevaluatesthelevelofrisksassociatedwiththelawenforcementreprocessingofbiometricdatacollectedundertheGDPRandprovidessomerecommendations.

LawEnforcementReprocessingofGDPRBiometricDataIn the scenariounder review,personaldataofa specific type -biometricdata - initiallycollected under the GDPR are accessed and subsequently used for a law enforcementpurpose. Such a scenario lies at the intersection between the GDPR and the ‘police’Directive. The two instruments cover different fields, and some adjustments to theindividuals’ rights are necessary and justified in the context of law enforcementprocessing.97However,inthatcontextlikeintheGDPRcontext,98thepurposeofaDPIAistoassesstheimpactoftheprocessingonindividuals’rights.Itseems,therefore,legitimatetoinvestigateifandhowthefurtherprocessingofindividuals’biometricdataacrossfieldsimpact their rights (including their right to remedy). Should the mere reprocessing ofpersonaldataacrossinstrumentsnotjustify,onitsown,aDPIA?Orshouldotherelementsbe taken intoaccount toassess the levelof risk thatsuchprocessing is likely topose toindividuals?Buildingonthefindingsoftheprevioussections,thispartanalysesdifferentelements,whichcouldbeusedtoassessthenecessityofaDPIA.ItalsoofferssuggestionsonthecontentofsuchaDPIA.

90ICO(n56)91ICO(n56)see‘Step6:Howdoweidentifymitigatingmeasures?’92ibid.93ibid.94ibid.95art36(1)GDPRandart28(1)(a)Directive2016/680.96art36(3)(e)GDPRandart28(4)Directive2016/680.97Such as the need to not provide information about the data collected when a criminal investigation isongoing.98AsobservedbytheA29WPinA29WP,GuidelinesonDPIAs(n3)17,aDPIAis‘atoolformanagingriskstotherightsofdatasubjects,andthustakestheirperspective.’

147

6


132

IfaDPIAismandatory,itshouldbecarriedout‘priortotheprocessing.’82AsnotedbytheA29WP, a DPIA is not a static process, and it needs to be reviewed, updated andmonitored.83

Scope:SingleProcessingoraSeriesofProcessingOperations?FollowingRecital 58ofDirective2016/680, adataprotection impact assessment in thecontext of law enforcement cannot relate to a single processing operation. It should,instead,cover‘systemsandprocessesofprocessingoperations.’ThisisdifferentfromtheGDPRruleswhereaDPIAcanrelatetoasingleproject.84

FeaturesofaDPIA

According to Article 27(2) of Directive 2016/680,85a DPIA should, at least, contain thefollowingelements:

a)ageneraldescriptionoftheprocessingoperations;b)ariskassessment(includingtheidentificationofindividuals’rightsandfreedomsthatmightbeaffected);c)themitigatingsolutions(‘measuresenvisagedtoaddresstherisks’),andd)safeguards,securitymeasuresandmechanismsfortheprotectionofpersonaldata.

Datacontrollershavealotofflexibilityconcerning‘theprecisestructureandformoftheDPIA.’86Severalnationaldataprotectionauthoritieshaveissuedtemplatesorexamplesofframeworkstoguidedatacontrollers.Forexample,theICOhaspublisheda‘sampleDPIAtemplate’ taking into account the GDPR provisions.87The process is composed of ninesteps: from the identification of the need for a DPIA to the revision of the DPIA. Inbetween,datacontrollersmustidentifytherisksandfindsolutionstomitigatetherisks.Thus,thepreliminaryassessmentoftheexistenceof‘highrisk'processingcanconstituteapartofaDPIA.TheCNILhas releasedaPrivacy ImpactAssessment template,88togetherwith a methodology and a ‘knowledge base’ document.89However, they have not beenspecificallydesignedforlawenforcementprocessing.

RiskMitigationThepurposeofaDPIAistoidentifysolutionstominimisetheriskstodatasubjects’rightsand freedoms. As interpretedby the ICO, amitigatingmeasure should be envisaged for82art35(1)GDPRandart27(1)Directive2016/680.83A29WP,GuidelinesonDPIAs(n3)14.84art35(1)GDPR.85Seealsoart35(2)GDPR.86A29WP,GuidelinesonDPIAs(n3)17.87ICO,‘SampleDPIATemplate’versionv0.4of22June2018,downloadablefromthesection‘DataProtectionImpactAssessments’intheGuidetotheGeneralDataProtectionRegulation(n56).88CNIL,‘PrivacyImpactAssessment(PIA):Templates’[2018]<https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-2-en-templates.pdf> accessed 30 September2018.89CNIL,‘CNILpublishesanupdateofitsPIAGuides’(cnil.fr,26February2018)<https://www.cnil.fr/en/cnil-publishes-update-its-pia-guides>accessed30September2018.

each risk identified.90There is no exhaustive list of solutions to address the risks. Themeasureshave tobe tailor-made to the risks identified, but theyneed to integratedataprotectionbydesignandbydefaultsolutions.Theycanvaryfrom‘decidingnottocollectcertaintypesofpersonaldata'91to‘anonymisingorpseudonymising’92thedataor‘makingchangestoprivacynotices.’93InitsDPIAtemplate,theICOadvisestomeasuretheeffectofthe solutions on the risk (risk eliminated, reduced or accepted) and the existence ofresidualrisk(low,medium,high).94Ifaresidual‘highrisk’hasbeenidentified,thenationaldataprotectionauthorityneedstobeconsultedbeforetheprocessingiscarriedout.95ThedatacontrollershouldprovidetheDPIAasconductedtothedataprotectionauthority.96Basedontheanalysisoftheprovisionsmadeinthissection,thenextsectionevaluatesthelevelofrisksassociatedwiththelawenforcementreprocessingofbiometricdatacollectedundertheGDPRandprovidessomerecommendations.

LawEnforcementReprocessingofGDPRBiometricDataIn the scenariounder review,personaldataofa specific type -biometricdata - initiallycollected under the GDPR are accessed and subsequently used for a law enforcementpurpose. Such a scenario lies at the intersection between the GDPR and the ‘police’Directive. The two instruments cover different fields, and some adjustments to theindividuals’ rights are necessary and justified in the context of law enforcementprocessing.97However,inthatcontextlikeintheGDPRcontext,98thepurposeofaDPIAistoassesstheimpactoftheprocessingonindividuals’rights.Itseems,therefore,legitimatetoinvestigateifandhowthefurtherprocessingofindividuals’biometricdataacrossfieldsimpact their rights (including their right to remedy). Should the mere reprocessing ofpersonaldataacrossinstrumentsnotjustify,onitsown,aDPIA?Orshouldotherelementsbe taken intoaccount toassess the levelof risk thatsuchprocessing is likely topose toindividuals?Buildingonthefindingsoftheprevioussections,thispartanalysesdifferentelements,whichcouldbeusedtoassessthenecessityofaDPIA.ItalsoofferssuggestionsonthecontentofsuchaDPIA.

90ICO(n56)91ICO(n56)see‘Step6:Howdoweidentifymitigatingmeasures?’92ibid.93ibid.94ibid.95art36(1)GDPRandart28(1)(a)Directive2016/680.96art36(3)(e)GDPRandart28(4)Directive2016/680.97Such as the need to not provide information about the data collected when a criminal investigation isongoing.98AsobservedbytheA29WPinA29WP,GuidelinesonDPIAs(n3)17,aDPIAis‘atoolformanagingriskstotherightsofdatasubjects,andthustakestheirperspective.’

148

Chapter 6

PreliminaryAssessmentThecriteriausedinthissectionarebasedonthosedevelopedbytheA29WPinthecontextof GDPRdata processing; on the analysismadeby theEuropeanData ProtectionBoard(EDPB) in its assessment of thedraft lists submittedbynationalDPAs in applicationofArticle 35(4) GDPR,99and on existing national data protection policies issued in thecontextoflawenforcement.100

ProcessingofBiometricData:High-RiskProcessing?Inbothinstruments,theprocessingofbiometricdataisnotclassified,perse,asprocessinglikely to result in a high risk to data subjects’ rights and freedoms. But under certainconditions, such processing could be considered as high risk. For instance, under theGDPR,theprocessingofbiometricdataconstitutesahighriskifthedataareclassifiedassensitive (i.e. if they are processed to uniquely identify an individual)101and if they areprocessedonalargescale.102InthecontextofGDPRprocessing,theEDPBconfirmedthisinterpretationinitsopinionsonthenationaldraftlistsofcasesrequiringaDPIA.103Ontheissue of biometric data processing, the Board clarified that the mere processing ofbiometric data is not sufficient to trigger a DPIA.104Instead, it considered that suchprocessing is subject to a DPIA under two conditions: being carried out to uniquelyidentifyan individual(i.e.beingsensitiveprocessing)andprocessedinconjunctionwithoneofthecriteriaidentifiedbytheA29WP.105Intheabsenceofspecificrulesapplicabletolawenforcementprocessing,MemberStatesandnationalDPAsarefreetodecidewhichprocessingoperationsfallwithinthecategoryof‘highrisk’processing.IntheUK,theICOhasforinstanceextendedthecasesidentifiedin the GDPR to law enforcement processing.106Concerning biometric data processing,someUKpolice authorities (e.g. theDyfed Powys Police for example) have issued their

99art35(4)GDPRprovidesthefollowing:‘Thesupervisoryauthorityshallestablishandmakepublicalistofthekindofprocessingoperationsforwhichare subject to the requirement for a data protection impact assessment pursuant to paragraph 1. ThesupervisoryauthorityshallcommunicatethoseliststotheBoardreferredtoinArticle68.’100Inparticular,DyfedPowysPolice(n65).101Accordingtoart9(1)GDPRandart10Directive2016/680,thepurposeofprocessing‘touniquelyidentifyanindividual.’102art35(3)(b)GDPRrequestingaDPIAfortheprocessingofsensitivedataonalargescale.103Under the consistency mechanism, the EDPB checks the consistent application of the GDPR rulesthroughouttheEU,seeart64(1)(a)GDPR.104ContrarytothepositionofnineDPAs(Croatia,France,Hungary, Ireland,Italy,Lithuania,Malta,Portugal,and the United Kingdom), see the Board’s Opinions on their respective draft lists<https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en>accessed30December2018.105See, for instance,EDPB, ‘Opinion22/2018onthedraft listof thecompetentsupervisoryauthorityof theUnitedKingdomregardingtheprocessingoperationssubjecttotherequirementofadataprotectionimpactassessment(Article35.4GDPR)’[2018],6<https://edpb.europa.eu/sites/edpb/files/files/file1/2018-09-25-opinion_2018_art._64_uk_dpia_list_en.pdf>accessed30December2018.106 eg ICO, ‘Data Protection Impact Assessments’ under the section ‘Law Enforcement Processing’<https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-law-enforcementprocessing/accountability-and-governance/data-protection-impact-assessments/> accessed 30 December2018.

DataProtectionImpactAssessmentPolicywheretheylisttheprocessingofbiometricdata-withoutfurthercondition-astriggeringaDPIA.107

TypesofLawEnforcementPurposesOne could argue that the level of risk in a law enforcement context should be assessedaccording to the type of law enforcement purposes. For instance, the reprocessing ofbiometric data originating from the private sector might constitute a ‘high risk' if it iscarried out for criminal surveillance purposes because the surveillance might beuntargetedorconductedintheabsenceofanyoffenceorsuspect.But,inthecontextofacriminalinvestigationthatwillidentifyaspecificoffenceandone(orseveral)suspect(s),suchaprocessingoperationmightnotbe‘highrisk'processinginitself.Thenotionof‘highrisk'needsthustobetiedtotheimpactthataspecificprocessingoperationwouldhaveonindividuals.Ifinthecontextofacriminalinvestigation,policeauthoritiesrequestaccesstoa privately–held biometric database, the requestwillmost likely be targeted to one (orseveral) individual(s). By contrast, if police authoritieswould like to constitute a facialrecognition database based on photographs held by socialmedia and plan to use it forcriminalsurveillancepurposes,108theimpactonindividualswillbehigher.

MatchingorCombiningDifferentDatasets109AccordingtotheA29WP,matchingorcombiningdatasetsisanothercriteriontotakeintoaccount to evaluate the levelof risk.110This criterion relates to theprincipleofpurposelimitation and to the expectation that individuals might have regarding the furtherprocessingof theirdata. Indeed,whenpersonaldatacollected foraspecificpurposearereprocessed foradifferentpurposeorbydifferentdata controllers, thenewprocessingoperation can entail risks to individuals' rights (in particular, individuals might not beinformedaboutthesecondaryuseoftheirpersonaldata).Nuancesshouldbeaddedas,inthecontextoflawenforcementprocessing, individualsdonothavethesamerightsasintheGDPR context.However, if their data havebeen extracted fromotherdatasets, theymightnotbeawareofthatprocessing.InthecaseofthereprocessingofGDPRdataforalawenforcementpurpose,thisfactorshouldalsobetiedtotheoriginorsourceofthedata.

DatanotObtainedDirectlyfromIndividualsThe source of the data is not a criterion identified by the A29WP. In its opinions onnationaldraftlists,theEDPBassessedthecriterionof ‘datacollectedviathirdparties’inthe context of Article 19 GDPR. The element is not sufficient on its own and should besupplemented by another criterion to trigger a DPIA. 111 In the scenario under

107DyfedPowysPolice(n65)8.108Assumingthatsuchadatabasewouldbelegal.109This criterion established by the A29WP in its Guidelines on DPIAs (n 3) can be found in the DataProtectionImpactAssessmentPolicyoftheDyfedPowysPolice(n65)8.110A29WP,GuidelinesonDPIAs(n3)10.111EDPB,‘Opinion5/2018onthedraftlistofthecompetentsupervisoryauthorityofGermanyregardingtheprocessingoperationssubjecttotherequirementofadataprotectionimpactassessment(Article35.4GDPR)[2018],7

149

6


PreliminaryAssessmentThecriteriausedinthissectionarebasedonthosedevelopedbytheA29WPinthecontextof GDPRdata processing; on the analysismadeby theEuropeanData ProtectionBoard(EDPB) in its assessment of thedraft lists submittedbynationalDPAs in applicationofArticle 35(4) GDPR,99and on existing national data protection policies issued in thecontextoflawenforcement.100

ProcessingofBiometricData:High-RiskProcessing?Inbothinstruments,theprocessingofbiometricdataisnotclassified,perse,asprocessinglikely to result in a high risk to data subjects’ rights and freedoms. But under certainconditions, such processing could be considered as high risk. For instance, under theGDPR,theprocessingofbiometricdataconstitutesahighriskifthedataareclassifiedassensitive (i.e. if they are processed to uniquely identify an individual)101and if they areprocessedonalargescale.102InthecontextofGDPRprocessing,theEDPBconfirmedthisinterpretationinitsopinionsonthenationaldraftlistsofcasesrequiringaDPIA.103Ontheissue of biometric data processing, the Board clarified that the mere processing ofbiometric data is not sufficient to trigger a DPIA.104Instead, it considered that suchprocessing is subject to a DPIA under two conditions: being carried out to uniquelyidentifyan individual(i.e.beingsensitiveprocessing)andprocessedinconjunctionwithoneofthecriteriaidentifiedbytheA29WP.105Intheabsenceofspecificrulesapplicabletolawenforcementprocessing,MemberStatesandnationalDPAsarefreetodecidewhichprocessingoperationsfallwithinthecategoryof‘highrisk’processing.IntheUK,theICOhasforinstanceextendedthecasesidentifiedin the GDPR to law enforcement processing.106Concerning biometric data processing,someUKpolice authorities (e.g. theDyfed Powys Police for example) have issued their

99art35(4)GDPRprovidesthefollowing:‘Thesupervisoryauthorityshallestablishandmakepublicalistofthekindofprocessingoperationsforwhichare subject to the requirement for a data protection impact assessment pursuant to paragraph 1. ThesupervisoryauthorityshallcommunicatethoseliststotheBoardreferredtoinArticle68.’100Inparticular,DyfedPowysPolice(n65).101Accordingtoart9(1)GDPRandart10Directive2016/680,thepurposeofprocessing‘touniquelyidentifyanindividual.’102art35(3)(b)GDPRrequestingaDPIAfortheprocessingofsensitivedataonalargescale.103Under the consistency mechanism, the EDPB checks the consistent application of the GDPR rulesthroughouttheEU,seeart64(1)(a)GDPR.104ContrarytothepositionofnineDPAs(Croatia,France,Hungary, Ireland,Italy,Lithuania,Malta,Portugal,and the United Kingdom), see the Board’s Opinions on their respective draft lists<https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en>accessed30December2018.105See, for instance,EDPB, ‘Opinion22/2018onthedraft listof thecompetentsupervisoryauthorityof theUnitedKingdomregardingtheprocessingoperationssubjecttotherequirementofadataprotectionimpactassessment(Article35.4GDPR)’[2018],6<https://edpb.europa.eu/sites/edpb/files/files/file1/2018-09-25-opinion_2018_art._64_uk_dpia_list_en.pdf>accessed30December2018.106 eg ICO, ‘Data Protection Impact Assessments’ under the section ‘Law Enforcement Processing’<https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-law-enforcementprocessing/accountability-and-governance/data-protection-impact-assessments/> accessed 30 December2018.

DataProtectionImpactAssessmentPolicywheretheylisttheprocessingofbiometricdata-withoutfurthercondition-astriggeringaDPIA.107

TypesofLawEnforcementPurposesOne could argue that the level of risk in a law enforcement context should be assessedaccording to the type of law enforcement purposes. For instance, the reprocessing ofbiometric data originating from the private sector might constitute a ‘high risk' if it iscarried out for criminal surveillance purposes because the surveillance might beuntargetedorconductedintheabsenceofanyoffenceorsuspect.But,inthecontextofacriminalinvestigationthatwillidentifyaspecificoffenceandone(orseveral)suspect(s),suchaprocessingoperationmightnotbe‘highrisk'processinginitself.Thenotionof‘highrisk'needsthustobetiedtotheimpactthataspecificprocessingoperationwouldhaveonindividuals.Ifinthecontextofacriminalinvestigation,policeauthoritiesrequestaccesstoa privately–held biometric database, the requestwillmost likely be targeted to one (orseveral) individual(s). By contrast, if police authoritieswould like to constitute a facialrecognition database based on photographs held by socialmedia and plan to use it forcriminalsurveillancepurposes,108theimpactonindividualswillbehigher.

MatchingorCombiningDifferentDatasets109AccordingtotheA29WP,matchingorcombiningdatasetsisanothercriteriontotakeintoaccount to evaluate the levelof risk.110This criterion relates to theprincipleofpurposelimitation and to the expectation that individuals might have regarding the furtherprocessingof theirdata. Indeed,whenpersonaldatacollected foraspecificpurposearereprocessed foradifferentpurposeorbydifferentdata controllers, thenewprocessingoperation can entail risks to individuals' rights (in particular, individuals might not beinformedaboutthesecondaryuseoftheirpersonaldata).Nuancesshouldbeaddedas,inthecontextoflawenforcementprocessing, individualsdonothavethesamerightsasintheGDPR context.However, if their data havebeen extracted fromotherdatasets, theymightnotbeawareofthatprocessing.InthecaseofthereprocessingofGDPRdataforalawenforcementpurpose,thisfactorshouldalsobetiedtotheoriginorsourceofthedata.

DatanotObtainedDirectlyfromIndividualsThe source of the data is not a criterion identified by the A29WP. In its opinions onnationaldraftlists,theEDPBassessedthecriterionof ‘datacollectedviathirdparties’inthe context of Article 19 GDPR. The element is not sufficient on its own and should besupplemented by another criterion to trigger a DPIA. 111 In the scenario under

107DyfedPowysPolice(n65)8.108Assumingthatsuchadatabasewouldbelegal.109This criterion established by the A29WP in its Guidelines on DPIAs (n 3) can be found in the DataProtectionImpactAssessmentPolicyoftheDyfedPowysPolice(n65)8.110A29WP,GuidelinesonDPIAs(n3)10.111EDPB,‘Opinion5/2018onthedraftlistofthecompetentsupervisoryauthorityofGermanyregardingtheprocessingoperationssubjecttotherequirementofadataprotectionimpactassessment(Article35.4GDPR)[2018],7

150

Chapter 6

considerationwhere personal data are reprocessed for a law enforcement purpose andaccessedthroughprivateparties,thiscriterionishighlyrelevant.

ExceptionstotheExerciseofIndividuals’RightsBesides,accordingtotheEDPB,exceptionstoindividuals’rights(inparticular,totherightto information) can constitute a factor to take into account together with anothercriterion.112Inthecontextoflawenforcementprocessing,datasubjects’rightsmightalsobesubjecttoexceptions.Theseexceptions,restrictingpartiallyorcompletelytheirrights,mightapplytotheinformationgiventothem,totheirrightofaccesstothedata,ortheirrightofrectificationorerasure.113ItissuggestedtoextendtheinterpretationgivenbytheEDPBtothecontextof lawenforcementprocessing.Asaconsequence,aDPIAshouldbeconducted and procedures put in place to deal with a situation where individuals aredeprived of their rightswhen their biometric data are reprocessed, for instance, in thecontextofacriminalinvestigation.

UseofNewTechnologiesFollowingArticle27(1)ofDirective2016/680,theuseofnewtechnologiesisalsoafactorto take into account to assesswhether a specificprocessingoperationmight result in ahigh risk. This criterion is further explained in the A29WP Guidelines on DPIAs, andspecificexamplesofsuchtechnologiesareprovidedintheICO’sGuideonDPIAs.Amongothers, techniques that involve machine learning or artificial intelligence to collect oranalyse personal data are considered as innovative technologies.114According to theEDPB, the use of new technologies is not sufficient in itself to constitute a high risk. Itneeds tobe inconjunctionwithanothercriterion tobeclassifiedas ‘likely toresult inahighrisk.’115Inthefieldoflawenforcement,onecouldthinkoftheuseofbigdataanalyticstoextractinformationabout(potential)suspects.116Theriskstoindividuals’rightscould

<https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-52018-germany-sas-dpia-list_en>accessed30December2018.112See for instanceEDPB, ‘Opinion16/2018on thedraft list of the competent supervisoryauthorityof theNetherlands regarding the processing operations subject to the requirement of a data protection impactassessment(Article35.4GDPR)’[2018],7wheretheEDPBstatesthat‘aprocessingactivityconductedbythecontrollerunderArticle14GDPRandwheretheinformationtobegiventothedatasubjectsissubjecttoanexemptionunderArticle14.5(b)-(d)couldrequireaDPIAtobecarriedoutonlyinconjunctionwithatleastoneothercriterion’<https://edpb.europa.eu/sites/edpb/files/files/file1/2018-09-25-opinion_2018_art._64_nl_sas_dpia_list_en.pdf>accessed30December2018.113Respectivelyart13(3),art15(1),andart16(4)Directive2016/680.114ICO,DataProtectionImpactAssessments(n56),‘Examplesofprocessinglikelytoresultinhighrisk’<https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/examples-of-processing-likely-to-result-in-high-risk/>accessed30December2018.115egEDPB,‘Opinion13/2018onthedraftlistofthecompetentsupervisoryauthorityofLithuaniaregardingtheprocessingoperations subject to the requirementsof adataprotection impact assessment (Article35.4GDPR)[2018],8<https://edpb.europa.eu/sites/edpb/files/files/file1/2018-09-25-opinion_2018_art._64_lt_sas_dpia_list_en.pdf>accessed30December2018.116Ontheuseofbigdataanalyticsbylawenforcementauthorities,see,forinstance,SarahBrinkhoff,‘BigDataDataMiningbytheDutchPolice:CriteriaforaFutureMethodofInvestigation’(2017)2(1)EuropeanJournalforSecurityResearch57.

137

be heightened when the data are mined from social media for criminal surveillancepurposes.Followingtheanalysismadeinthissubsection,thereprocessingofGDPRpersonaldatafora law enforcement purpose is not listed as a type of processing operations requiring aDPIA.However, itmeetsenoughcriteria to triggeraDPIA.For instance, it relates to theprocessingofsensitivedata,whichwerenotobtainedfromthedatasubject.Itmightalsocombinedatafromothersourcesandinvolvenewtechnologies.

ElementsoftheDPIADirective 2016/680 does not impose any methodology or form to conduct a DPIA.FollowingRecital58oftheDirective,aDPIAshould,however,containcertainfeaturesandbelimitedto‘relevantsystemsandprocessesofprocessingoperations.’117ThusaDPIAinthe context of law enforcement does not cover a single processing operation. It istherefore recommended that law enforcement authorities adopt procedures (or a dataprotectionpolicy)addressingthefurtherprocessingofpersonaldata(includingsensitivedata)heldbyprivatepartiesandcollectedundertheGDPR.Suchapolicyshouldrefertotheelementsoutlinedbelow.

DescriptionoftheProcessingAccordingtoArticle27(2)ofDirective2016/680,thedatacontrollershoulddescribethenature,scope,contextandpurposesoftheintendedprocessingoperations.Concerningthenature, thedata controller shouldmention the sourceof thedata (privateparties),howthe datawill be further used (for surveillance purposes or in the context of a criminalinvestigation),whowillhaveaccesstothedata(includingalimitednumberofindividualsallowed toaccess thedata),howthedatawillbesecured, forhow long thedatawillbekeptandwhethertheywillbecombinedwithotherdataorusedforadifferentpurpose.Thescopeoftheprocessingshouldmentionthenatureandsensitivityofthedata,whichare two critical factors. In the scenario under review, biometric data fall within thecategoryofsensitivedataiftheyareprocessedtouniquelyidentifyanindividualoriftheyreveal sensitive data.118The status of individuals concerned by the processing is alsoessential:whethertheyaresuspects,witnesses,victimsorthirdparties.Concerning the contextof the processing, one of the relevant factors is the control thatindividualscanexerciseontheirdata.Thesourceofthedataisalsohighlyrelevant.Concerningthepurposeoftheprocessing,thefurtherprocessingofthedataforacriminalinvestigationpurposewillnothavethesameimpactonindividuals’rightsandfreedomsasthesameprocessinginthecontextofcriminalsurveillance.Inthefirstcase,itwouldbe

117Recital58Directive2016/680.118art10Directive2016/680.

151

6


considerationwhere personal data are reprocessed for a law enforcement purpose andaccessedthroughprivateparties,thiscriterionishighlyrelevant.

ExceptionstotheExerciseofIndividuals’RightsBesides,accordingtotheEDPB,exceptionstoindividuals’rights(inparticular,totherightto information) can constitute a factor to take into account together with anothercriterion.112Inthecontextoflawenforcementprocessing,datasubjects’rightsmightalsobesubjecttoexceptions.Theseexceptions,restrictingpartiallyorcompletelytheirrights,mightapplytotheinformationgiventothem,totheirrightofaccesstothedata,ortheirrightofrectificationorerasure.113ItissuggestedtoextendtheinterpretationgivenbytheEDPBtothecontextof lawenforcementprocessing.Asaconsequence,aDPIAshouldbeconducted and procedures put in place to deal with a situation where individuals aredeprived of their rightswhen their biometric data are reprocessed, for instance, in thecontextofacriminalinvestigation.

UseofNewTechnologiesFollowingArticle27(1)ofDirective2016/680,theuseofnewtechnologiesisalsoafactorto take into account to assesswhether a specificprocessingoperationmight result in ahigh risk. This criterion is further explained in the A29WP Guidelines on DPIAs, andspecificexamplesofsuchtechnologiesareprovidedintheICO’sGuideonDPIAs.Amongothers, techniques that involve machine learning or artificial intelligence to collect oranalyse personal data are considered as innovative technologies.114According to theEDPB, the use of new technologies is not sufficient in itself to constitute a high risk. Itneeds tobe inconjunctionwithanothercriterion tobeclassifiedas ‘likely toresult inahighrisk.’115Inthefieldoflawenforcement,onecouldthinkoftheuseofbigdataanalyticstoextractinformationabout(potential)suspects.116Theriskstoindividuals’rightscould

<https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-52018-germany-sas-dpia-list_en>accessed30December2018.112See for instanceEDPB, ‘Opinion16/2018on thedraft list of the competent supervisoryauthorityof theNetherlands regarding the processing operations subject to the requirement of a data protection impactassessment(Article35.4GDPR)’[2018],7wheretheEDPBstatesthat‘aprocessingactivityconductedbythecontrollerunderArticle14GDPRandwheretheinformationtobegiventothedatasubjectsissubjecttoanexemptionunderArticle14.5(b)-(d)couldrequireaDPIAtobecarriedoutonlyinconjunctionwithatleastoneothercriterion’<https://edpb.europa.eu/sites/edpb/files/files/file1/2018-09-25-opinion_2018_art._64_nl_sas_dpia_list_en.pdf>accessed30December2018.113Respectivelyart13(3),art15(1),andart16(4)Directive2016/680.114ICO,DataProtectionImpactAssessments(n56),‘Examplesofprocessinglikelytoresultinhighrisk’<https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/examples-of-processing-likely-to-result-in-high-risk/>accessed30December2018.115egEDPB,‘Opinion13/2018onthedraftlistofthecompetentsupervisoryauthorityofLithuaniaregardingtheprocessingoperations subject to the requirementsof adataprotection impact assessment (Article35.4GDPR)[2018],8<https://edpb.europa.eu/sites/edpb/files/files/file1/2018-09-25-opinion_2018_art._64_lt_sas_dpia_list_en.pdf>accessed30December2018.116Ontheuseofbigdataanalyticsbylawenforcementauthorities,see,forinstance,SarahBrinkhoff,‘BigDataDataMiningbytheDutchPolice:CriteriaforaFutureMethodofInvestigation’(2017)2(1)EuropeanJournalforSecurityResearch57.

137

be heightened when the data are mined from social media for criminal surveillancepurposes.Followingtheanalysismadeinthissubsection,thereprocessingofGDPRpersonaldatafora law enforcement purpose is not listed as a type of processing operations requiring aDPIA.However, itmeetsenoughcriteria to triggeraDPIA.For instance, it relates to theprocessingofsensitivedata,whichwerenotobtainedfromthedatasubject.Itmightalsocombinedatafromothersourcesandinvolvenewtechnologies.

ElementsoftheDPIADirective 2016/680 does not impose any methodology or form to conduct a DPIA.FollowingRecital58oftheDirective,aDPIAshould,however,containcertainfeaturesandbelimitedto‘relevantsystemsandprocessesofprocessingoperations.’117ThusaDPIAinthe context of law enforcement does not cover a single processing operation. It istherefore recommended that law enforcement authorities adopt procedures (or a dataprotectionpolicy)addressingthefurtherprocessingofpersonaldata(includingsensitivedata)heldbyprivatepartiesandcollectedundertheGDPR.Suchapolicyshouldrefertotheelementsoutlinedbelow.

DescriptionoftheProcessingAccordingtoArticle27(2)ofDirective2016/680,thedatacontrollershoulddescribethenature,scope,contextandpurposesoftheintendedprocessingoperations.Concerningthenature, thedata controller shouldmention the sourceof thedata (privateparties),howthe datawill be further used (for surveillance purposes or in the context of a criminalinvestigation),whowillhaveaccesstothedata(includingalimitednumberofindividualsallowed toaccess thedata),howthedatawillbesecured, forhow long thedatawillbekeptandwhethertheywillbecombinedwithotherdataorusedforadifferentpurpose.Thescopeoftheprocessingshouldmentionthenatureandsensitivityofthedata,whichare two critical factors. In the scenario under review, biometric data fall within thecategoryofsensitivedataiftheyareprocessedtouniquelyidentifyanindividualoriftheyreveal sensitive data.118The status of individuals concerned by the processing is alsoessential:whethertheyaresuspects,witnesses,victimsorthirdparties.Concerning the contextof the processing, one of the relevant factors is the control thatindividualscanexerciseontheirdata.Thesourceofthedataisalsohighlyrelevant.Concerningthepurposeoftheprocessing,thefurtherprocessingofthedataforacriminalinvestigationpurposewillnothavethesameimpactonindividuals’rightsandfreedomsasthesameprocessinginthecontextofcriminalsurveillance.Inthefirstcase,itwouldbe

117Recital58Directive2016/680.118art10Directive2016/680.

152

Chapter 6

138

highly relevant to know the status of the individuals concerned by the processing(suspectsornot).Inthesecondcase,itwouldbeessentialtoknowwhetheranindividualis suspected or whether the surveillance is untargeted (with the risk of profilingindividuals).

RisksNo list of risks can be established as the assessment depends on the type of lawenforcement purpose as well as on the status of individuals involved (suspects, non-suspects,witnesses,victims).However,thefollowingriskscould,atleast,beidentified:therisksassociatedwiththecollectionanduseofthedata,aswellastherisksthatrelatetothesecurity,storageandretentionofthedata.Therisksrelatedtothereprocessingofpersonaldataoriginatingfromadifferentsourceare, for instance, the risks of unauthorised access, use or disclosure of the data (e.g. byunauthorisedstaff).Sincethedatawereinitiallycollectedforadifferentpurpose,thereisalsoariskofinaccuracyofthedata.Thereprocessingmightalsoentailriskslinkedtotheretention and storage of accessed data. Finally, if the data are reprocessed usinginnovative technologies (to mine social media for example), such reprocessing mightimpacttherighttoprivacy.

SafeguardsandSolutionsAn assessment of the necessity and proportionality of the processing should beperformed. For each risk identified, a solution should be proposed. In the case of thereprocessing of GDPR biometric data for a law enforcement purpose, the followingmeasurescouldbeconsidered:1)identifyingthelegalbasistorequestaccesstothedata(including the existence of a data-sharing agreement); 2) defining a clear scope ofprocessing (e.g. access to the data concerning a specific individual in the context of acriminalinvestigation);3)limitingtheprocessingtothedatastrictlynecessarytothelawenforcementpurpose identified;4)securingthedatacollected;5)definingtheperiodofretention(dependingaswellonthestatusoftheindividualsimpactedbytheprocessing);6)notlinkingthedatatoothercasesthatarenotcoveredbythepurposeofprocessing;7)describingcleardataprotectionprocedures to followbeforereprocessingsensitivedataoriginating from the private sector, and 8) drafting a procedure to inform individualsabouttheprocessingassoonassuchanotificationcannolongerprejudicethepurposeforwhichthedatawereprocessed.Onthis lastmeasure,oneshouldnotethediscussiononthe scope of the right to information as drafted in Directive 2016/680. It is uncertainwhetherArticle13oftheDirectiveobligesMemberStatestoimposeadutyofnotificationto data controllers who reprocess personal data collected for a different purpose(including a GDPR purpose). But nothing prevents law enforcement authorities fromadopting procedures to inform individuals about the (re)processing of their biometricdatainalawenforcementcontext.

AsrightlyobservedbytheICO,thelistofmitigatingmeasurescannotbeexhaustiveasitneeds to be adjusted to the specificities of the processing operations. However, datacontrollersshouldreviewtheirprocedures(tokeepthemuptodate)anddocumenttheprocessingoperations.119Last, but not least, the procedures put in place should also reflect data protection bydesignandbydefaultmeasures. Inparticular, thedescriptionofaDPIAshoulddescribethe technical solutions adopted regarding data retention, data minimisation and datastorage.Theproceduresadoptedtomanagetheriskstodatasubjects'rightsandfreedomsarealsopartofdataprotectionbydesign(andbydefault)measuresthatdatacontrollersmustimplement.

ConclusionsTheGDPR and the ‘police’ Directive have set out two essential accountability tools: theData Protection by Design and by Default obligations and the Data Protection ImpactAssessment measures. However, both instruments remain vague about theimplementationof these tools.Dataprotectionbydesignanddataprotectionbydefaultare overarching obligations encompassing procedural and technological solutions.FocusingontheproceduralaspectofDPbDandmorespecificallyontheimplementationoftheprincipleofpurposelimitation,thechaptersuggeststheadoptionofadataprotectionpolicytohandlethecaseofthereprocessingofpersonaldataacrossinstruments.As forDataProtection ImpactAssessment, it is conceivedas a complementary tool thatfollowsarisk-basedapproach.Itonlybecomesmandatorywheredataprocessingis‘likelyto result in a high risk’ to individuals’ rights and freedoms. ‘High risk’ is thus the keynotiontotriggeraDPIA.UndefinedinboththeGDPRandthe‘police’Directive,thenotionhasbeen clarifiedby theA29WPand severalnationalDPAs.However, their guidance isnotspecifictolawenforcementprocessinganddoesnottakeintoaccountthecaseofthereprocessing of personal data across fields. Building on the criteria established by theA29WP,whileacknowledgingthespecificitiesofthefieldoflawenforcement,thischaptersuggestsaninterpretationtoassesstherisksposedbythereprocessingofbiometricdatafor a law enforcement purpose. It argues that the further processing of sensitive datacollected under the GDPR meets enough criteria to conclude that a DPIA should beconducted.However,whatismissingistheacknowledgementthatsuchlawenforcementprocessingof sensitivedata collected foraGDPRpurpose triggerson itsownaDPIA.AclarificationonthisissuebytheEDPBwouldbewelcomeastheBoardhasthepowerto‘overseetheimplementationoftheDataProtectionLawEnforcement.’120

119SeeRecital56andart24Directive2016/680.120EDPB,‘Europe’snewdataprotectionrulesandtheEDPB:givingindividualsgreatercontrol’(pressrelease,25 May 2018) <https://edpb.europa.eu/news/news/2018/europes-new-data-protection-rules-and-edpb-giving-individuals-greater-control_en>accessed30December2018.

153

6


138

highly relevant to know the status of the individuals concerned by the processing(suspectsornot).Inthesecondcase,itwouldbeessentialtoknowwhetheranindividualis suspected or whether the surveillance is untargeted (with the risk of profilingindividuals).

RisksNo list of risks can be established as the assessment depends on the type of lawenforcement purpose as well as on the status of individuals involved (suspects, non-suspects,witnesses,victims).However,thefollowingriskscould,atleast,beidentified:therisksassociatedwiththecollectionanduseofthedata,aswellastherisksthatrelatetothesecurity,storageandretentionofthedata.Therisksrelatedtothereprocessingofpersonaldataoriginatingfromadifferentsourceare, for instance, the risks of unauthorised access, use or disclosure of the data (e.g. byunauthorisedstaff).Sincethedatawereinitiallycollectedforadifferentpurpose,thereisalsoariskofinaccuracyofthedata.Thereprocessingmightalsoentailriskslinkedtotheretention and storage of accessed data. Finally, if the data are reprocessed usinginnovative technologies (to mine social media for example), such reprocessing mightimpacttherighttoprivacy.

SafeguardsandSolutionsAn assessment of the necessity and proportionality of the processing should beperformed. For each risk identified, a solution should be proposed. In the case of thereprocessing of GDPR biometric data for a law enforcement purpose, the followingmeasurescouldbeconsidered:1)identifyingthelegalbasistorequestaccesstothedata(including the existence of a data-sharing agreement); 2) defining a clear scope ofprocessing (e.g. access to the data concerning a specific individual in the context of acriminalinvestigation);3)limitingtheprocessingtothedatastrictlynecessarytothelawenforcementpurpose identified;4)securingthedatacollected;5)definingtheperiodofretention(dependingaswellonthestatusoftheindividualsimpactedbytheprocessing);6)notlinkingthedatatoothercasesthatarenotcoveredbythepurposeofprocessing;7)describingcleardataprotectionprocedures to followbeforereprocessingsensitivedataoriginating from the private sector, and 8) drafting a procedure to inform individualsabouttheprocessingassoonassuchanotificationcannolongerprejudicethepurposeforwhichthedatawereprocessed.Onthis lastmeasure,oneshouldnotethediscussiononthe scope of the right to information as drafted in Directive 2016/680. It is uncertainwhetherArticle13oftheDirectiveobligesMemberStatestoimposeadutyofnotificationto data controllers who reprocess personal data collected for a different purpose(including a GDPR purpose). But nothing prevents law enforcement authorities fromadopting procedures to inform individuals about the (re)processing of their biometricdatainalawenforcementcontext.

AsrightlyobservedbytheICO,thelistofmitigatingmeasurescannotbeexhaustiveasitneeds to be adjusted to the specificities of the processing operations. However, datacontrollersshouldreviewtheirprocedures(tokeepthemuptodate)anddocumenttheprocessingoperations.119Last, but not least, the procedures put in place should also reflect data protection bydesignandbydefaultmeasures. Inparticular, thedescriptionofaDPIAshoulddescribethe technical solutions adopted regarding data retention, data minimisation and datastorage.Theproceduresadoptedtomanagetheriskstodatasubjects'rightsandfreedomsarealsopartofdataprotectionbydesign(andbydefault)measuresthatdatacontrollersmustimplement.

ConclusionsTheGDPR and the ‘police’ Directive have set out two essential accountability tools: theData Protection by Design and by Default obligations and the Data Protection ImpactAssessment measures. However, both instruments remain vague about theimplementationof these tools.Dataprotectionbydesignanddataprotectionbydefaultare overarching obligations encompassing procedural and technological solutions.FocusingontheproceduralaspectofDPbDandmorespecificallyontheimplementationoftheprincipleofpurposelimitation,thechaptersuggeststheadoptionofadataprotectionpolicytohandlethecaseofthereprocessingofpersonaldataacrossinstruments.As forDataProtection ImpactAssessment, it is conceivedas a complementary tool thatfollowsarisk-basedapproach.Itonlybecomesmandatorywheredataprocessingis‘likelyto result in a high risk’ to individuals’ rights and freedoms. ‘High risk’ is thus the keynotiontotriggeraDPIA.UndefinedinboththeGDPRandthe‘police’Directive,thenotionhasbeen clarifiedby theA29WPand severalnationalDPAs.However, their guidance isnotspecifictolawenforcementprocessinganddoesnottakeintoaccountthecaseofthereprocessing of personal data across fields. Building on the criteria established by theA29WP,whileacknowledgingthespecificitiesofthefieldoflawenforcement,thischaptersuggestsaninterpretationtoassesstherisksposedbythereprocessingofbiometricdatafor a law enforcement purpose. It argues that the further processing of sensitive datacollected under the GDPR meets enough criteria to conclude that a DPIA should beconducted.However,whatismissingistheacknowledgementthatsuchlawenforcementprocessingof sensitivedata collected foraGDPRpurpose triggerson itsownaDPIA.AclarificationonthisissuebytheEDPBwouldbewelcomeastheBoardhasthepowerto‘overseetheimplementationoftheDataProtectionLawEnforcement.’120

119SeeRecital56andart24Directive2016/680.120EDPB,‘Europe’snewdataprotectionrulesandtheEDPB:givingindividualsgreatercontrol’(pressrelease,25 May 2018) <https://edpb.europa.eu/news/news/2018/europes-new-data-protection-rules-and-edpb-giving-individuals-greater-control_en>accessed30December2018.

Chapter 7Conclusions and Suggestions for Future Research

156

Chapter7:ConclusionsandSuggestionsforFutureResearchTheresearchaimedtoestablishwhetherthenewEUdataprotectionframeworkprovidesadequate safeguards to individuals,whosebiometricdata collectedunder theGDPRarereprocessed foroneof the ‘police’Directivepurposes.Toanswer theresearchquestion,the study investigated three issues. It first analysed the legal regime applicable to thenotion of biometric data introduced as a category of personal data in the new legalframework. It also deconstructed the concept from a technological perspective tounderstandtheimpactofthestatutorydefinitiononthetechnicalprocessingofbiometricdata.TheresearchthenanalysedtheinterfacebetweentheGDPRandthe‘police’Directivetodeterminetheexistenceofsafeguards.Bydoingso,itdiscussedtheroleoftheprincipleofpurposelimitationandassessedthesafeguardsprovidedbythe‘police’Directive(suchas the right to information) based on the ECJ case law on data retention. Finally, in anattempttoproviderecommendations,theresearchanalysednewtoolsintroducedintheEU data protection framework, namely the Data Protection Impact Assessment and theData Protection by Design and Default principles. In the search for the individuals’safeguards, the study has uncovered important findings and reached significantconclusions.First, theunsettledmeaningofbiometricdata fromadataprotectionperspectivecreateslegaluncertainty.Whatseemedtobeaterminologicaldiscussiononthenotionof ‘biometricdata’ at the startof the studybecamea crucialdebateon the scopeof thenotion as the research progressed. As explained in Chapter2, ‘biometric data’ was notlegallydefinedintheEUdataprotectionlandscapeuntilitsintroductioninthenewlegalframework.However, asanalysed inChapter3, the statutorydefinition is impreciseanddisconnected from its scientific meaning. It is indeed difficult to grasp what the legalnotion encompasses. The definition does not accurately refer to the verification andidentification modalities for which biometric data are processed to perform biometricrecognition. It refers instead to the enigmatic phrases of ‘allowing the uniqueidentification’and‘confirmingtheuniqueidentification.’More confusion is brought by Recital 51 GDPR, which is supposed to clarify whenphotographs are covered by the definition of biometric data. The recital refers to theirtechnical processing that ‘allows unique identification’ or ‘authentication’. Used inopposition to ‘authentication’,1unique identification is understood as referring to theidentification modality. However, this reading is not consistent with the definition of1Authentication and verification are commonly used as synonyms, even if the biometric communityrecommends that the term ‘verification’ be used exclusively; see ISO/IEC Standard 2382-37 on theharmonisationofbiometricvocabulary,term37.01.03,note6.

biometricdatainArticle4(14)GDPRwherethemodalitiesaredescribedas‘allowingtheuniqueidentification’and‘confirmingtheuniqueidentification.’Todate,theliteratureonthisissueisscarcebutshowsthediscrepancyexistingbetweenthearticleandtherecital.2In the law enforcement context, there is not such a discussion since Recital 51 has noequivalentinthe‘police’Directive.ThenotionofbiometricdatadescribedinArticle3(14)oftheDirective iswordedinthesametermsasArticle4(14)GDPR.Thatbeingsaid, the‘police’Directivedoesnotofferanyclueonthemeaningofuniqueidentification.This dissertation takes the view that unique identification does not refer to a specificrecognitionmodality. It should, instead, be understood as a threshold of ‘identification’fromadataprotectionperspective.Identifyinganindividualinadataprotectioncontextdoesnotmeanestablishinghis orher civil identity. Itmeans singlingout an individual,distinguishing him or her from a group of people.3As for the meaning of uniqueidentification, this research has built on the interpretation used in the doctrine of thenotion of ‘personal data’ under the Data Protection Directive of 1995. In particular,Kostchyhasinterpreteduniqueidentificationasbeingthe‘highestdegreeofidentification’thatcouldbeachievedthroughuniquefeatures,suchasbiometricdata.4Inthatcase,theidentificationis‘unique’becausethecharacteristicsthatareusedtoidentifysomeone(i.e.to single out) are deemed unique to that individual.5Following this interpretation,identification based on biometric data is ‘unique’ whether the data are processed forbiometricidentificationorverificationpurposes.Inbothcases,theindividualissingledoutthankstohisorherbiometricdata.It iscrucial todetermine themeaningofuniqueidentification since it isalsousedas thecriterion for classifying biometric data into the category of sensitive data. FollowingArticle9(1)GDPRandArticle10ofthe‘police’Directive,onlythebiometricdatathatareprocessedto‘uniquelyidentify’anindividualaresensitivedata.6Itisthereforenecessaryto know whether biometric data processed for both identification and verificationpurposesfallwithinthatcategory.Therulesapplicabletotheprocessingofsensitivedataareindeedmorestringentthantherulesapplicabletotheprocessingofordinarypersonaldata.Thebiometriccommunityandthemanycompaniesthatofferbiometricsolutionsforverificationpurposesneedtoknowwhethertheseoperationsaresensitiveornot.Inthisdissertation,ithasbeenarguedthatbiometricdataprocessedforbothtypesofpurposes

2See Catherine Jasserand, ‘Legal Nature of Biometric Data: from ‘Generic’ Personal Data to Sensitive Data’(2016)2(3)EDPL (seeChapter3 of thedissertation) andElsKindt, ‘HavingYes,UsingNo?About theNewLegalRegimeforBiometricData’(2018)3(2)ComputerLaw&SecurityReview433.3AsdefinedinA29WP,‘Opinion4/2007ontheconceptofpersonaldata’WP136[2007]13.4WaltrautKotschy,‘Article2,Directive95/46/EC’inAlfredBüllesbach,SergeGijrath,YvesPoulletandCorienPrins(eds),ConciseofEuropeanITlaw(2ndedn,KluwerLawInternational2010),35;seealsoanalysisbytheA29WPinA29WP,Opinion4/2007(n3)8-9.5One could dispute the alleged ‘uniqueness’ of biometric characteristics and refer instead to theirdistinctiveness,asdiscussedinChapter2.6Biometric data that reveal sensitive information (such as political opinions, religious beliefs, or healthconditions)couldstillbeconsideredsensitivedatabutnotbecausetheyarebiometricdata.

157

7

Conclusions and Suggestions for Future Research

Chapter7:ConclusionsandSuggestionsforFutureResearchTheresearchaimedtoestablishwhetherthenewEUdataprotectionframeworkprovidesadequate safeguards to individuals,whosebiometricdata collectedunder theGDPRarereprocessed foroneof the ‘police’Directivepurposes.Toanswer theresearchquestion,the study investigated three issues. It first analysed the legal regime applicable to thenotion of biometric data introduced as a category of personal data in the new legalframework. It also deconstructed the concept from a technological perspective tounderstandtheimpactofthestatutorydefinitiononthetechnicalprocessingofbiometricdata.TheresearchthenanalysedtheinterfacebetweentheGDPRandthe‘police’Directivetodeterminetheexistenceofsafeguards.Bydoingso,itdiscussedtheroleoftheprincipleofpurposelimitationandassessedthesafeguardsprovidedbythe‘police’Directive(suchas the right to information) based on the ECJ case law on data retention. Finally, in anattempttoproviderecommendations,theresearchanalysednewtoolsintroducedintheEU data protection framework, namely the Data Protection Impact Assessment and theData Protection by Design and Default principles. In the search for the individuals’safeguards, the study has uncovered important findings and reached significantconclusions.First, theunsettledmeaningofbiometricdata fromadataprotectionperspectivecreateslegaluncertainty.Whatseemedtobeaterminologicaldiscussiononthenotionof ‘biometricdata’ at the startof the studybecamea crucialdebateon the scopeof thenotion as the research progressed. As explained in Chapter2, ‘biometric data’ was notlegallydefinedintheEUdataprotectionlandscapeuntilitsintroductioninthenewlegalframework.However, asanalysed inChapter3, the statutorydefinition is impreciseanddisconnected from its scientific meaning. It is indeed difficult to grasp what the legalnotion encompasses. The definition does not accurately refer to the verification andidentification modalities for which biometric data are processed to perform biometricrecognition. It refers instead to the enigmatic phrases of ‘allowing the uniqueidentification’and‘confirmingtheuniqueidentification.’More confusion is brought by Recital 51 GDPR, which is supposed to clarify whenphotographs are covered by the definition of biometric data. The recital refers to theirtechnical processing that ‘allows unique identification’ or ‘authentication’. Used inopposition to ‘authentication’,1unique identification is understood as referring to theidentification modality. However, this reading is not consistent with the definition of1Authentication and verification are commonly used as synonyms, even if the biometric communityrecommends that the term ‘verification’ be used exclusively; see ISO/IEC Standard 2382-37 on theharmonisationofbiometricvocabulary,term37.01.03,note6.

biometricdatainArticle4(14)GDPRwherethemodalitiesaredescribedas‘allowingtheuniqueidentification’and‘confirmingtheuniqueidentification.’Todate,theliteratureonthisissueisscarcebutshowsthediscrepancyexistingbetweenthearticleandtherecital.2In the law enforcement context, there is not such a discussion since Recital 51 has noequivalentinthe‘police’Directive.ThenotionofbiometricdatadescribedinArticle3(14)oftheDirective iswordedinthesametermsasArticle4(14)GDPR.Thatbeingsaid, the‘police’Directivedoesnotofferanyclueonthemeaningofuniqueidentification.This dissertation takes the view that unique identification does not refer to a specificrecognitionmodality. It should, instead, be understood as a threshold of ‘identification’fromadataprotectionperspective.Identifyinganindividualinadataprotectioncontextdoesnotmeanestablishinghis orher civil identity. Itmeans singlingout an individual,distinguishing him or her from a group of people.3As for the meaning of uniqueidentification, this research has built on the interpretation used in the doctrine of thenotion of ‘personal data’ under the Data Protection Directive of 1995. In particular,Kostchyhasinterpreteduniqueidentificationasbeingthe‘highestdegreeofidentification’thatcouldbeachievedthroughuniquefeatures,suchasbiometricdata.4Inthatcase,theidentificationis‘unique’becausethecharacteristicsthatareusedtoidentifysomeone(i.e.to single out) are deemed unique to that individual.5Following this interpretation,identification based on biometric data is ‘unique’ whether the data are processed forbiometricidentificationorverificationpurposes.Inbothcases,theindividualissingledoutthankstohisorherbiometricdata.It iscrucial todetermine themeaningofuniqueidentification since it isalsousedas thecriterion for classifying biometric data into the category of sensitive data. FollowingArticle9(1)GDPRandArticle10ofthe‘police’Directive,onlythebiometricdatathatareprocessedto‘uniquelyidentify’anindividualaresensitivedata.6Itisthereforenecessaryto know whether biometric data processed for both identification and verificationpurposesfallwithinthatcategory.Therulesapplicabletotheprocessingofsensitivedataareindeedmorestringentthantherulesapplicabletotheprocessingofordinarypersonaldata.Thebiometriccommunityandthemanycompaniesthatofferbiometricsolutionsforverificationpurposesneedtoknowwhethertheseoperationsaresensitiveornot.Inthisdissertation,ithasbeenarguedthatbiometricdataprocessedforbothtypesofpurposes

2See Catherine Jasserand, ‘Legal Nature of Biometric Data: from ‘Generic’ Personal Data to Sensitive Data’(2016)2(3)EDPL (seeChapter3 of thedissertation) andElsKindt, ‘HavingYes,UsingNo?About theNewLegalRegimeforBiometricData’(2018)3(2)ComputerLaw&SecurityReview433.3AsdefinedinA29WP,‘Opinion4/2007ontheconceptofpersonaldata’WP136[2007]13.4WaltrautKotschy,‘Article2,Directive95/46/EC’inAlfredBüllesbach,SergeGijrath,YvesPoulletandCorienPrins(eds),ConciseofEuropeanITlaw(2ndedn,KluwerLawInternational2010),35;seealsoanalysisbytheA29WPinA29WP,Opinion4/2007(n3)8-9.5One could dispute the alleged ‘uniqueness’ of biometric characteristics and refer instead to theirdistinctiveness,asdiscussedinChapter2.6Biometric data that reveal sensitive information (such as political opinions, religious beliefs, or healthconditions)couldstillbeconsideredsensitivedatabutnotbecausetheyarebiometricdata.

158

Chapter 7

aresensitivedata.However,intheabsenceofabindingdecisionorinterpretationonthatdefinition,theuncertaintyforusers,datacontrollersanddatasubjectsremains.Finally,onecouldregretthatthestatutorydefinitionwasnotcraftedincollaborationwiththebiometriccommunity.Thedefinitioncouldhavereferredto thewordingused in thetechnical definitions instead of using ambiguous terms.7In other countries, such asAustralia,thenationallawondataprivacymakesanexplicitreferencetotheidentificationandverificationpurposesforwhichbiometricdataareused.Forinstance,thedefinitionofsensitive information includes ‘biometric information that is used for the purpose ofautomated verification or biometric identification.’8Such a clarification would haveavoidedspeculationonthetypesofbiometricdatathatfallintothecategoryofsensitivedata.Intheend,ifitistruethatthelegislationshouldremaintechnology-neutral,itshouldhowevernotregulatetechnologicalfieldswithoutunderstandingtheimpactthattheruleswillhaveonthesefields.Second, the analysis of the interface between the GDPR and the ‘police’ Directiveshowsno specific roleplayedby theprincipleofpurpose limitation in a scenariowherepersonaldataare first collectedunder theGDPRand furtherprocessedbylawenforcementauthoritiesforoneofthepurposesofthe‘police’Directive.Beforethe adoption of the ‘police’ Directive, the framework applicable to the processing ofpersonaldataforlawenforcementpurposeswasfragmented.Thecross-borderprocessingof personal data was regulated by the Council Framework Decision 2008/977/JHA,whereas the processing of personal data at domestic levelwas left to the discretion ofMember States who could follow the non-binding Recommendation R(87)15 of theCouncilofEuropeontheuseofpersonaldatainthepolicesector.9Withtheadoptionofthe‘police’Directive,thesamerulesapplytothedomesticandcross-border data processing operations for law enforcement purposes. However, theprocessing operations of personal data for law enforcement and non-law enforcementpurposes remain split between the ‘police’ Directive and the GDPR. This split of rulesjustifiedassessingtheimpactthatapossiblediscrepancybetweentheinstrumentscouldhave on the protection granted to individuals. It was also assumed that theimplementationofthe‘police’Directiveintonationallawcouldfurtherincreasetheriskofdiscrepancy among Member States. The interface between the GDPR and the ‘police’Directive became thus an essential issue of the study, raising the question of the role

7Using for instance, the definition provided in the ISO/IEC Standard 2382-37 on the Harmonisation ofBiometricVocabulary,assuggestedinChapter2ofthedissertation.8AustralianGovernment-FederalRegisterofLegislation,PrivacyAct1998,Section6(1)<https://www.legislation.gov.au/Details/C2014C00076>accessed30November2018.9Despite its non-binding nature, the Recommendation has been used as a ‘data protection standard’ indifferent instruments including the Europol Regulation (Regulation 2016/674); on this issue see MireilleCaruana, ‘The Reform of the EU Data Protection Framework in the Context of Police and Criminal JusticeSector:Harmonisation,Scope,OversightandEnforcement’(2017)InternationalReviewofLaw,Computers&Technology1,3.

playedby the principle of purpose limitation in the scenario of law enforcement use ofbiometricdatacollectedbyprivateparties.As established in Chapter 4 and Chapter 5, both instruments delimit their applicationthroughthereferencetoeachother’sscopeanddefinetherulesapplicabletothefurtherprocessing. The GDPR establishes the rules for the further processing of personal datacollectedforaGDPRpurpose,whilethe‘police’Directiveprovidestherulesapplicabletopersonaldatacollectedand furtherprocessed fora lawenforcementpurpose.However,uncertaintyremainsconcerning therulesapplicable toprocessingoperationsacross thetwoinstruments.Moreover, thequestioniswhetherthesubsequentuseofGDPRdata isan initial processing operation or a further processing operation under the ‘police’Directive. In this specific scenario introduced in Chapter4and thoroughly analysed inChapter5,theprincipleofpurposelimitationseemstohavebeenforgotten.The absence of a clear role for the principle of purpose limitation is problematic for atleast tworeasons.First, theprinciple ispartof the fundamentalright todataprotectionenshrined in Article 8 of the Charter. As such, it should constitute a guarantee for theprotectionofindividuals’personaldata.Second,itspurposeistoframetheconditionsforsubsequentprocessingofpersonaldata.Derogationsandexceptions to theprinciplearepossible; however, the processing needs to comply with specific conditions (eitherindividual’s consent or a legal obligation to safeguard compelling interests under theGDPR,oralegalbasiscombinedwiththeprinciplesofproportionalityandnecessityunderthe ‘police’Directive).10AsresultingfromthedetailedanalysisofChapter5, thescenariohasnotbeenclearlyestablished,nor clarified inany recital. It evenseems that thecasewaspurposelyavoided,11leavingMemberStatesfreetodecidehowtheywouldconsiderthereprocessingofGDPRpersonaldataunder the ‘police’Directiverules.Thissituationrevealsagapbetweenthetwoinstrumentsandhighlightsthedifficultyraisedbythesplitofrulesbetweentwodistinctinstruments.Asamatterofcomparison,thepracticalguideonthepoliceuseofpersonaldata,issuedbytheCouncilofEuropeConsultativeCommitteeofConvention108,providesguidanceonasimilar scenario.12Theguidecontainsaspecific sectionon theaccess toanduseofdataheldbyprivateparties. It identifies two caseswherepolice authoritiesmayaccessdatacollected foradifferentpurpose: in relation to ‘anon-going investigation’or ‘to identifythematic trends in relation toa certain typeof crime.’Theguidealsomakesanexpressreferencetotheprincipleofpurposelimitationwhenitclarifiesthatsuchaccessanduse

10art6(4)GDPRandart4(2)Directive2016/680,respectively.11SeethediscussionsinChapter5ofthedissertation,underSectionIIIentitled‘RegimeofPurposeLimitationunderDirective2016/680’.12CouncilofEurope,ConsultativeCommitteeofConvention108,‘PracticalGuideontheuseofpersonaldatainthepolicesector’,T-PD(2018)01[2018].

159

7


aresensitivedata.However,intheabsenceofabindingdecisionorinterpretationonthatdefinition,theuncertaintyforusers,datacontrollersanddatasubjectsremains.Finally,onecouldregretthatthestatutorydefinitionwasnotcraftedincollaborationwiththebiometriccommunity.Thedefinitioncouldhavereferredto thewordingused in thetechnical definitions instead of using ambiguous terms.7In other countries, such asAustralia,thenationallawondataprivacymakesanexplicitreferencetotheidentificationandverificationpurposesforwhichbiometricdataareused.Forinstance,thedefinitionofsensitive information includes ‘biometric information that is used for the purpose ofautomated verification or biometric identification.’8Such a clarification would haveavoidedspeculationonthetypesofbiometricdatathatfallintothecategoryofsensitivedata.Intheend,ifitistruethatthelegislationshouldremaintechnology-neutral,itshouldhowevernotregulatetechnologicalfieldswithoutunderstandingtheimpactthattheruleswillhaveonthesefields.Second, the analysis of the interface between the GDPR and the ‘police’ Directiveshowsno specific roleplayedby theprincipleofpurpose limitation in a scenariowherepersonaldataare first collectedunder theGDPRand furtherprocessedbylawenforcementauthoritiesforoneofthepurposesofthe‘police’Directive.Beforethe adoption of the ‘police’ Directive, the framework applicable to the processing ofpersonaldataforlawenforcementpurposeswasfragmented.Thecross-borderprocessingof personal data was regulated by the Council Framework Decision 2008/977/JHA,whereas the processing of personal data at domestic levelwas left to the discretion ofMember States who could follow the non-binding Recommendation R(87)15 of theCouncilofEuropeontheuseofpersonaldatainthepolicesector.9Withtheadoptionofthe‘police’Directive,thesamerulesapplytothedomesticandcross-border data processing operations for law enforcement purposes. However, theprocessing operations of personal data for law enforcement and non-law enforcementpurposes remain split between the ‘police’ Directive and the GDPR. This split of rulesjustifiedassessingtheimpactthatapossiblediscrepancybetweentheinstrumentscouldhave on the protection granted to individuals. It was also assumed that theimplementationofthe‘police’Directiveintonationallawcouldfurtherincreasetheriskofdiscrepancy among Member States. The interface between the GDPR and the ‘police’Directive became thus an essential issue of the study, raising the question of the role

7Using for instance, the definition provided in the ISO/IEC Standard 2382-37 on the Harmonisation ofBiometricVocabulary,assuggestedinChapter2ofthedissertation.8AustralianGovernment-FederalRegisterofLegislation,PrivacyAct1998,Section6(1)<https://www.legislation.gov.au/Details/C2014C00076>accessed30November2018.9Despite its non-binding nature, the Recommendation has been used as a ‘data protection standard’ indifferent instruments including the Europol Regulation (Regulation 2016/674); on this issue see MireilleCaruana, ‘The Reform of the EU Data Protection Framework in the Context of Police and Criminal JusticeSector:Harmonisation,Scope,OversightandEnforcement’(2017)InternationalReviewofLaw,Computers&Technology1,3.

playedby the principle of purpose limitation in the scenario of law enforcement use ofbiometricdatacollectedbyprivateparties.As established in Chapter 4 and Chapter 5, both instruments delimit their applicationthroughthereferencetoeachother’sscopeanddefinetherulesapplicabletothefurtherprocessing. The GDPR establishes the rules for the further processing of personal datacollectedforaGDPRpurpose,whilethe‘police’Directiveprovidestherulesapplicabletopersonaldatacollectedand furtherprocessed fora lawenforcementpurpose.However,uncertaintyremainsconcerning therulesapplicable toprocessingoperationsacross thetwoinstruments.Moreover, thequestioniswhetherthesubsequentuseofGDPRdata isan initial processing operation or a further processing operation under the ‘police’Directive. In this specific scenario introduced in Chapter4and thoroughly analysed inChapter5,theprincipleofpurposelimitationseemstohavebeenforgotten.The absence of a clear role for the principle of purpose limitation is problematic for atleast tworeasons.First, theprinciple ispartof the fundamentalright todataprotectionenshrined in Article 8 of the Charter. As such, it should constitute a guarantee for theprotectionofindividuals’personaldata.Second,itspurposeistoframetheconditionsforsubsequentprocessingofpersonaldata.Derogationsandexceptions to theprinciplearepossible; however, the processing needs to comply with specific conditions (eitherindividual’s consent or a legal obligation to safeguard compelling interests under theGDPR,oralegalbasiscombinedwiththeprinciplesofproportionalityandnecessityunderthe ‘police’Directive).10AsresultingfromthedetailedanalysisofChapter5, thescenariohasnotbeenclearlyestablished,nor clarified inany recital. It evenseems that thecasewaspurposelyavoided,11leavingMemberStatesfreetodecidehowtheywouldconsiderthereprocessingofGDPRpersonaldataunder the ‘police’Directiverules.Thissituationrevealsagapbetweenthetwoinstrumentsandhighlightsthedifficultyraisedbythesplitofrulesbetweentwodistinctinstruments.Asamatterofcomparison,thepracticalguideonthepoliceuseofpersonaldata,issuedbytheCouncilofEuropeConsultativeCommitteeofConvention108,providesguidanceonasimilar scenario.12Theguidecontainsaspecific sectionon theaccess toanduseofdataheldbyprivateparties. It identifies two caseswherepolice authoritiesmayaccessdatacollected foradifferentpurpose: in relation to ‘anon-going investigation’or ‘to identifythematic trends in relation toa certain typeof crime.’Theguidealsomakesanexpressreferencetotheprincipleofpurposelimitationwhenitclarifiesthatsuchaccessanduse

10art6(4)GDPRandart4(2)Directive2016/680,respectively.11SeethediscussionsinChapter5ofthedissertation,underSectionIIIentitled‘RegimeofPurposeLimitationunderDirective2016/680’.12CouncilofEurope,ConsultativeCommitteeofConvention108,‘PracticalGuideontheuseofpersonaldatainthepolicesector’,T-PD(2018)01[2018].

160

Chapter 7

needtobe‘authorisedorbeunderpinnedbyalegalobligationtocomplywiththepurposelimitationprinciple.’13AsconcludedinChapter5,theabsenceofclearrulesonfurtherprocessingacrossthetwoinstrumentsdoesnotavoid‘creatingproblems.’14ItonlyoffloadstheissueontoMemberStates,leadingpotentiallytoagreaterdiscrepancy.Third,thetestingofthe‘police’DirectiveprovisionsagainsttheECJ’sbenchmarkondata retention has revealed shortcomings of the Directive (in particular, in theformulation of the right to information). To assess whether the provisions of the‘police’ Directive provide adequate safeguards to individuals whose personal data areaccessedforre-usebylawenforcementauthorities,thestudysearchedforabenchmarktotest these provisions. The Court of Justice has not yet delivered any judgment on anidenticalscenariobutithasontheclosescenarioofdataretention,wherepersonaldatacollectedbyprivatepartiesarekeptfollowingalegalobligationtoallowlawenforcementauthoritiestoaccessandre-usethedata.15Thedifferencebetweenthetwoscenariosthuslies in the obligation to retain the data. As the ECJ clearly distinguished the issue ofretentionfromthatofaccessandre-useinitscaselaw,theresearchanalysedtheCourt’sfindingsonthissecondaspect.Keepinginmindthesedifferences,Chapter4testedtheprovisionsofthe‘police’DirectiveagainstthestandardsofDigitalRightsIrelandandTele2Sverige.Buildingontheopinionsof the European Parliament and the European Commission,16it was argued that thefindingsofthecaselawshouldapplybeyondthefieldofdataretention,andinparticularto cases where personal data held by private parties are accessed and used by lawenforcementauthorities.Theanalysisfurtherrevealedthatthe‘police’Directivemightfallshortonseveralaccounts.Inparticular,theDirectivedoesnotprovideobjectivecriteriatodefinetheconditionsunderwhich lawenforcementauthoritiescouldaccessandfurtherusepersonaldatageneratedbyprivatepartiesforadifferentpurpose.Besides,itlacksaspecific procedural rule on the prior review of a request for access,17and the right toinformation in Article 13 of the Directive is not expressly formulated as a right ofnotification.Onthis last issue, theCourtheld in itscase lawthat individualswhosedata

13ibid14.14InreferencetotheEuropeanCommission’spositionduringthenegotiationsofthedraftpoliceDirectiveattheCouncillevel,wheretheCommissionjustifiedtheabsenceofspecificrulesinthedraftDirectivebasedonthefactthat“thefurtherprocessingacrossthetwolegalinstrumentswouldcreateproblems”,seeChapter5,footnote49.15See Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and others [2014]ECLI:EU:C:2014:238, and JoinedCasesC-203/15andC-698/15,Tele2SverigeABvPost-ochtelestyrelsen andSecretaryofStatefortheHomeDepartmentvTomWatsonandothers[2016]ECLI:EU:C:2016:970.16See Chapter 4, Section III entitled ‘Existence of Substantive and Procedural’ Safeguards in Directive2016/680?’17Onthislatteritcouldbearguedthatnoteveryreprocessingoperationforalawenforcementpurposewouldrequire prior review, but only the ones that have serious consequences on individuals, such as situationswherethereisnooffenceorsuspect(egincasesofcriminalsurveillance).

145

havebeenaccessedbylawenforcementauthoritiesshouldbenotifiedatagivenpointintime, i.e. at least at a time when the investigation can no longer be prejudiced.18Thenotification triggers their right to remedy as well as other rights (such as the right ofaccess,andrectification).YettheDirectivedoesnotobligeMemberStatestointroduceintheir national law an obligation to notify the processing, and a fortiori, the furtherprocessingofthedata.TherighttoinformationisformulatedinArticle13(1)oftheDirectiveasarightto‘makeavailable information’ to individuals, which raises the question of whether individualsneed to have prior knowledge about the processing operation to exercise their right toinformationandtheotherrightsderivingfromit.ThisobligationiscompletedbyArticle13(2)thatstipulatesthatMemberStatesshouldimposeondatacontrollersanobligationto ‘provide…inspecificcases…furtherinformation’toenableindividualstoexercisetheirrights. These cases –which do not seem to be entirely defined – include the situationwheredatahavebeencollectedwithouttheknowledgeofindividuals.19Forsomeauthors,this provision is the evidence that the obligation of notification is included in theDirective.20However,nowhereinthe‘police’Directiveisthereanyexpressmentionoftheobligationtonotifyindividuals,norofatimewhenthenotificationshouldbemade.Intheend, basedon this ill-definedprovision,Member States arenot compelled to impose anobligationofnotificationtothelawenforcementauthorities.The obligation of notification derives from the judgment in Tele2 Sverige, which washandeddownafter the adoptionof the ‘police’Directive.Hence, theDirective couldnothave reflected this finding in its provisions. However, the ECtHR set up earlier theobligationofnotificationinitscaselawontheinterpretationofArticle8ECHRincriminalsurveillance cases.21As such, theobligation shouldhavebeen reflected– and in specificterms–inthe‘police’Directive.TheresearchsuggeststhattherighttoinformationshouldbeinterpretedinlightoftheECJandECtHRcaselawtoallowindividualstobeinformedandexercisetheirrights.Last, a distinction should be made between the obligation of transparency and theobligationofnotification.Beingtransparentaboutthewaypersonaldataareprocessedingeneral is different from informing an individual about a specific processing operation.The ‘police’Directivementionsinarecitalthatprocessingshouldbetransparentbuthas18Tele2Sverige(n15)para121.19art13(2)(d)Directive2016/680readsasfollows:‘[…MemberStatesshallprovidebylawforthecontrollertogivetothedatasubject,inspecificcases,thefollowingfurtherinformation…](d)whennecessary,furtherinformation,inparticularwherethepersonaldataarecollectedwithouttheknowledgeofthedatasubject.’20See Paul de Hert and Juraj Sajfert, ‘Police, Privacy and Data Protection from a Comparative LegalPerspective’inMonicadenBoer(ed)ComparingPolicingfromaLegalPerspective(EdwardEdgar2018),321;however,theauthorsonlystatethat13(2)(d)Directive2016/680encompassestheobligationofnotificationwithoutexplainingtheirreasoning.21SeeKlassandothersvGermanyApp no 5029/71 (ECHR, 6 September 1978), para 57 et seq;WeberandSaravia v GermanyApp no 54934/00 (ECHR, 29 June 2006), para 135; Roman Zakharov v RussiaApp no47143/06 (ECHR, 4December 2015), para 287 et seq; see also the analysis in Paul deHert and FranziskaBoehm,‘TheRightsofNotificationafterSurveillanceisover’(2012)DigitalEnlightenmentYearbook19.

161

7


needtobe‘authorisedorbeunderpinnedbyalegalobligationtocomplywiththepurposelimitationprinciple.’13AsconcludedinChapter5,theabsenceofclearrulesonfurtherprocessingacrossthetwoinstrumentsdoesnotavoid‘creatingproblems.’14ItonlyoffloadstheissueontoMemberStates,leadingpotentiallytoagreaterdiscrepancy.Third,thetestingofthe‘police’DirectiveprovisionsagainsttheECJ’sbenchmarkondata retention has revealed shortcomings of the Directive (in particular, in theformulation of the right to information). To assess whether the provisions of the‘police’ Directive provide adequate safeguards to individuals whose personal data areaccessedforre-usebylawenforcementauthorities,thestudysearchedforabenchmarktotest these provisions. The Court of Justice has not yet delivered any judgment on anidenticalscenariobutithasontheclosescenarioofdataretention,wherepersonaldatacollectedbyprivatepartiesarekeptfollowingalegalobligationtoallowlawenforcementauthoritiestoaccessandre-usethedata.15Thedifferencebetweenthetwoscenariosthuslies in the obligation to retain the data. As the ECJ clearly distinguished the issue ofretentionfromthatofaccessandre-useinitscaselaw,theresearchanalysedtheCourt’sfindingsonthissecondaspect.Keepinginmindthesedifferences,Chapter4testedtheprovisionsofthe‘police’DirectiveagainstthestandardsofDigitalRightsIrelandandTele2Sverige.Buildingontheopinionsof the European Parliament and the European Commission,16it was argued that thefindingsofthecaselawshouldapplybeyondthefieldofdataretention,andinparticularto cases where personal data held by private parties are accessed and used by lawenforcementauthorities.Theanalysisfurtherrevealedthatthe‘police’Directivemightfallshortonseveralaccounts.Inparticular,theDirectivedoesnotprovideobjectivecriteriatodefinetheconditionsunderwhich lawenforcementauthoritiescouldaccessandfurtherusepersonaldatageneratedbyprivatepartiesforadifferentpurpose.Besides,itlacksaspecific procedural rule on the prior review of a request for access,17and the right toinformation in Article 13 of the Directive is not expressly formulated as a right ofnotification.Onthis last issue, theCourtheld in itscase lawthat individualswhosedata

13ibid14.14InreferencetotheEuropeanCommission’spositionduringthenegotiationsofthedraftpoliceDirectiveattheCouncillevel,wheretheCommissionjustifiedtheabsenceofspecificrulesinthedraftDirectivebasedonthefactthat“thefurtherprocessingacrossthetwolegalinstrumentswouldcreateproblems”,seeChapter5,footnote49.15See Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and others [2014]ECLI:EU:C:2014:238, and JoinedCasesC-203/15andC-698/15,Tele2SverigeABvPost-ochtelestyrelsen andSecretaryofStatefortheHomeDepartmentvTomWatsonandothers[2016]ECLI:EU:C:2016:970.16See Chapter 4, Section III entitled ‘Existence of Substantive and Procedural’ Safeguards in Directive2016/680?’17Onthislatteritcouldbearguedthatnoteveryreprocessingoperationforalawenforcementpurposewouldrequire prior review, but only the ones that have serious consequences on individuals, such as situationswherethereisnooffenceorsuspect(egincasesofcriminalsurveillance).

145

havebeenaccessedbylawenforcementauthoritiesshouldbenotifiedatagivenpointintime, i.e. at least at a time when the investigation can no longer be prejudiced.18Thenotification triggers their right to remedy as well as other rights (such as the right ofaccess,andrectification).YettheDirectivedoesnotobligeMemberStatestointroduceintheir national law an obligation to notify the processing, and a fortiori, the furtherprocessingofthedata.TherighttoinformationisformulatedinArticle13(1)oftheDirectiveasarightto‘makeavailable information’ to individuals, which raises the question of whether individualsneed to have prior knowledge about the processing operation to exercise their right toinformationandtheotherrightsderivingfromit.ThisobligationiscompletedbyArticle13(2)thatstipulatesthatMemberStatesshouldimposeondatacontrollersanobligationto ‘provide…inspecificcases…furtherinformation’toenableindividualstoexercisetheirrights. These cases –which do not seem to be entirely defined – include the situationwheredatahavebeencollectedwithouttheknowledgeofindividuals.19Forsomeauthors,this provision is the evidence that the obligation of notification is included in theDirective.20However,nowhereinthe‘police’Directiveisthereanyexpressmentionoftheobligationtonotifyindividuals,norofatimewhenthenotificationshouldbemade.Intheend, basedon this ill-definedprovision,Member States arenot compelled to impose anobligationofnotificationtothelawenforcementauthorities.The obligation of notification derives from the judgment in Tele2 Sverige, which washandeddownafter the adoptionof the ‘police’Directive.Hence, theDirective couldnothave reflected this finding in its provisions. However, the ECtHR set up earlier theobligationofnotificationinitscaselawontheinterpretationofArticle8ECHRincriminalsurveillance cases.21As such, theobligation shouldhavebeen reflected– and in specificterms–inthe‘police’Directive.TheresearchsuggeststhattherighttoinformationshouldbeinterpretedinlightoftheECJandECtHRcaselawtoallowindividualstobeinformedandexercisetheirrights.Last, a distinction should be made between the obligation of transparency and theobligationofnotification.Beingtransparentaboutthewaypersonaldataareprocessedingeneral is different from informing an individual about a specific processing operation.The ‘police’Directivementionsinarecitalthatprocessingshouldbetransparentbuthas18Tele2Sverige(n15)para121.19art13(2)(d)Directive2016/680readsasfollows:‘[…MemberStatesshallprovidebylawforthecontrollertogivetothedatasubject,inspecificcases,thefollowingfurtherinformation…](d)whennecessary,furtherinformation,inparticularwherethepersonaldataarecollectedwithouttheknowledgeofthedatasubject.’20See Paul de Hert and Juraj Sajfert, ‘Police, Privacy and Data Protection from a Comparative LegalPerspective’inMonicadenBoer(ed)ComparingPolicingfromaLegalPerspective(EdwardEdgar2018),321;however,theauthorsonlystatethat13(2)(d)Directive2016/680encompassestheobligationofnotificationwithoutexplainingtheirreasoning.21SeeKlassandothersvGermanyApp no 5029/71 (ECHR, 6 September 1978), para 57 et seq;WeberandSaravia v GermanyApp no 54934/00 (ECHR, 29 June 2006), para 135; Roman Zakharov v RussiaApp no47143/06 (ECHR, 4December 2015), para 287 et seq; see also the analysis in Paul deHert and FranziskaBoehm,‘TheRightsofNotificationafterSurveillanceisover’(2012)DigitalEnlightenmentYearbook19.

162

Chapter 7

notconveyedthisobligationinanyofitsprovisions.22Asaconsequence,lawenforcementauthorities are not required to explain how personal data personal data can be (re-)processed.23Onthisissue,oneshouldobservethatthepracticalguideonthepoliceuseofpersonaldata,illustratingtheapplicationofRecommendationR(87)15,ismorespecific.Itdistinguishesgeneralinformationfromspecificinformation,whichmustbebothprovidedto individuals. General information corresponds to the obligation of transparency,whereas specific information is the information given to an individual about specificprocessingoperations.Concerningspecificinformation,theguidestipulatesthatincasearestrictionorderogationapplies,theinformationshouldbeprovidedtoanindividual‘assoon as it no longer jeopardises the purpose for which the data were used.’24Thisconditionechoes the findingsof theECJ inTele2Sverige.25Alternatively, it couldbe thatTele2SverigeimplicitlyreferstotheECtHRjurisprudenceoncriminalsurveillance.26Fourth,theaccountabilitytoolsofDataProtectionbyDesignandDefaultaswellasData Protection Impact Assessment might help to mitigate the risks to theindividuals. Both measures have been introduced in the new EU data protectionframeworktosupporttheaccountabilityofdatacontrollers.AssuggestedintheanalysisofChapter6,theycanalsobeusedasextrasafeguardsforindividualswhosepersonaldataare reprocessed for a law enforcement purpose. But neither the GDPR nor the ‘police’Directive offers specific guidance on their application. Data Protection by Design andDefault is an overarching principle that can cover both data protection policies andprivacy-preservingsolutions(suchasencryptionofthedata,anonymisationofthedata).Astechnicalsolutionsareleft inthehandsoftechnicalexperts,thedissertationhasonlyidentifiedelements tobe included indataprotectionpolicies toenable lawenforcementauthoritiestoreprocessbiometricdataoriginatingfromprivateparties.DataProtectionImpactAssessmentisacomplementarytooltoDataProtectionbyDesignand Default. It is not systematically carried out as not every processing operation issubjecttoaDPIA.Onlytheonesthatare‘likelytoresultinahighrisk’toindividuals’rightsand freedoms require a DPIA. Onwhat constitutes such a high risk, the GDPR ismoredetailedthanthe‘police’Directive.Thus,theDPIAframeworksetundertheGDPRisused22Recital 26 ofDirective2016/680provides that ‘anyprocessingof personal datamust be lawful, fair andtransparent…’23Compareart4(1)(a)Directive2016/680(personaldatashouldbe‘processedlawfullyandfairly’)withart5(1)(a)GDPR(personaldatashouldbe‘processedlawfully,fairlyandinatransparentmannerinrelationtothedatasubjects’);alsocompareart12GDPRondatasubjects’rightwithart12Directive2016/680wheretheadjective‘transparent’doesnotappearinthecommunicationformoftheinformation.Ontheabsenceofthe principle of transparency, see also analysis by the European Union Agency for Fundamental Rights,‘HandbookonEuropeanDataProtectionLaw’(2018)283.24ibid.25Tele2Sverige(n15)para121:‘…thecompetentnationalauthoritiestowhomaccesstotheretaineddatahasbeen granted must notify the persons affected, under the applicable national procedures, as soon as thatnotificationisnolongerabletojeopardisetheinvestigationsbeingundertakenbythoseauthorities.’26Para121ofTele2Sverige(n15)describestheobligationofnotificationwithoutreferringtotheECtHRcaselawbutthewordingusedtodescribetheobligationisclosetothatoftheECtHRincriminalsurveillancecases(n21).

asguidance for theregimeapplicable in the lawenforcementcontext. Inparticular, ‘anytype of biometric data processing’ on its own is not sufficient to represent a high risk.Additional criterianeed tobeadded to requireaDPIA.According to theEuropeanDataProtectionBoard in chargeof the consistent applicationof theGDPRacross theEU, theprocessingofbiometricdataneeds toreach the thresholdofsensitivedata(i.e. thedataare processed to uniquely identify an individual) and be accompanied with one of thecriteria defined by theA29WP (for instance, the processing operation is carried out onlarge-scale or involves a systematicmonitoring).27Chapter6 surveyed the provisions ofboththeGDPRandthe‘police’Directiveandmaderecommendationsinthecontextoflawenforcement reprocessingof biometricdata collectedbyprivateparties. In the end, if aDPIAisagoodtooltocompensatefortheabsenceoftheobligationoftransparency(asaDPIAdescribeshowthedatawillbemanaged),itcannotreplacetherighttoinformation.Itcan,nonetheless,recommendtheadoptionofprocedurestoinformindividualsthatlawenforcementauthoritieshaveaccessedtheirpersonaldata.In a nutshell, the research has established that the EU data protection rules do notprovideadequatesafeguardstoindividualswhentheirbiometricdatacollectedundertheGDPRarereprocessedunderthe‘police’Directiverules.Inparticular,throughananalogybasedontheECJ’s interpretationofdataretentionlegislation, itappearsthatthe ‘police’Directive lacks clarity, in particular, on the scope of the right to information. The roleplayed by the principle of purpose limitation in the scenario of processing operationsacross the two instruments is also uncertain. Beyond the safeguards, the research hasuncovereda significant terminological issueon the conceptofbiometricdata.The issuehasanimpactontheprocessingofbiometricdatanotonlybylawenforcementauthoritiesbutalsobyprivateorpublicpartiesprocessingbiometricdataforvariouspurposes.So, what are the solutions? As suggested along the different chapters of the research,severalpathscouldbe followed,even ifnoneof themseemstobetheultimatesolution.First, the European Data Protection Board, replacing the Article 29 Data ProtectionWorking Party, could issue recommendations and guidelines to clarify the scope of therules. This would be very beneficial to clarify the notion of ‘biometric data' and theconditionsunderwhichbiometricdataareconsideredsensitivedata,inparticularforthebiometricindustry.Thereisalsoguidanceneededontherulesapplicabletopersonaldataprocessing across the two instruments.However, as a downside, theBoard's guidelinesand recommendations are non-binding. Second, since Directive 2016/680 has beenimplemented inMemberStates,national courtscouldsendpreliminaryquestions to theECJbasedonnationalprovisions.Ifthispathisthebesttoensurelegalcertainty,itmight

27EDPB,Opinionsondataprotectionauthorities’DPIAdraftlists[2018]<https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en>accessed30December2018.

163

7


notconveyedthisobligationinanyofitsprovisions.22Asaconsequence,lawenforcementauthorities are not required to explain how personal data personal data can be (re-)processed.23Onthisissue,oneshouldobservethatthepracticalguideonthepoliceuseofpersonaldata,illustratingtheapplicationofRecommendationR(87)15,ismorespecific.Itdistinguishesgeneralinformationfromspecificinformation,whichmustbebothprovidedto individuals. General information corresponds to the obligation of transparency,whereas specific information is the information given to an individual about specificprocessingoperations.Concerningspecificinformation,theguidestipulatesthatincasearestrictionorderogationapplies,theinformationshouldbeprovidedtoanindividual‘assoon as it no longer jeopardises the purpose for which the data were used.’24Thisconditionechoes the findingsof theECJ inTele2Sverige.25Alternatively, it couldbe thatTele2SverigeimplicitlyreferstotheECtHRjurisprudenceoncriminalsurveillance.26Fourth,theaccountabilitytoolsofDataProtectionbyDesignandDefaultaswellasData Protection Impact Assessment might help to mitigate the risks to theindividuals. Both measures have been introduced in the new EU data protectionframeworktosupporttheaccountabilityofdatacontrollers.AssuggestedintheanalysisofChapter6,theycanalsobeusedasextrasafeguardsforindividualswhosepersonaldataare reprocessed for a law enforcement purpose. But neither the GDPR nor the ‘police’Directive offers specific guidance on their application. Data Protection by Design andDefault is an overarching principle that can cover both data protection policies andprivacy-preservingsolutions(suchasencryptionofthedata,anonymisationofthedata).Astechnicalsolutionsareleft inthehandsoftechnicalexperts,thedissertationhasonlyidentifiedelements tobe included indataprotectionpolicies toenable lawenforcementauthoritiestoreprocessbiometricdataoriginatingfromprivateparties.DataProtectionImpactAssessmentisacomplementarytooltoDataProtectionbyDesignand Default. It is not systematically carried out as not every processing operation issubjecttoaDPIA.Onlytheonesthatare‘likelytoresultinahighrisk’toindividuals’rightsand freedoms require a DPIA. Onwhat constitutes such a high risk, the GDPR ismoredetailedthanthe‘police’Directive.Thus,theDPIAframeworksetundertheGDPRisused22Recital 26 ofDirective2016/680provides that ‘anyprocessingof personal datamust be lawful, fair andtransparent…’23Compareart4(1)(a)Directive2016/680(personaldatashouldbe‘processedlawfullyandfairly’)withart5(1)(a)GDPR(personaldatashouldbe‘processedlawfully,fairlyandinatransparentmannerinrelationtothedatasubjects’);alsocompareart12GDPRondatasubjects’rightwithart12Directive2016/680wheretheadjective‘transparent’doesnotappearinthecommunicationformoftheinformation.Ontheabsenceofthe principle of transparency, see also analysis by the European Union Agency for Fundamental Rights,‘HandbookonEuropeanDataProtectionLaw’(2018)283.24ibid.25Tele2Sverige(n15)para121:‘…thecompetentnationalauthoritiestowhomaccesstotheretaineddatahasbeen granted must notify the persons affected, under the applicable national procedures, as soon as thatnotificationisnolongerabletojeopardisetheinvestigationsbeingundertakenbythoseauthorities.’26Para121ofTele2Sverige(n15)describestheobligationofnotificationwithoutreferringtotheECtHRcaselawbutthewordingusedtodescribetheobligationisclosetothatoftheECtHRincriminalsurveillancecases(n21).

asguidance for theregimeapplicable in the lawenforcementcontext. Inparticular, ‘anytype of biometric data processing’ on its own is not sufficient to represent a high risk.Additional criterianeed tobeadded to requireaDPIA.According to theEuropeanDataProtectionBoard in chargeof the consistent applicationof theGDPRacross theEU, theprocessingofbiometricdataneeds toreach the thresholdofsensitivedata(i.e. thedataare processed to uniquely identify an individual) and be accompanied with one of thecriteria defined by theA29WP (for instance, the processing operation is carried out onlarge-scale or involves a systematicmonitoring).27Chapter6 surveyed the provisions ofboththeGDPRandthe‘police’Directiveandmaderecommendationsinthecontextoflawenforcement reprocessingof biometricdata collectedbyprivateparties. In the end, if aDPIAisagoodtooltocompensatefortheabsenceoftheobligationoftransparency(asaDPIAdescribeshowthedatawillbemanaged),itcannotreplacetherighttoinformation.Itcan,nonetheless,recommendtheadoptionofprocedurestoinformindividualsthatlawenforcementauthoritieshaveaccessedtheirpersonaldata.In a nutshell, the research has established that the EU data protection rules do notprovideadequatesafeguardstoindividualswhentheirbiometricdatacollectedundertheGDPRarereprocessedunderthe‘police’Directiverules.Inparticular,throughananalogybasedontheECJ’s interpretationofdataretentionlegislation, itappearsthatthe ‘police’Directive lacks clarity, in particular, on the scope of the right to information. The roleplayed by the principle of purpose limitation in the scenario of processing operationsacross the two instruments is also uncertain. Beyond the safeguards, the research hasuncovereda significant terminological issueon the conceptofbiometricdata.The issuehasanimpactontheprocessingofbiometricdatanotonlybylawenforcementauthoritiesbutalsobyprivateorpublicpartiesprocessingbiometricdataforvariouspurposes.So, what are the solutions? As suggested along the different chapters of the research,severalpathscouldbe followed,even ifnoneof themseemstobetheultimatesolution.First, the European Data Protection Board, replacing the Article 29 Data ProtectionWorking Party, could issue recommendations and guidelines to clarify the scope of therules. This would be very beneficial to clarify the notion of ‘biometric data' and theconditionsunderwhichbiometricdataareconsideredsensitivedata,inparticularforthebiometricindustry.Thereisalsoguidanceneededontherulesapplicabletopersonaldataprocessing across the two instruments.However, as a downside, theBoard's guidelinesand recommendations are non-binding. Second, since Directive 2016/680 has beenimplemented inMemberStates,national courtscouldsendpreliminaryquestions to theECJbasedonnationalprovisions.Ifthispathisthebesttoensurelegalcertainty,itmight

27EDPB,Opinionsondataprotectionauthorities’DPIAdraftlists[2018]<https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en>accessed30December2018.

164

Chapter 7

148

belongandmightalsorequirethezealofanactivistcitizentostartlegalproceedingsatnationallevel.What’snext?Thestudymadeforthisdissertationconstitutesgroundworkforfutureresearch.Severaloftheprovisionsthattheresearchhasinterpretedarenewandstilluntested,inparticulartheprovisionsofthe‘police’Directive.28Thescenarioattheoriginoftheresearchhasalsoevolved during the research: it started with the volume of biometric data collected byprivate parties for biometric solutions and moved to the trove of ‘personal data’(photographs,voicesamples)heldbysocialmediathatcouldbereprocessedforbiometricrecognitionpurposes.29Insomerespects,thestudyremainsexploratory.Nevertheless,theresearchwouldbenefit fromfollow-upstudiesonseveralaspects.For instance, itwouldbeveryinterestingtoanalysehowMemberStateshaveimplementedtheprovisionsofthe‘police’Directive, and inparticular theprincipleofpurpose limitation, andwhetheranyMemberStatehassolvedtheissueofthereprocessingofpersonaldataacrossinstruments(or across fields). Likewise, itwould be interesting to survey howMember States havetransposedArticle13oftheDirective(therighttoinformation)intheirnationallaw.Throughthepublicationofarticles,theresearchhasmadeaselectionofissues.However,there is room to explore the differences between the various types of law enforcementpurposesbasedontheimpactthatthesepurposesmighthaveontherightstoindividuals.Thestudyhasbrieflysketchedthedifferencesbetweencrimeinvestigation–linkedtoanoffence–andcrimesurveillance–intheabsenceofoffenceandsuspect.Lastbutnotleast,thestudycouldbecompletedwithcasestudies,suchasacasestudyonsocialmediaminingbylawenforcementauthorities.Theresearchdidnotclaimthatlawenforcementauthoritiescouldsearchdirectlythroughsocialmedia’sdatatroves.But,theissue of the source of data used by the police needs to be explored. Concerning facialimages (orvoice samples)heldby socialmedia, lawenforcementauthorities canaccessthem through different means: a request to the social media, feeds, or the usersthemselvesmakingthe informationpubliclyavailable.Suchacasestudycouldcoverthetechnicalaspects(facialrecognition),analysetheimpactofthedifferentwaysofaccessonindividuals’rights,comparelawenforcementpurposes(criminalsurveillanceandcriminalinvestigation), research privacy-preserving solutions, and elaborate a model of dataprotection impact assessment applicable to social mediamining. This dissertation thuspavesthewayforfutureinterdisciplinaryresearch.

28Suchastheprincipleofpurposelimitation,theconditionsapplicabletothefurtherprocessingofpersonaldatacollectedforadifferentpurpose,andthescopeoftherighttoinformation.29SeeinparticulartheexamplesgivenintheintroductionsectiontoChapter5,whichfocusesontheamountofpersonaldata(includingbiometricdata)heldbysocialmedia.

148

belongandmightalsorequirethezealofanactivistcitizentostartlegalproceedingsatnationallevel.What’snext?Thestudymadeforthisdissertationconstitutesgroundworkforfutureresearch.Severaloftheprovisionsthattheresearchhasinterpretedarenewandstilluntested,inparticulartheprovisionsofthe‘police’Directive.28Thescenarioattheoriginoftheresearchhasalsoevolved during the research: it started with the volume of biometric data collected byprivate parties for biometric solutions and moved to the trove of ‘personal data’(photographs,voicesamples)heldbysocialmediathatcouldbereprocessedforbiometricrecognitionpurposes.29Insomerespects,thestudyremainsexploratory.Nevertheless,theresearchwouldbenefit fromfollow-upstudiesonseveralaspects.For instance, itwouldbeveryinterestingtoanalysehowMemberStateshaveimplementedtheprovisionsofthe‘police’Directive, and inparticular theprincipleofpurpose limitation, andwhetheranyMemberStatehassolvedtheissueofthereprocessingofpersonaldataacrossinstruments(or across fields). Likewise, itwould be interesting to survey howMember States havetransposedArticle13oftheDirective(therighttoinformation)intheirnationallaw.Throughthepublicationofarticles,theresearchhasmadeaselectionofissues.However,there is room to explore the differences between the various types of law enforcementpurposesbasedontheimpactthatthesepurposesmighthaveontherightstoindividuals.Thestudyhasbrieflysketchedthedifferencesbetweencrimeinvestigation–linkedtoanoffence–andcrimesurveillance–intheabsenceofoffenceandsuspect.Lastbutnotleast,thestudycouldbecompletedwithcasestudies,suchasacasestudyonsocialmediaminingbylawenforcementauthorities.Theresearchdidnotclaimthatlawenforcementauthoritiescouldsearchdirectlythroughsocialmedia’sdatatroves.But,theissue of the source of data used by the police needs to be explored. Concerning facialimages (orvoice samples)heldby socialmedia, lawenforcementauthorities canaccessthem through different means: a request to the social media, feeds, or the usersthemselvesmakingthe informationpubliclyavailable.Suchacasestudycouldcoverthetechnicalaspects(facialrecognition),analysetheimpactofthedifferentwaysofaccessonindividuals’rights,comparelawenforcementpurposes(criminalsurveillanceandcriminalinvestigation), research privacy-preserving solutions, and elaborate a model of dataprotection impact assessment applicable to social mediamining. This dissertation thuspavesthewayforfutureinterdisciplinaryresearch.

28Suchastheprincipleofpurposelimitation,theconditionsapplicabletothefurtherprocessingofpersonaldatacollectedforadifferentpurpose,andthescopeoftherighttoinformation.29SeeinparticulartheexamplesgivenintheintroductionsectiontoChapter5,whichfocusesontheamountofpersonaldata(includingbiometricdata)heldbysocialmedia.

Bibliography

168

Decisionof13July2010ontheconclusionoftheAgreementbetweentheEuropeanUnionand theUnitedStatesofAmericaon theprocessingand transferofFinancialMessagingData from the European Union to the United States for the purposes of the TerroristFinanceTrackingProgram(2010/412/EU)[2010]OJL195/3(ii)EuropeanParliamentandCouncilDirective95/46/ECof24October1995ontheprotectionofindividualswithregardtotheprocessingofsuchdata(Directive95/46/EC)[1995]OJL281/31Directive2006/24/ECof15March2006ontheretentionofdatageneratedorprocessedinconnectionwiththeprovisionofpubliclyavailableelectroniccommunicationsservicesor of public communications networks and amending Directive 2002/58/EC [2006] OJL105/54Regulation(EU)No603/2013of26June2013ontheestablishmentof 'Eurodac' forthecomparisonof fingerprints for theeffectiveapplicationofRegulation(EU)No604/2013establishing the criteriaandmechanisms fordetermining theMemberState responsiblefor examining an application for international protection lodged in one of theMemberStates by a third-country national or a stateless person and on requests for thecomparison with Eurodac data by Member States' law enforcement authorities andEuropol for law enforcement purposes, and amending Regulation (EU) No 1077/2011establishingaEuropeanAgencyfortheoperationalmanagementoflarge-scaleITsystemsintheareaoffreedom,securityandjustice(recast)[2013]OJL180/1Regulation(EU)2016/679of27April2016ontheprotectionofindividualswithregardtothe processing of personal data and of the free movement of such data and repealingDirective95/46/EC(GeneralDataProtectionRegulation)[2016]OJL119/1Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons withregardtotheprocessingofpersonaldatabycompetentauthoritiesforthepurposesoftheprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminal penalties, and on the free movement of such data, and repealing CouncilFrameworkDecision2008/977/JHA[2016]OJL119/89Directive(EU)2016/681oftheEuropeanParliamentandoftheCouncilof27April2016on the use of passenger name record (PNR) data for the prevention, detection,investigationandprosecutionofterroristoffencesandseriouscrimes[2016]OJL119/32Regulation (EU) 2016/794 of 11 May 2016 on the European Union Agency for lawenforcement cooperation (Europol) and replacing and repealing Council Decisions2009/371/JHA,2009/935/JHA,2009/936/JHAand2009/968/JHA[2016]OJL135/53EULegislativeProposalsandResolutions(i)CouncilPoliticalagreementonthe‘ProposalforaDirectiveoftheEuropeanParliamentandoftheCouncilontheprotectionofindividualswithregardstotheprocessingofpersonaldatabycompetent authorities for the purposes of prevention, investigation, detection orprosecution of criminal offences or the execution of criminal penalties, and the freemovementofsuchdata’LIMITEdoc.no7740/15[2015]

BibliographyI.LEGISLATION

A. EULEVEL

TreatiesandChartersTreatyofLisbonAmendingtheTreatyonEuropeanUnionandtheTreatyestablishingtheEuropeanCommunity[2007]OJC306/01TreatyontheFunctioningoftheEuropeanUnion(TFEU),consolidatedversion[2016]OJC202/47TreatyonEuropeanUnion(TEU),consolidatedversion[2016]OJC202/13CharterofFundamentalRightsoftheEuropeanUnion[2016]OJC202/389ExplanationsrelatingtotheCharterofFundamentalRights[2007]OJC303/17Regulations,Directives,andDecisions(i)CouncilRegulation (EC) No 2725/2000 of 11 December 2000 concerning the establishment of‘Eurodac’ for the comparison of fingerprints for the effective application of the DublinConvention[2000]OJL316/1Regulation(EC)No2252/2004of13December2004onstandards forsecurity featuresand biometrics in passports and travel documents issued by Member States [2004] OJL385/1Decision of 8 June 2004 establishing theVisa Information System (VIS) (2004/512/EC)[2004]OJL213/5FrameworkDecision2006/960/JHAof18December2006onsimplifyingtheexchangeofinformationand intelligencebetween lawenforcementauthoritiesof theMemberStatesoftheEuropeanUnion[2006]OJL386/89Decision2007/533/JHAof12 June2007on theestablishment,operationanduseof thesecondgenerationSchengenInformationSystem(SISII)[2007]OJL205/63Decision2008/615/JHAof23June2008onthesteppingupofcross-bordercooperation,particularlyincombatingterrorismandcross-bordercrime[2008]OJL210/1Decision 2008/616/JHA of 23 June 2008 on the implementation of Decision2008/615/JHAonthesteppingupofcross-bordercooperation,particularlyincombatingterrorismandcross-bordercrime[2008]OJL210/12FrameworkDecision2008/977/JHAof27November2008ontheprotectionofpersonaldata processed in the framework of police and judicial cooperation in criminalmatters(CouncilFrameworkDecision2008/977/JHA)[2008]OJL350/60

169

Decisionof13July2010ontheconclusionoftheAgreementbetweentheEuropeanUnionand theUnitedStatesofAmericaon theprocessingand transferofFinancialMessagingData from the European Union to the United States for the purposes of the TerroristFinanceTrackingProgram(2010/412/EU)[2010]OJL195/3(ii)EuropeanParliamentandCouncilDirective95/46/ECof24October1995ontheprotectionofindividualswithregardtotheprocessingofsuchdata(Directive95/46/EC)[1995]OJL281/31Directive2006/24/ECof15March2006ontheretentionofdatageneratedorprocessedinconnectionwiththeprovisionofpubliclyavailableelectroniccommunicationsservicesor of public communications networks and amending Directive 2002/58/EC [2006] OJL105/54Regulation(EU)No603/2013of26June2013ontheestablishmentof 'Eurodac' forthecomparisonof fingerprints for theeffectiveapplicationofRegulation(EU)No604/2013establishing the criteriaandmechanisms fordetermining theMemberState responsiblefor examining an application for international protection lodged in one of theMemberStates by a third-country national or a stateless person and on requests for thecomparison with Eurodac data by Member States' law enforcement authorities andEuropol for law enforcement purposes, and amending Regulation (EU) No 1077/2011establishingaEuropeanAgencyfortheoperationalmanagementoflarge-scaleITsystemsintheareaoffreedom,securityandjustice(recast)[2013]OJL180/1Regulation(EU)2016/679of27April2016ontheprotectionofindividualswithregardtothe processing of personal data and of the free movement of such data and repealingDirective95/46/EC(GeneralDataProtectionRegulation)[2016]OJL119/1Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons withregardtotheprocessingofpersonaldatabycompetentauthoritiesforthepurposesoftheprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminal penalties, and on the free movement of such data, and repealing CouncilFrameworkDecision2008/977/JHA[2016]OJL119/89Directive(EU)2016/681oftheEuropeanParliamentandoftheCouncilof27April2016on the use of passenger name record (PNR) data for the prevention, detection,investigationandprosecutionofterroristoffencesandseriouscrimes[2016]OJL119/32Regulation (EU) 2016/794 of 11 May 2016 on the European Union Agency for lawenforcement cooperation (Europol) and replacing and repealing Council Decisions2009/371/JHA,2009/935/JHA,2009/936/JHAand2009/968/JHA[2016]OJL135/53EULegislativeProposalsandResolutions(i)CouncilPoliticalagreementonthe‘ProposalforaDirectiveoftheEuropeanParliamentandoftheCouncilontheprotectionofindividualswithregardstotheprocessingofpersonaldatabycompetent authorities for the purposes of prevention, investigation, detection orprosecution of criminal offences or the execution of criminal penalties, and the freemovementofsuchdata’LIMITEdoc.no7740/15[2015]

BibliographyI.LEGISLATION

A. EULEVEL

TreatiesandChartersTreatyofLisbonAmendingtheTreatyonEuropeanUnionandtheTreatyestablishingtheEuropeanCommunity[2007]OJC306/01TreatyontheFunctioningoftheEuropeanUnion(TFEU),consolidatedversion[2016]OJC202/47TreatyonEuropeanUnion(TEU),consolidatedversion[2016]OJC202/13CharterofFundamentalRightsoftheEuropeanUnion[2016]OJC202/389ExplanationsrelatingtotheCharterofFundamentalRights[2007]OJC303/17Regulations,Directives,andDecisions(i)CouncilRegulation (EC) No 2725/2000 of 11 December 2000 concerning the establishment of‘Eurodac’ for the comparison of fingerprints for the effective application of the DublinConvention[2000]OJL316/1Regulation(EC)No2252/2004of13December2004onstandards forsecurity featuresand biometrics in passports and travel documents issued by Member States [2004] OJL385/1Decision of 8 June 2004 establishing theVisa Information System (VIS) (2004/512/EC)[2004]OJL213/5FrameworkDecision2006/960/JHAof18December2006onsimplifyingtheexchangeofinformationand intelligencebetween lawenforcementauthoritiesof theMemberStatesoftheEuropeanUnion[2006]OJL386/89Decision2007/533/JHAof12 June2007on theestablishment,operationanduseof thesecondgenerationSchengenInformationSystem(SISII)[2007]OJL205/63Decision2008/615/JHAof23June2008onthesteppingupofcross-bordercooperation,particularlyincombatingterrorismandcross-bordercrime[2008]OJL210/1Decision 2008/616/JHA of 23 June 2008 on the implementation of Decision2008/615/JHAonthesteppingupofcross-bordercooperation,particularlyincombatingterrorismandcross-bordercrime[2008]OJL210/12FrameworkDecision2008/977/JHAof27November2008ontheprotectionofpersonaldata processed in the framework of police and judicial cooperation in criminalmatters(CouncilFrameworkDecision2008/977/JHA)[2008]OJL350/60

170

<http://data.consilium.europa.eu/doc/document/ST-7740-2015-INIT/en/pdf>accessed30September2018(ii)EuropeanCommissionDraft ‘Proposal for a Directive of the European Parliament and of the Council on theprotection of individuals with regard to the processing of personal data by competentauthorities for the purposes of prevention, investigation, detection or prosecution ofcriminal offencesor the executionof criminalpenalties, and the freemovementof suchdata(‘PoliceandCriminalJusticeDataProtectionDirective’)’,version34[2011]<http://www.statewatch.org/news/2011/dec/ep-dp-leas-draft-directive.pdf>accessed30September2018(iii)EuropeanParliamentResolutionof11February2015onanti-terrorismmeasures’(2015/2530(RSP))[2015]<http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P8-TA-2015-0032+0+DOC+XML+V0//EN>accessed1August2017(iv)EuropeanUnionandtheUnitedStatesofAmericaAgreementontheprocessingandtransferoffinancialmessagingdatafromtheEuropeanUnion to theUnited States for the purposes of the Terrorist Finance Tracking Program[2010]OJL8/11

B. COUNCILOFEUROPE

ConventionfortheProtectionofHumanRightsandFundamentalFreedoms[1950]<https://www.echr.coe.int/Documents/Convention_ENG.pdf>accessed30September2018Convention for the Protection of Individuals with regard to Automatic Processing ofPersonalData[1981](ETSNo.108)<http://conventions.coe.int/Treaty/EN/Reports/HTML/108.htm>accessed30September2018

C. NATIONALLEVEL(i)AustraliaAustralianGovernment,FederalRegisterofLegislation,PrivacyAct1998<https://www.legislation.gov.au/Details/C2014C00076>accessed30November2018(ii)BelgiumBelgiumParliament,Lawof30July2018ontheProtectionofIndividualswithregardtotheProcessingofPersonalData(Loidu30juillet2018relativeàlaprotectiondespersonnesphysiquesàl’égarddestraitementsdedonnéesàcaractèrepersonnel)<http://www.ejustice.just.fgov.be/cgi/article.pl?language=nl&caller=summary&pub_date=2018-09-05&numac=2018040581>accessed30November2018(iii)FranceFrenchParliament,LawNo.2018-493of20June2018ontheProtectionofPersonalData(Loin°2018-493du20juin2018relativeàlaprotectiondesdonnéespersonnelles)<https://www.legifrance.gouv.fr/eli/loi/2018/6/20/JUSC1732261L/jo/texte>accessed30November2018

(iv)NetherlandsDutchParliament,Lawof17October2018amendingthePoliceDataActandtheJudicialandCriminalProceduralActimplementingEUrulesontheprocessingofpersonaldataforthe purpose of the prevention, investigation, detection and prosecution of criminaloffencesortheexecutionofcriminalpenalties(Wetvan17oktober2018totwijzigingvandeWetpolitiegegevensendeWet justitiëleenstrafvorderlijke gegevens ter implementatie van Europese regelgeving over de verwerkingvan persoonsgegevens met het oog op de voorkoming, het onderzoek, de opsporing envervolgingvanstrafbarefeitenofdetenuitvoerleggingvanstraffen)<https://zoek.officielebekendmakingen.nl/stb-2018-401.html>accessed30November2018(v)UnitedKingdomUKParliament,DataProtectionAct2018<http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted>accessed30November2018II.CASELAW

A. EUROPEANCOURTOFJUSTICE

Case C-292/89 R v Immigration Appeal Tribunal ex parte Gustaff Desiderius Antonissen[1991]ECR-I-745CaseC-275/06,ProductoresdeMúsicadeEspaña(Promusicae)vTelefónicadeEspañaSAU[2008]ECLI:EU:C:2008:54Case C-524/06 Heinz Huber v Bundesrepublik Deutschland [2008] ECLI:EU:C:2008:194,OpinionofAGMaduroCaseC-301/06,IrelandvEuropeanParliamentandCouncil[2009]ECLI:EU:C:2009:68JoinedCasesC-92/09andC-93/09VolkerundMarkusScheckeandHartmutEifertvLandHessen[2010]ECLI:EU:C:2010:662Case C-291/12Michael Schwarz v Stadt Bochum [2013] EU:C:2013:401, Opinion of AGMengozziCaseC-291/12MichaelSchwarzvStadtBochum[2013]ECLI:EU:C:2013:670Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others[2014]ECLI:EU:C:2014:238CaseC-362/14MaximilianSchremsvDataProtectionCommissioner[2015]ECLI:EU:C:2015:650JoinedCasesC-446/12toV-449/12WPWillemsandothers[2015]ECLI:EU:C:2015:238Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v Post-och telestyrelsen andSecretaryofState for theHomeDepartmentvTomWatsonandothers [2016] ECLI:EU:C:2016:572,OpinionofAGSaudmandsgaardØE

171

<http://data.consilium.europa.eu/doc/document/ST-7740-2015-INIT/en/pdf>accessed30September2018(ii)EuropeanCommissionDraft ‘Proposal for a Directive of the European Parliament and of the Council on theprotection of individuals with regard to the processing of personal data by competentauthorities for the purposes of prevention, investigation, detection or prosecution ofcriminal offencesor the executionof criminalpenalties, and the freemovementof suchdata(‘PoliceandCriminalJusticeDataProtectionDirective’)’,version34[2011]<http://www.statewatch.org/news/2011/dec/ep-dp-leas-draft-directive.pdf>accessed30September2018(iii)EuropeanParliamentResolutionof11February2015onanti-terrorismmeasures’(2015/2530(RSP))[2015]<http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P8-TA-2015-0032+0+DOC+XML+V0//EN>accessed1August2017(iv)EuropeanUnionandtheUnitedStatesofAmericaAgreementontheprocessingandtransferoffinancialmessagingdatafromtheEuropeanUnion to theUnited States for the purposes of the Terrorist Finance Tracking Program[2010]OJL8/11

B. COUNCILOFEUROPE

ConventionfortheProtectionofHumanRightsandFundamentalFreedoms[1950]<https://www.echr.coe.int/Documents/Convention_ENG.pdf>accessed30September2018Convention for the Protection of Individuals with regard to Automatic Processing ofPersonalData[1981](ETSNo.108)<http://conventions.coe.int/Treaty/EN/Reports/HTML/108.htm>accessed30September2018

C. NATIONALLEVEL(i)AustraliaAustralianGovernment,FederalRegisterofLegislation,PrivacyAct1998<https://www.legislation.gov.au/Details/C2014C00076>accessed30November2018(ii)BelgiumBelgiumParliament,Lawof30July2018ontheProtectionofIndividualswithregardtotheProcessingofPersonalData(Loidu30juillet2018relativeàlaprotectiondespersonnesphysiquesàl’égarddestraitementsdedonnéesàcaractèrepersonnel)<http://www.ejustice.just.fgov.be/cgi/article.pl?language=nl&caller=summary&pub_date=2018-09-05&numac=2018040581>accessed30November2018(iii)FranceFrenchParliament,LawNo.2018-493of20June2018ontheProtectionofPersonalData(Loin°2018-493du20juin2018relativeàlaprotectiondesdonnéespersonnelles)<https://www.legifrance.gouv.fr/eli/loi/2018/6/20/JUSC1732261L/jo/texte>accessed30November2018

(iv)NetherlandsDutchParliament,Lawof17October2018amendingthePoliceDataActandtheJudicialandCriminalProceduralActimplementingEUrulesontheprocessingofpersonaldataforthe purpose of the prevention, investigation, detection and prosecution of criminaloffencesortheexecutionofcriminalpenalties(Wetvan17oktober2018totwijzigingvandeWetpolitiegegevensendeWet justitiëleenstrafvorderlijke gegevens ter implementatie van Europese regelgeving over de verwerkingvan persoonsgegevens met het oog op de voorkoming, het onderzoek, de opsporing envervolgingvanstrafbarefeitenofdetenuitvoerleggingvanstraffen)<https://zoek.officielebekendmakingen.nl/stb-2018-401.html>accessed30November2018(v)UnitedKingdomUKParliament,DataProtectionAct2018<http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted>accessed30November2018II.CASELAW

A. EUROPEANCOURTOFJUSTICE

Case C-292/89 R v Immigration Appeal Tribunal ex parte Gustaff Desiderius Antonissen[1991]ECR-I-745CaseC-275/06,ProductoresdeMúsicadeEspaña(Promusicae)vTelefónicadeEspañaSAU[2008]ECLI:EU:C:2008:54Case C-524/06 Heinz Huber v Bundesrepublik Deutschland [2008] ECLI:EU:C:2008:194,OpinionofAGMaduroCaseC-301/06,IrelandvEuropeanParliamentandCouncil[2009]ECLI:EU:C:2009:68JoinedCasesC-92/09andC-93/09VolkerundMarkusScheckeandHartmutEifertvLandHessen[2010]ECLI:EU:C:2010:662Case C-291/12Michael Schwarz v Stadt Bochum [2013] EU:C:2013:401, Opinion of AGMengozziCaseC-291/12MichaelSchwarzvStadtBochum[2013]ECLI:EU:C:2013:670Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others[2014]ECLI:EU:C:2014:238CaseC-362/14MaximilianSchremsvDataProtectionCommissioner[2015]ECLI:EU:C:2015:650JoinedCasesC-446/12toV-449/12WPWillemsandothers[2015]ECLI:EU:C:2015:238Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v Post-och telestyrelsen andSecretaryofState for theHomeDepartmentvTomWatsonandothers [2016] ECLI:EU:C:2016:572,OpinionofAGSaudmandsgaardØE

172

Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v Post-och telestyrelsen andSecretary of State for the Home Department v Tom Watson and others [2016] ECLI:EU:C:2016:970Opinion1/15of theCourt (GrandChamber)on theDraftAgreementbetweenCanadaandtheEuropeanUnion[2017],ECLI:EU:C:2016:656

B. EUROPEANCOURTOFHUMANRIGHTSHandysidevUKAppno5493/73(ECHR,7December1976)KlassandothersvGermanyAppno5029/71(ECHR,6September1978)MalonevtheUnitedKingdomAppno8691/79(ECHR,2August1984)LeandervSwedenAppno9248/81(ECHR,26March1987)AmannvSwitzerlandAppno27798/95(ECHR,16February2000)RotaruvRomaniaAppno28341/95(ECHR,4May2000)KhanvUKAppno35394/97(ECHR,12May2000)ConnorsvtheUnitedKingdomAppno66746/01(ECHR,27May2004)WeberandSaraviavGermanyAppno54934/00(ECHR,29June2006)AssociationforEuropeanIntegrationandHumanRightsandEkimdzhievvBulgariaAppno62540/00(ECHR,28June2007)SandMarpervtheUnitedKingdomAppnos30562/04and30566/04(ECHR,4December2008)MKvFranceAppno19522/09(ECHR,18April2013)RomanZakharovvRussiaAppno47143/06(ECHR,4December2015)SzabóandVissyvHungaryAppno37138/14(ECHR,12January2016)

154

III.GUIDELINES,OPINIONS,ANDRECOMMENDATIONS

A. EULEVEL

(i)Article29DataProtectionWorkingPartyWorkingDocumentonbiometrics[2003]WP80OpinionNo.7/2004ontheinclusionofbiometricelementsintheresidencepermitsandvisa taking account of the establishment of the European information system on visas(VIS)[2004]WP96Opinion 3/2005 on implementing the Council Regulation (EC) No. 2252/2004 of 13December 2004 on standards for security features and biometrics in passports andtravelleddocumentsissuedbyMemberStates[2005]WP112Opinion 3/2006 on the Directive 2006/24/EC of the European Parliament and of theCouncilontheretentionofdatageneratedorprocessedinconnectionwiththeprovisionof publicly available electronic communications services or of public communicationsnetworksandamendingDirective2002/58/EC[2006]WP119Opinion4/2007ontheconceptofpersonaldata[2007]WP136‘TheFutureofPrivacy’,JointcontributionwiththeWorkingPartyonPoliceandJusticetotheConsultationoftheEuropeanCommissiononthelegalframeworktothefundamentalrighttoprotectionofpersonaldata,WP168[2009] Opinion3/2010ontheprincipleofaccountability[2010]WP173AdvicePaperonSpecialCategoriesofData(‘SensitiveData’)[2011]Ref.Ares(2011)444105Opinion02/2012onfacialrecognitioninonlineandmobileservices[2012]WP192Opinion3/2012ondevelopmentinbiometrictechnologies[2012]WP193Opinion03/2013onpurposelimitation[2013]WP203Opinion05/2013onSmartBorders[2013]WP206Opinion01/2014on the application of necessity andproportionality concepts anddataprotectionwithinthelawenforcementsector(2014)WP211Opinion 04/2014 on surveillance of electronic communications for intelligence andnationalsecuritypurposes’[2014]WP215Statementontheroleofarisk-basedapproachindataprotectionlegalframeworks[2014]WP218Opinion03/2015onthedraftdirectiveontheprotectionofindividualswithregardtotheprocessing of personal data by competent authorities for the purposes of prevention,

173

Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v Post-och telestyrelsen andSecretary of State for the Home Department v Tom Watson and others [2016] ECLI:EU:C:2016:970Opinion1/15of theCourt (GrandChamber)on theDraftAgreementbetweenCanadaandtheEuropeanUnion[2017],ECLI:EU:C:2016:656

B. EUROPEANCOURTOFHUMANRIGHTSHandysidevUKAppno5493/73(ECHR,7December1976)KlassandothersvGermanyAppno5029/71(ECHR,6September1978)MalonevtheUnitedKingdomAppno8691/79(ECHR,2August1984)LeandervSwedenAppno9248/81(ECHR,26March1987)AmannvSwitzerlandAppno27798/95(ECHR,16February2000)RotaruvRomaniaAppno28341/95(ECHR,4May2000)KhanvUKAppno35394/97(ECHR,12May2000)ConnorsvtheUnitedKingdomAppno66746/01(ECHR,27May2004)WeberandSaraviavGermanyAppno54934/00(ECHR,29June2006)AssociationforEuropeanIntegrationandHumanRightsandEkimdzhievvBulgariaAppno62540/00(ECHR,28June2007)SandMarpervtheUnitedKingdomAppnos30562/04and30566/04(ECHR,4December2008)MKvFranceAppno19522/09(ECHR,18April2013)RomanZakharovvRussiaAppno47143/06(ECHR,4December2015)SzabóandVissyvHungaryAppno37138/14(ECHR,12January2016)

154

III.GUIDELINES,OPINIONS,ANDRECOMMENDATIONS

A. EULEVEL

(i)Article29DataProtectionWorkingPartyWorkingDocumentonbiometrics[2003]WP80OpinionNo.7/2004ontheinclusionofbiometricelementsintheresidencepermitsandvisa taking account of the establishment of the European information system on visas(VIS)[2004]WP96Opinion 3/2005 on implementing the Council Regulation (EC) No. 2252/2004 of 13December 2004 on standards for security features and biometrics in passports andtravelleddocumentsissuedbyMemberStates[2005]WP112Opinion 3/2006 on the Directive 2006/24/EC of the European Parliament and of theCouncilontheretentionofdatageneratedorprocessedinconnectionwiththeprovisionof publicly available electronic communications services or of public communicationsnetworksandamendingDirective2002/58/EC[2006]WP119Opinion4/2007ontheconceptofpersonaldata[2007]WP136‘TheFutureofPrivacy’,JointcontributionwiththeWorkingPartyonPoliceandJusticetotheConsultationoftheEuropeanCommissiononthelegalframeworktothefundamentalrighttoprotectionofpersonaldata,WP168[2009] Opinion3/2010ontheprincipleofaccountability[2010]WP173AdvicePaperonSpecialCategoriesofData(‘SensitiveData’)[2011]Ref.Ares(2011)444105Opinion02/2012onfacialrecognitioninonlineandmobileservices[2012]WP192Opinion3/2012ondevelopmentinbiometrictechnologies[2012]WP193Opinion03/2013onpurposelimitation[2013]WP203Opinion05/2013onSmartBorders[2013]WP206Opinion01/2014on the application of necessity andproportionality concepts anddataprotectionwithinthelawenforcementsector(2014)WP211Opinion 04/2014 on surveillance of electronic communications for intelligence andnationalsecuritypurposes’[2014]WP215Statementontheroleofarisk-basedapproachindataprotectionlegalframeworks[2014]WP218Opinion03/2015onthedraftdirectiveontheprotectionofindividualswithregardtotheprocessing of personal data by competent authorities for the purposes of prevention,

174

investigation, detection or prosecution of criminal offences or the execution of criminalpenalties,andthefreemovementofsuchdata[2015]WP233Guidelines on Data Protection Impact Assessment (DPIA) and determining whetherprocessing is ' likely to result in a high risk ' for the purposes of Regulation 2016/679[2018]WP248rev.01Guidelines on Automated individual decision-making and Profiling for the purposes ofRegulation2016/679[2018]WP251rev.01(ii)CouncilProposalforaregulationoftheEuropeanParliamentandoftheCouncilontheprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuch data (General Data Protection Regulation), Preparation for a general approach9565/15(11June2015)[2015]<https://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf>accessed20July2015(iii)EuropeanCommissionCommunication from the Commission to the European Parliament and the Council onPromotingDataProtectionbyPrivacyEnhancingTechnologies (PETs),COM(2007)228final[2007] <https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52007DC0228&from=EN>accessed30September2018Communication from the Commission to the European Parliament, the Council, theEconomicandSocialCommitteeof theRegions:AComprehensiveApproach toPersonalDataProtectionintheEuropeanUnion’COM(2010)609final<https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM:2010:0609:FIN>accessed30September2018ProposalforaRegulationoftheEuropeanParliamentandoftheCouncilontheprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata (GeneralDataProtectionRegulation),COM(2012)11 final,2012/0011(COD)[2012]<https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012PC0011&from=EN>accessed30September2018ProposalforaDirectiveoftheEuropeanParliamentandoftheCouncilontheprotectionofindividualswith regard to theprocessingof personal databy competent authorities forthepurposesofprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andthefreemovementofsuchdata,COM(2012)10final,2012/0010(COD)[2012]<https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012PC0010&from=en>accessed30September2018ImpactAssessmentaccompanying thedocumentRegulationof theEuropeanParliamentand of the Council on the protection of individuals with regard to the processing ofpersonal data and on the free movement of such data (General Data ProtectionRegulation)andDirectiveoftheEuropeanParliamentandoftheCouncilontheprotectionofindividualswithregardtotheprocessingofpersonaldatabycompetentauthoritiesfor

thepurposesofprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionof criminalpenalties, and the freemovementof suchdata,SEC (2012)72final[2012]<https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012SC0072&from=en>accessed20July2015‘AnswertotheResolutionoftheEuropeanParliamentof11February2015concerningtheconsequencesofthejudgmentoftheCourtofJusticeontheDataRetentionDirectiveandits possible impact on the proposed EU Directive on Passenger Name Records (PNR)’(leakeddocument)[2015]<http://statewatch.org/news/2015/mar/eu-com-eu-pnr-letter.pdf>accessed30September2018(iv)EuropeanDataProtectionBoardEndorsement1/2108[2018]<https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents.pdf>accessed30September2018‘Europe’snewdataprotectionrulesandtheEDPB:givingindividualsgreatercontrol’(pressrelease,25May2018)<https://edpb.europa.eu/news/news/2018/europes-new-data-protection-rules-and-edpb-giving-individuals-greater-control_en>accessed30December2018Opinion 5/2018 on the draft list of the competent supervisory authority of Germanyregarding the processing operations subject to the requirement of a data protectionimpactassessment(Article35.4GDPR)[2018]<https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-52018-germany-sas-dpia-list_en>accessed30December2018Opinion 13/2018 on the draft list of the competent supervisory authority of Lithuaniaregarding the processing operations subject to the requirements of a data protectionimpactassessment(Article35.4GDPR)[2018]<https://edpb.europa.eu/sites/edpb/files/files/file1/2018-09-25-opinion_2018_art._64_lt_sas_dpia_list_en.pdf>accessed30December2018Opinion 16/2018 on the draft list of the competent supervisory authority of theNetherlands regarding the processing operations subject to the requirement of a dataprotectionimpactassessment(Article35.4GDPR)[2018]<https://edpb.europa.eu/sites/edpb/files/files/file1/2018-09-25-opinion_2018_art._64_nl_sas_dpia_list_en.pdf>accessed30December2018Opinion22/2018on thedraft list of the competent supervisory authority of theUnitedKingdomregardingtheprocessingoperationssubjecttherequirementofadataprotectionimpactassessment(Article35.4GDPR)[2018]<https://edpb.europa.eu/sites/edpb/files/files/file1/2018-09-25-opinion_2018_art._64_uk_dpia_list_en.pdf>accessed30December2018(v)EuropeanDataProtectionSupervisorOpinionontheProposal foraRegulationof theEuropeanParliamentandof theCouncilconcerningtheVisaInformationSystem(VIS)andtheexchangeofdatabetweenMemberStatesonshortstay-visas(COM(2004)835final)[2005]OJC181/13OpinionontheProposalforaCouncilDecisionontheestablishment,operationanduseofthesecondgenerationSchengen informationsystem(SIS II) (COM(2005)230 final); theProposal for a Regulation of the European Parliament and of the Council on theestablishment,operationanduseofthesecondgenerationSchengeninformationsystem

175

investigation, detection or prosecution of criminal offences or the execution of criminalpenalties,andthefreemovementofsuchdata[2015]WP233Guidelines on Data Protection Impact Assessment (DPIA) and determining whetherprocessing is ' likely to result in a high risk ' for the purposes of Regulation 2016/679[2018]WP248rev.01Guidelines on Automated individual decision-making and Profiling for the purposes ofRegulation2016/679[2018]WP251rev.01(ii)CouncilProposalforaregulationoftheEuropeanParliamentandoftheCouncilontheprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuch data (General Data Protection Regulation), Preparation for a general approach9565/15(11June2015)[2015]<https://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf>accessed20July2015(iii)EuropeanCommissionCommunication from the Commission to the European Parliament and the Council onPromotingDataProtectionbyPrivacyEnhancingTechnologies (PETs),COM(2007)228final[2007] <https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52007DC0228&from=EN>accessed30September2018Communication from the Commission to the European Parliament, the Council, theEconomicandSocialCommitteeof theRegions:AComprehensiveApproach toPersonalDataProtectionintheEuropeanUnion’COM(2010)609final<https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM:2010:0609:FIN>accessed30September2018ProposalforaRegulationoftheEuropeanParliamentandoftheCouncilontheprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata (GeneralDataProtectionRegulation),COM(2012)11 final,2012/0011(COD)[2012]<https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012PC0011&from=EN>accessed30September2018ProposalforaDirectiveoftheEuropeanParliamentandoftheCouncilontheprotectionofindividualswith regard to theprocessingof personal databy competent authorities forthepurposesofprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andthefreemovementofsuchdata,COM(2012)10final,2012/0010(COD)[2012]<https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012PC0010&from=en>accessed30September2018ImpactAssessmentaccompanying thedocumentRegulationof theEuropeanParliamentand of the Council on the protection of individuals with regard to the processing ofpersonal data and on the free movement of such data (General Data ProtectionRegulation)andDirectiveoftheEuropeanParliamentandoftheCouncilontheprotectionofindividualswithregardtotheprocessingofpersonaldatabycompetentauthoritiesfor

thepurposesofprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionof criminalpenalties, and the freemovementof suchdata,SEC (2012)72final[2012]<https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012SC0072&from=en>accessed20July2015‘AnswertotheResolutionoftheEuropeanParliamentof11February2015concerningtheconsequencesofthejudgmentoftheCourtofJusticeontheDataRetentionDirectiveandits possible impact on the proposed EU Directive on Passenger Name Records (PNR)’(leakeddocument)[2015]<http://statewatch.org/news/2015/mar/eu-com-eu-pnr-letter.pdf>accessed30September2018(iv)EuropeanDataProtectionBoardEndorsement1/2108[2018]<https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents.pdf>accessed30September2018‘Europe’snewdataprotectionrulesandtheEDPB:givingindividualsgreatercontrol’(pressrelease,25May2018)<https://edpb.europa.eu/news/news/2018/europes-new-data-protection-rules-and-edpb-giving-individuals-greater-control_en>accessed30December2018Opinion 5/2018 on the draft list of the competent supervisory authority of Germanyregarding the processing operations subject to the requirement of a data protectionimpactassessment(Article35.4GDPR)[2018]<https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-52018-germany-sas-dpia-list_en>accessed30December2018Opinion 13/2018 on the draft list of the competent supervisory authority of Lithuaniaregarding the processing operations subject to the requirements of a data protectionimpactassessment(Article35.4GDPR)[2018]<https://edpb.europa.eu/sites/edpb/files/files/file1/2018-09-25-opinion_2018_art._64_lt_sas_dpia_list_en.pdf>accessed30December2018Opinion 16/2018 on the draft list of the competent supervisory authority of theNetherlands regarding the processing operations subject to the requirement of a dataprotectionimpactassessment(Article35.4GDPR)[2018]<https://edpb.europa.eu/sites/edpb/files/files/file1/2018-09-25-opinion_2018_art._64_nl_sas_dpia_list_en.pdf>accessed30December2018Opinion22/2018on thedraft list of the competent supervisory authority of theUnitedKingdomregardingtheprocessingoperationssubjecttherequirementofadataprotectionimpactassessment(Article35.4GDPR)[2018]<https://edpb.europa.eu/sites/edpb/files/files/file1/2018-09-25-opinion_2018_art._64_uk_dpia_list_en.pdf>accessed30December2018(v)EuropeanDataProtectionSupervisorOpinionontheProposal foraRegulationof theEuropeanParliamentandof theCouncilconcerningtheVisaInformationSystem(VIS)andtheexchangeofdatabetweenMemberStatesonshortstay-visas(COM(2004)835final)[2005]OJC181/13OpinionontheProposalforaCouncilDecisionontheestablishment,operationanduseofthesecondgenerationSchengen informationsystem(SIS II) (COM(2005)230 final); theProposal for a Regulation of the European Parliament and of the Council on theestablishment,operationanduseofthesecondgenerationSchengeninformationsystem

176

(SIS II) (COM(2005) 236 final), and the Proposal for a Regulation of the EuropeanParliament and of the Council regarding access to the second generation SchengenInformationSystem(SISII)bytheservices intheMemberStatesresponsible for issuingvehicleregistrationcertificates(COM(2005)237final)[2005]OJC91/38OpinionontheProposal foraCouncilDecisionconcerningaccess forconsultationof theVisaInformationSystem(VIS)bytheauthoritiesofMemberStatesresponsibleforinternalsecurityandbyEuropolforthepurposesoftheprevention,detectionandinvestigationofterroristoffencesandofotherseriouscriminaloffences(COM(2005)600final)[2006]OJC97/6OpiniononthedraftCouncilRegulation(EC)layingdowntheformofthelaissez-passertobeissuedtomembersandservantsoftheinstitutions[2006]OJC313/36Opinion of the European Data Protection Supervisor on the modified proposal for aCouncilRegulationamendingRegulation(EC)1030/2002 layingdownauniformformatforresidencepermitsforthird-countrynationals[2006]OJC320/21Comments on the Communication of the Commission on interoperability of Europeandatabases[2006]<https://edps.europa.eu/sites/edp/files/publication/06-03-10_interoperability_en.pdf>accessed30May2016Opinionon the Initiativeof theFederalRepublicofGermany,withaview toadoptingaCouncilDecision on the implementation ofDecision2007/…/JHAon the stepping up ofcross-border cooperation, particularly in combating terrorism and cross-border crime[2008]OJC89/1Opinionontheproposal foraRegulationof theEuropeanParliamentandof theCouncilamendingCouncilRegulation(EC)No2252/2004onstandardsforsecurityfeaturesandbiometricsinpassportsandtraveldocumentsissuedbyMemberStates[2008]OJC200/1OpinionontheCommunicationfromtheCommissiontotheEuropeanParliamentandtheCouncilonanareaoffreedom,securityandjusticeservingthecitizen[2009]OJC276/09VideoSurveillanceGuidelines[2010]<https://edps.europa.eu/sites/edp/files/publication/10-03-17_video-surveillance_guidelines_en.pdf>accessed30September2018OpinionontheamendedproposalforaRegulationoftheEuropeanParliamentandoftheCouncilconcerningtheestablishmentof ‘Eurodac’ for thecomparisonof fingerprints forthe effective application of Regulation (EC) No (.../...) (establishing the criteria andmechanismsfordeterminingtheMemberStateresponsibleforexamininganapplicationfor international protection lodged in one of the Member States by a third-countrynationalorastatelessperson),andontheproposalforaCouncilDecisiononrequestingcomparisons with Eurodac data by Member States’ law enforcement authorities andEuropolforlawenforcementpurposes[2010]OJC92/1Opinion on a research project funded by the European Union under the SeventhFramework Programme (FP7) for Research and Technology Development - Turbine(TrUstedRevocableBiometricIdeNtitiEs)[2011]<https://edps.europa.eu/sites/edp/files/publication/11-02-01_fp7_en.pdf>accessed20July2015

Opiniononthedataprotectionreformpackage[2012]<https://edps.europa.eu/sites/edp/files/publication/12-03-07_edps_reform_package_en.pdf>accessed30September2018Opinion on the Communication from the Commission to the European Parliament, theCouncil, the Economic and Social Committee and the Committee of the Regions onmigration[2012]OJC34/18OpinionontheamendedproposalforaRegulationoftheEuropeanParliamentandoftheCouncil on the establishment of 'EURODAC' for the comparison of fingerprints for theeffectiveapplicationofRegulation(EU)No[.../...][...](Recastversion)[2012]<https://edps.europa.eu/sites/edp/files/publication/12-09-05_eurodac_en.pdf>accessed30September2018Opinion 5/2015, Second Opinion on the Proposal for a Directive of the EuropeanParliament and of the Council on the use of Passenger Name Record data for theprevention, detection, investigation and prosecution of terrorist offences and seriouscrime[2015]<https://edps.europa.eu/sites/edp/files/publication/15-09-24_pnr_en.pdf>accessed10April2018Developing a “Toolkit” for Assessing the Necessity of the Measures that Interfere withFundamentalRights(BackgroundPaperforconsultation)[2016]<https://edps.europa.eu/sites/edp/files/publication/16-06-16_necessity_paper_for_consultation_en.pdf>accessed10April2018‘EDPSlaunchesAccountabilityInitiative'[2016],factsheet<https://edps.europa.eu/sites/edp/files/publication/16-06-07_accountability_factsheet_en.pdf>accessed30September2018Opinion 06/2016, EDPS Opinion on the Second EU Smart Borders Package,RecommendationsontherevisedProposaltoestablishanEntry/ExitSystem[2016]<https://edps.europa.eu/sites/edp/files/publication/16-09-21_smart_borders_en.pdf> accessed30September2018Opinion07/2016,EDPSOpinionon theFirst reformpackageon theCommonEuropeanAsylumSystem(Eurodac,EASOandDublinregulations)[2016]<https://edps.europa.eu/sites/edp/files/publication/16-09-21_ceas_opinion_en.pdf> accessed 30September2018Assessingthenecessityofmeasuresthatlimitthefundamentalrighttodataprotection:Atoolkit[2017]<https://edps.europa.eu/sites/edp/files/publication/17-04-11_necessity_toolkit_en_0.pdf>accessed10April2018Opinion 4/2018 on the Proposals for two Regulations establishing a framework forinteroperabilitybetweenEUlarge-scaleinformationsystems[2018]<https://edps.europa.eu/sites/edp/files/publication/2018-04-16_interoperability_opinion_en.pdf>accessed30September2018Opinion05/2018,PreliminaryOpiniononPrivacybyDesign[2018]<https://edps.europa.eu/sites/edp/files/publication/18-05-31_preliminary_opinion_on_privacy_by_design_en_0.pdf>accessed30September2018

177

(SIS II) (COM(2005) 236 final), and the Proposal for a Regulation of the EuropeanParliament and of the Council regarding access to the second generation SchengenInformationSystem(SISII)bytheservices intheMemberStatesresponsible for issuingvehicleregistrationcertificates(COM(2005)237final)[2005]OJC91/38OpinionontheProposal foraCouncilDecisionconcerningaccess forconsultationof theVisaInformationSystem(VIS)bytheauthoritiesofMemberStatesresponsibleforinternalsecurityandbyEuropolforthepurposesoftheprevention,detectionandinvestigationofterroristoffencesandofotherseriouscriminaloffences(COM(2005)600final)[2006]OJC97/6OpiniononthedraftCouncilRegulation(EC)layingdowntheformofthelaissez-passertobeissuedtomembersandservantsoftheinstitutions[2006]OJC313/36Opinion of the European Data Protection Supervisor on the modified proposal for aCouncilRegulationamendingRegulation(EC)1030/2002 layingdownauniformformatforresidencepermitsforthird-countrynationals[2006]OJC320/21Comments on the Communication of the Commission on interoperability of Europeandatabases[2006]<https://edps.europa.eu/sites/edp/files/publication/06-03-10_interoperability_en.pdf>accessed30May2016Opinionon the Initiativeof theFederalRepublicofGermany,withaview toadoptingaCouncilDecision on the implementation ofDecision2007/…/JHAon the stepping up ofcross-border cooperation, particularly in combating terrorism and cross-border crime[2008]OJC89/1Opinionontheproposal foraRegulationof theEuropeanParliamentandof theCouncilamendingCouncilRegulation(EC)No2252/2004onstandardsforsecurityfeaturesandbiometricsinpassportsandtraveldocumentsissuedbyMemberStates[2008]OJC200/1OpinionontheCommunicationfromtheCommissiontotheEuropeanParliamentandtheCouncilonanareaoffreedom,securityandjusticeservingthecitizen[2009]OJC276/09VideoSurveillanceGuidelines[2010]<https://edps.europa.eu/sites/edp/files/publication/10-03-17_video-surveillance_guidelines_en.pdf>accessed30September2018OpinionontheamendedproposalforaRegulationoftheEuropeanParliamentandoftheCouncilconcerningtheestablishmentof ‘Eurodac’ for thecomparisonof fingerprints forthe effective application of Regulation (EC) No (.../...) (establishing the criteria andmechanismsfordeterminingtheMemberStateresponsibleforexamininganapplicationfor international protection lodged in one of the Member States by a third-countrynationalorastatelessperson),andontheproposalforaCouncilDecisiononrequestingcomparisons with Eurodac data by Member States’ law enforcement authorities andEuropolforlawenforcementpurposes[2010]OJC92/1Opinion on a research project funded by the European Union under the SeventhFramework Programme (FP7) for Research and Technology Development - Turbine(TrUstedRevocableBiometricIdeNtitiEs)[2011]<https://edps.europa.eu/sites/edp/files/publication/11-02-01_fp7_en.pdf>accessed20July2015

Opiniononthedataprotectionreformpackage[2012]<https://edps.europa.eu/sites/edp/files/publication/12-03-07_edps_reform_package_en.pdf>accessed30September2018Opinion on the Communication from the Commission to the European Parliament, theCouncil, the Economic and Social Committee and the Committee of the Regions onmigration[2012]OJC34/18OpinionontheamendedproposalforaRegulationoftheEuropeanParliamentandoftheCouncil on the establishment of 'EURODAC' for the comparison of fingerprints for theeffectiveapplicationofRegulation(EU)No[.../...][...](Recastversion)[2012]<https://edps.europa.eu/sites/edp/files/publication/12-09-05_eurodac_en.pdf>accessed30September2018Opinion 5/2015, Second Opinion on the Proposal for a Directive of the EuropeanParliament and of the Council on the use of Passenger Name Record data for theprevention, detection, investigation and prosecution of terrorist offences and seriouscrime[2015]<https://edps.europa.eu/sites/edp/files/publication/15-09-24_pnr_en.pdf>accessed10April2018Developing a “Toolkit” for Assessing the Necessity of the Measures that Interfere withFundamentalRights(BackgroundPaperforconsultation)[2016]<https://edps.europa.eu/sites/edp/files/publication/16-06-16_necessity_paper_for_consultation_en.pdf>accessed10April2018‘EDPSlaunchesAccountabilityInitiative'[2016],factsheet<https://edps.europa.eu/sites/edp/files/publication/16-06-07_accountability_factsheet_en.pdf>accessed30September2018Opinion 06/2016, EDPS Opinion on the Second EU Smart Borders Package,RecommendationsontherevisedProposaltoestablishanEntry/ExitSystem[2016]<https://edps.europa.eu/sites/edp/files/publication/16-09-21_smart_borders_en.pdf> accessed30September2018Opinion07/2016,EDPSOpinionon theFirst reformpackageon theCommonEuropeanAsylumSystem(Eurodac,EASOandDublinregulations)[2016]<https://edps.europa.eu/sites/edp/files/publication/16-09-21_ceas_opinion_en.pdf> accessed 30September2018Assessingthenecessityofmeasuresthatlimitthefundamentalrighttodataprotection:Atoolkit[2017]<https://edps.europa.eu/sites/edp/files/publication/17-04-11_necessity_toolkit_en_0.pdf>accessed10April2018Opinion 4/2018 on the Proposals for two Regulations establishing a framework forinteroperabilitybetweenEUlarge-scaleinformationsystems[2018]<https://edps.europa.eu/sites/edp/files/publication/2018-04-16_interoperability_opinion_en.pdf>accessed30September2018Opinion05/2018,PreliminaryOpiniononPrivacybyDesign[2018]<https://edps.europa.eu/sites/edp/files/publication/18-05-31_preliminary_opinion_on_privacy_by_design_en_0.pdf>accessed30September2018

178

(vi)EuropeanNetworkandInformationSocietyAgencyPrivacyandDataProtectionbyDesign-fromPrivacytoEngineering(Report2014)<https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design>accessedon30September2018(vii)EuropeanParliamentDraft report on ‘the proposal for a regulation of the European Parliament and of theCouncilontheprotectionofindividualwithregardtotheprocessingofpersonaldataandon the free movement of such data (General Data Protection Regulation)’ (Albrecht JP(rapporteur))[2013]PE506.145v01-00<http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-506.145+01+DOC+PDF+V0//EN&language=EN>accessed20July2015LegislativeResolutionontheproposalforaregulationoftheEuropeanParliamentandoftheCouncilontheprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata(GeneralDataProtectionRegulation)(COM(2012)0011-C7-0025/2012–2012/0011(COD)PT7_TA(2014)01[2014]<http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2014-0212&language=EN&ring=A7-2013-0402>accessed20July2015LegislativeResolutionontheproposal foradirectiveof theEuropeanParliamentandoftheCouncilontheprotectionofindividualswithregardtotheprocessingofpersonaldataby competent authorities for the purposes of prevention, investigation, detection orprosecution of criminal offences or the execution of criminal penalties, and the freemovement of such data (COM (2012) 0010 – C7-0024/2012 -2012/0010 (COD)),P7_TA(2014)0219[2014]<http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2014-0219>accessed20July2015Legal Opinion of the Legal Service, leaked document, ‘LIBE- Questions relating to thejudgmentoftheCourtofJusticeof8April2014injoinedcasesC-293/12andC-594/12,DigitalRightsIrelandandSeitlingerandothers-Directive2006/24/ECondata retention-Consequencesofthejudgment’<http://www.statewatch.org/news/2015/apr/ep-ls-opinion-digital-rights-judgment.pdf>accessed30September2018(viii)EuropeanUnionAgencyforFundamentalRightsHandbookonEuropeanDataProtectionLaw[2014]<http://fra.europa.eu/en/publication/2014/handbook-european-data-protection-law-2014-edition>accessed30September2018HandbookonEuropeanDataProtectionLaw[2018]<http://fra.europa.eu/en/publication/2018/handbook-european-data-protection-law>accessed30September2018

B. COUNCILOFEUROPELEVEL

(i)CouncilofEuropeRecommendationNo.R(87)15oftheCommitteeofMinisterstoMemberStatesregulatingtheuseofpersonaldatainthepolicesector[1987]<https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016804e7a3c>accessed30September2018

(ii)ConsultativeCommitteeofConvention108ProgressReportontheApplicationof thePrinciplesofConvention108totheCollectionandProcessingofBiometricData[2005]<https://rm.coe.int/16806840ba>accessed30September2015DraftPracticalGuideontheUseofPersonalDatainthePoliceSector,T-PD(2016)02rev5[2017]PracticalGuideontheUseofPersonalDatainthePoliceSectorT-PD(2018)01[2018]Draft Explanatory Report of theModernised Version of Convention 108’ (based on theproposalsadoptedbythe29thPlenarymeetingoftheT-PD),TP-PD-BUR(2013)3ENrev5[2013](iii)DirectorateoftheJurisconsult‘Guide on Article 8 of the European Convention onHuman Rights, Right to Respect forPrivateandFamilyLife,HomeandCorrespondence’[2018]<https://www.echr.coe.int/Documents/Guide_Art_8_ENG.pdf>accessed30September2018(iv)ParliamentaryAssemblyoftheCouncilofEuropeCommitteeonLegalAffairsandHumanRights,‘TheNeedforaGlobalConsiderationoftheHumanRightsImplicationsofBiometrics’(2011)RapporteurHHaibach,Doc12522<https://assembly.coe.int/nw/xml/XRef/X2H-Xref-ViewPDF.asp?FileID=13103&lang=en>accessed20July2015Recommendation1960(2011),‘TheNeedforaGlobalConsiderationoftheHumanRightsImplicationsofBiometrics’<https://assembly.coe.int/nw/xml/XRef/X2H-Xref-ViewPDF.asp?FileID=17964&lang=en>accessed20July2015Resolution 1797 (2011), ‘The Need for a Global Consideration of the Human RightsImplicationsofBiometrics’<https://assembly.coe.int/nw/xml/XRef/X2H-Xref-ViewPDF.asp?FileID=17968&lang=en>accessed20July2015

C. INTERNATIONALLEVEL

(i)InternationalCivilAviationOrganizationGuidelinesonPassengerNameRecord(PNR)Data,firstedition2010,Doc9944<https://www.iata.org/iata/passenger-data-toolkit/assets/doc_library/04-pnr/New%20Doc%209944%201st%20Edition%20PNR.pdf>accessedon30September2018(ii)InternationalConferenceofDataProtectionandPrivacyCommissionersResolutionon theUseofBiometrics inPassports, IdentityCardsandTravelDocuments,27thConference,Montreux,16September2005[2005]<https://icdppc.org/wp-content/uploads/2015/02/Resolution-on-Use-of-Biometrics-in-passports-identity-cards-and-travel-documents.pdf>accessed20July2015ResolutiononPrivacybyDesign,Jerusalem,Israel,32ndConference[2010]

179

(vi)EuropeanNetworkandInformationSocietyAgencyPrivacyandDataProtectionbyDesign-fromPrivacytoEngineering(Report2014)<https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design>accessedon30September2018(vii)EuropeanParliamentDraft report on ‘the proposal for a regulation of the European Parliament and of theCouncilontheprotectionofindividualwithregardtotheprocessingofpersonaldataandon the free movement of such data (General Data Protection Regulation)’ (Albrecht JP(rapporteur))[2013]PE506.145v01-00<http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-506.145+01+DOC+PDF+V0//EN&language=EN>accessed20July2015LegislativeResolutionontheproposalforaregulationoftheEuropeanParliamentandoftheCouncilontheprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata(GeneralDataProtectionRegulation)(COM(2012)0011-C7-0025/2012–2012/0011(COD)PT7_TA(2014)01[2014]<http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2014-0212&language=EN&ring=A7-2013-0402>accessed20July2015LegislativeResolutionontheproposal foradirectiveof theEuropeanParliamentandoftheCouncilontheprotectionofindividualswithregardtotheprocessingofpersonaldataby competent authorities for the purposes of prevention, investigation, detection orprosecution of criminal offences or the execution of criminal penalties, and the freemovement of such data (COM (2012) 0010 – C7-0024/2012 -2012/0010 (COD)),P7_TA(2014)0219[2014]<http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2014-0219>accessed20July2015Legal Opinion of the Legal Service, leaked document, ‘LIBE- Questions relating to thejudgmentoftheCourtofJusticeof8April2014injoinedcasesC-293/12andC-594/12,DigitalRightsIrelandandSeitlingerandothers-Directive2006/24/ECondata retention-Consequencesofthejudgment’<http://www.statewatch.org/news/2015/apr/ep-ls-opinion-digital-rights-judgment.pdf>accessed30September2018(viii)EuropeanUnionAgencyforFundamentalRightsHandbookonEuropeanDataProtectionLaw[2014]<http://fra.europa.eu/en/publication/2014/handbook-european-data-protection-law-2014-edition>accessed30September2018HandbookonEuropeanDataProtectionLaw[2018]<http://fra.europa.eu/en/publication/2018/handbook-european-data-protection-law>accessed30September2018

B. COUNCILOFEUROPELEVEL

(i)CouncilofEuropeRecommendationNo.R(87)15oftheCommitteeofMinisterstoMemberStatesregulatingtheuseofpersonaldatainthepolicesector[1987]<https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016804e7a3c>accessed30September2018

(ii)ConsultativeCommitteeofConvention108ProgressReportontheApplicationof thePrinciplesofConvention108totheCollectionandProcessingofBiometricData[2005]<https://rm.coe.int/16806840ba>accessed30September2015DraftPracticalGuideontheUseofPersonalDatainthePoliceSector,T-PD(2016)02rev5[2017]PracticalGuideontheUseofPersonalDatainthePoliceSectorT-PD(2018)01[2018]Draft Explanatory Report of theModernised Version of Convention 108’ (based on theproposalsadoptedbythe29thPlenarymeetingoftheT-PD),TP-PD-BUR(2013)3ENrev5[2013](iii)DirectorateoftheJurisconsult‘Guide on Article 8 of the European Convention onHuman Rights, Right to Respect forPrivateandFamilyLife,HomeandCorrespondence’[2018]<https://www.echr.coe.int/Documents/Guide_Art_8_ENG.pdf>accessed30September2018(iv)ParliamentaryAssemblyoftheCouncilofEuropeCommitteeonLegalAffairsandHumanRights,‘TheNeedforaGlobalConsiderationoftheHumanRightsImplicationsofBiometrics’(2011)RapporteurHHaibach,Doc12522<https://assembly.coe.int/nw/xml/XRef/X2H-Xref-ViewPDF.asp?FileID=13103&lang=en>accessed20July2015Recommendation1960(2011),‘TheNeedforaGlobalConsiderationoftheHumanRightsImplicationsofBiometrics’<https://assembly.coe.int/nw/xml/XRef/X2H-Xref-ViewPDF.asp?FileID=17964&lang=en>accessed20July2015Resolution 1797 (2011), ‘The Need for a Global Consideration of the Human RightsImplicationsofBiometrics’<https://assembly.coe.int/nw/xml/XRef/X2H-Xref-ViewPDF.asp?FileID=17968&lang=en>accessed20July2015

C. INTERNATIONALLEVEL

(i)InternationalCivilAviationOrganizationGuidelinesonPassengerNameRecord(PNR)Data,firstedition2010,Doc9944<https://www.iata.org/iata/passenger-data-toolkit/assets/doc_library/04-pnr/New%20Doc%209944%201st%20Edition%20PNR.pdf>accessedon30September2018(ii)InternationalConferenceofDataProtectionandPrivacyCommissionersResolutionon theUseofBiometrics inPassports, IdentityCardsandTravelDocuments,27thConference,Montreux,16September2005[2005]<https://icdppc.org/wp-content/uploads/2015/02/Resolution-on-Use-of-Biometrics-in-passports-identity-cards-and-travel-documents.pdf>accessed20July2015ResolutiononPrivacybyDesign,Jerusalem,Israel,32ndConference[2010]

180

<https://icdppc.org/wp-content/uploads/2015/02/32-Conference-Israel-resolution-on-Privacy-by-Design.pdf>accessed30September2018(iii)OrganisationforEconomicCooperationandDevelopmentGuidelineson theProtectionofPrivacyandTransborderFlowsofPersonalData [1980](updatedin2013)<http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm>accessed30September2018

D. NATIONALLEVEL

(i)BelgiumAutoritédeProtectiondesDonnéesRecommendationn°01/2018du28février2018,[2018]43<https://www.autoriteprotectiondonnees.be/sites/privacycommission/files/documents/recommandation_01_2018.pdf>accessedon30September2018(ii)FranceCommissionNationaleInformatiqueetLibertésPrivacyImpactAssessment(PIA):KnowledgeBases[2018]<https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-3-enknowledgebases.pdf>accessed30September2018PrivacyImpactAssessment(PIA):Templates[2018]<https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-2-en-templates.pdf>accessed30September2018‘CNILpublishesanupdateofitsPIAGuides’(cnil.fr,26February2018)<https://www.cnil.fr/en/cnil-publishes-update-its-pia-guides>accessed30September2018(iii)ItalyIlGaranteGuidelines on Biometric Recognition and Graphometric Signature, Annex A to theGarante’sOrderof12November2014[2014]<http://194.242.234.211/documents/10160/0/GUIDELINES+ON+BIOMETRIC+RECOGNITION>accessed20July2015(iv)UnitedKingdomDyfedPowysPoliceDataProtectionImpactAssessmentPolicy<https://www.dyfed-powys.police.uk/media/5874/data-protection-impact-assessment-policy.pdf>accessed30December2018InformationCommissioner’sOfficeGuidetotheGeneralDataProtectionRegulation(GDPR)[2018]<https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf>accessedon30September2018Guideon ‘Accountability andGovernance:DataProtection ImpactAssessments (DPIAs)'[2018]

<https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias-1-0.pdf>accessed30September2018SampleDPIATemplate[2018]<https://ico.org.uk/media/about-the-ico/consultations/2258461/dpia-template-v04-post-comms-review-20180308.pdf>accessed30September2018ParliamentData Protection Bill, Bill 190 2017-19, as amended in Public Bill Committee (23March2018)<https://publications.parliament.uk/pa/bills/cbill/2017-2019/0190/18190.pdf>accessed10April2018(v)IrelandDataProtectionCommissionerGuidanceonBiometricsintheWorkplace<https://www.dataprotection.ie/docs/Biometrics-in-the-workplace/m/244.htm>accessed30September2018(vi)NetherlandsTweedeKamer(Secondchamber,Parliament)Dutchdraft lawtoimplementDirective2016/680(16February2018)(VoorstelvanWetn°34889-2-Wijziging van deWet politiegegevens en deWet justitiële en strafvorderlijkegegevens ter implementatie van Europese regelgeving over de verwerking vanpersoonsgegevensmethetoogopdevoorkoming,hetonderzoek,deopsporingenvervolgingvanstrafbarefeitenofdetenuitvoerleggingvanstraffen)<https://www.tweedekamer.nl/kamerstukken/wetsvoorstellen/detail?cfg=wetsvoorsteldetails&qry=wetsvoorstel:34889>accessed10April2018IV.STANDARDSANDGLOSSARIES(i)AssociationforBiometricsandInternationalComputerSecurityAssociation‘1999GlossaryofBiometricTerms’<biometrics3.tripod.com/pubs/glossary.pdf>accessed20July2015(ii)InternationalOrganizationforStandardizationISO/IEC2382-37:2012(E)-InformationTechnology-Vocabulary-Part37:Biometrics,<http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=55194>accessed20July2015(iii)USNationalScienceandTechnologyCouncil’sSubcommitteeonBiometricsBiometricsGlossary[2006]<http://www.biometrics.gov/documents/glossary.pdf>accessed20July2015

181

<https://icdppc.org/wp-content/uploads/2015/02/32-Conference-Israel-resolution-on-Privacy-by-Design.pdf>accessed30September2018(iii)OrganisationforEconomicCooperationandDevelopmentGuidelineson theProtectionofPrivacyandTransborderFlowsofPersonalData [1980](updatedin2013)<http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm>accessed30September2018

D. NATIONALLEVEL

(i)BelgiumAutoritédeProtectiondesDonnéesRecommendationn°01/2018du28février2018,[2018]43<https://www.autoriteprotectiondonnees.be/sites/privacycommission/files/documents/recommandation_01_2018.pdf>accessedon30September2018(ii)FranceCommissionNationaleInformatiqueetLibertésPrivacyImpactAssessment(PIA):KnowledgeBases[2018]<https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-3-enknowledgebases.pdf>accessed30September2018PrivacyImpactAssessment(PIA):Templates[2018]<https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-2-en-templates.pdf>accessed30September2018‘CNILpublishesanupdateofitsPIAGuides’(cnil.fr,26February2018)<https://www.cnil.fr/en/cnil-publishes-update-its-pia-guides>accessed30September2018(iii)ItalyIlGaranteGuidelines on Biometric Recognition and Graphometric Signature, Annex A to theGarante’sOrderof12November2014[2014]<http://194.242.234.211/documents/10160/0/GUIDELINES+ON+BIOMETRIC+RECOGNITION>accessed20July2015(iv)UnitedKingdomDyfedPowysPoliceDataProtectionImpactAssessmentPolicy<https://www.dyfed-powys.police.uk/media/5874/data-protection-impact-assessment-policy.pdf>accessed30December2018InformationCommissioner’sOfficeGuidetotheGeneralDataProtectionRegulation(GDPR)[2018]<https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf>accessedon30September2018Guideon ‘Accountability andGovernance:DataProtection ImpactAssessments (DPIAs)'[2018]

<https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias-1-0.pdf>accessed30September2018SampleDPIATemplate[2018]<https://ico.org.uk/media/about-the-ico/consultations/2258461/dpia-template-v04-post-comms-review-20180308.pdf>accessed30September2018ParliamentData Protection Bill, Bill 190 2017-19, as amended in Public Bill Committee (23March2018)<https://publications.parliament.uk/pa/bills/cbill/2017-2019/0190/18190.pdf>accessed10April2018(v)IrelandDataProtectionCommissionerGuidanceonBiometricsintheWorkplace<https://www.dataprotection.ie/docs/Biometrics-in-the-workplace/m/244.htm>accessed30September2018(vi)NetherlandsTweedeKamer(Secondchamber,Parliament)Dutchdraft lawtoimplementDirective2016/680(16February2018)(VoorstelvanWetn°34889-2-Wijziging van deWet politiegegevens en deWet justitiële en strafvorderlijkegegevens ter implementatie van Europese regelgeving over de verwerking vanpersoonsgegevensmethetoogopdevoorkoming,hetonderzoek,deopsporingenvervolgingvanstrafbarefeitenofdetenuitvoerleggingvanstraffen)<https://www.tweedekamer.nl/kamerstukken/wetsvoorstellen/detail?cfg=wetsvoorsteldetails&qry=wetsvoorstel:34889>accessed10April2018IV.STANDARDSANDGLOSSARIES(i)AssociationforBiometricsandInternationalComputerSecurityAssociation‘1999GlossaryofBiometricTerms’<biometrics3.tripod.com/pubs/glossary.pdf>accessed20July2015(ii)InternationalOrganizationforStandardizationISO/IEC2382-37:2012(E)-InformationTechnology-Vocabulary-Part37:Biometrics,<http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=55194>accessed20July2015(iii)USNationalScienceandTechnologyCouncil’sSubcommitteeonBiometricsBiometricsGlossary[2006]<http://www.biometrics.gov/documents/glossary.pdf>accessed20July2015

182

V.LITERATURE

(i)BooksandBookChaptersAdler A and Schuckers S, ‘Biometric Vulnerabilities, Overview’ in Li S and Jain A (eds),EncyclopediaofBiometrics(Springer2015)Alexander L and Sherwin E,DemystifyingLegalReasoning (Cambridge University Press2008)BarnardCandPeersS,EuropeanUnionLaw(1stedn,OUP2014)BremsEandGerardsJ(eds),ShapingRightsintheECHR:TheRoleoftheEuropeanCourtofHuman Rights in Determining the Scope of Human Rights (Cambridge University Press2014)Boehm F, Information Sharing andData Protection in theArea of Freedom, Security andJustice: Towards Harmonised Data Protection Principles for Information Exchange at EU-level(Springer2012)CampisiP(ed),SecurityandPrivacyinBiometrics(Springer2013)Cannataci J, CaruanaM, andMifsudBonnici J, ‘R (87)15:A SlowDeath?’ inKleveP,DeMulderRandvanNoortwijkC(eds),Monitoring,SupervisionandInformationTechnology,Proceedings of the First International Seminar of the Legal Framework Society (LEFIS)(ErasmusUniversityPress2007)Cate F and Dempsey J (eds), Bulk Collection, Systematic Government’s Access to PrivateSectorData(OUP2017)Cavoukian A, ‘Privacy by Design: Take the Challenge’ (Information and PrivacyCommissionerofOntario,2009)Chen Y and Fondeur JC, ‘Biometric Algorithms’ in Li S and Jain A (eds),EncyclopediaofBiometrics(Springer,2015)Cole S,SuspectIdentities:AHistoryofFingerprintingandCriminalIdentification (HarvardUniversityPress2001)ColonnaL, ‘DataMininganditsParadoxicalRelationshiptothePurposeofLimitation’ inGutwirthG,LeenesRandDeHertP(eds),ReloadingDataProtection(Kluwer2014)De Busser E, Data Protection in EU and US criminal cooperation: A Substantive LawApproach to the EU Internal and Transatlantic Cooperation in Criminal Matters betweenJudicialandLawEnforcementAuthorities(Maklu2009)DeBusserEandVermeulenG,‘TowardsaCoherentEUPolicyonOutgoingDataTransfersforUseinCriminalMatters?TheAdequacyRequirementandtheFrameworkDecisiononDataProtectioninCriminalMatters.ATransatlanticExerciseinAdequacy’inCoolsMetal(eds), EU and International Crime Control, Topical Issues, Governance and SecurityResearchPaperSeriesvol.4(Maklu2010)

DeHertP,‘DivisionofCompetenciesbetweenNationalandEuropeanLevelswithRegardtoJusticeandHomeAffairs’ inApapJ(ed),JusticeandHomeAffairsintheEU:LibertyandSecurityIssuesafterEnlargement(Elgar,2004)DeHertPandBoehmF, ‘TheRightsofNotificationAfterSurveillance isOver:Ready forRecognition?’(2012)DigitalEnlightenmentYearbook19DeHertPandGutwirthS, ‘Privacy,DataProtectionandLawEnforcement.OpacityoftheIndividual andTransparencyofPower’ inClaesE,DuffA, andGutwirthS (eds), PrivacyandtheCriminalLaw(Intersentia2006)DeHertandMalgieriG, ‘EuropeanHumanRights,CriminalSurveillance,andIntelligenceSurveillance:Towards“GoodEnough”Oversight,PreferablybutnotNecessarilybyJudges’in Gray D and Henderson S (eds),CambridgeHandbookofSurveillanceLaw (CambridgeUniversityPress2017)Dempsey J, Cate H, and Abrams M, ‘Organizational Accountability, Government Use ofPrivate-Sector Data, National Security, and Individual Privacy’ in Cate F andDempsey J(eds),BulkCollection:SystematicGovernmentAccesstoPrivate-SectorData(OUP2017)González Fuster G,TheEmergenceofPersonalDataProtectionasaFundamentalRightoftheEU(Springer2014)Gutwirth S, Poullet Y,DeHert P, deTerwangneC, andNouwt S (eds),ReinventingDataProtection?(Springer2009)GutwirthS,LeenesL,andDeHertP(eds),ReloadingDataProtection(Springer2014)HansenM,‘DataProtectionbyDefaultinIdentity-RelatedApplications’inSimoneFischer-Hübner, Elisabeth de Leeuw, and Chris Mitchell (eds), Policies andResearch in IdentityManagement(Springer2013) HijmansH,TheEuropeanUnionasGuardian ofInternetPrivacyandDataProtection:TheStoryofArt16TFEU(Springer2016)HustinxP,‘EuropeanLeadershipinPrivacyandDataProtection’inRalloLombarteAandGarcía Mahamut R (eds), Hacia un Nuevo Derecho European de Protección de Datos,TowardsaNewEuropeanDataProtectionRegime(TirantloBlanch2015) JainA,RossA,andNandakumarK(eds),IntroductiontoBiometrics(Springer2011)JainA,FlynnP,andRossA(eds),HandbookofBiometrics(Springer2008)KindtE,PrivacyandDataProtectionIssuesofBiometricApplications:AComparativeLegalAnalysis(Springer2013)KlipA(ed),SubstantiveCriminalLawoftheEuropeanUnion(Maklu2011)KlipA,EuropeanCriminalLaw:AnIntegrativeApproach(3rdedn,Intersentia2016)

183

V.LITERATURE

(i)BooksandBookChaptersAdler A and Schuckers S, ‘Biometric Vulnerabilities, Overview’ in Li S and Jain A (eds),EncyclopediaofBiometrics(Springer2015)Alexander L and Sherwin E,DemystifyingLegalReasoning (Cambridge University Press2008)BarnardCandPeersS,EuropeanUnionLaw(1stedn,OUP2014)BremsEandGerardsJ(eds),ShapingRightsintheECHR:TheRoleoftheEuropeanCourtofHuman Rights in Determining the Scope of Human Rights (Cambridge University Press2014)Boehm F, Information Sharing andData Protection in theArea of Freedom, Security andJustice: Towards Harmonised Data Protection Principles for Information Exchange at EU-level(Springer2012)CampisiP(ed),SecurityandPrivacyinBiometrics(Springer2013)Cannataci J, CaruanaM, andMifsudBonnici J, ‘R (87)15:A SlowDeath?’ inKleveP,DeMulderRandvanNoortwijkC(eds),Monitoring,SupervisionandInformationTechnology,Proceedings of the First International Seminar of the Legal Framework Society (LEFIS)(ErasmusUniversityPress2007)Cate F and Dempsey J (eds), Bulk Collection, Systematic Government’s Access to PrivateSectorData(OUP2017)Cavoukian A, ‘Privacy by Design: Take the Challenge’ (Information and PrivacyCommissionerofOntario,2009)Chen Y and Fondeur JC, ‘Biometric Algorithms’ in Li S and Jain A (eds),EncyclopediaofBiometrics(Springer,2015)Cole S,SuspectIdentities:AHistoryofFingerprintingandCriminalIdentification (HarvardUniversityPress2001)ColonnaL, ‘DataMininganditsParadoxicalRelationshiptothePurposeofLimitation’ inGutwirthG,LeenesRandDeHertP(eds),ReloadingDataProtection(Kluwer2014)De Busser E, Data Protection in EU and US criminal cooperation: A Substantive LawApproach to the EU Internal and Transatlantic Cooperation in Criminal Matters betweenJudicialandLawEnforcementAuthorities(Maklu2009)DeBusserEandVermeulenG,‘TowardsaCoherentEUPolicyonOutgoingDataTransfersforUseinCriminalMatters?TheAdequacyRequirementandtheFrameworkDecisiononDataProtectioninCriminalMatters.ATransatlanticExerciseinAdequacy’inCoolsMetal(eds), EU and International Crime Control, Topical Issues, Governance and SecurityResearchPaperSeriesvol.4(Maklu2010)

DeHertP,‘DivisionofCompetenciesbetweenNationalandEuropeanLevelswithRegardtoJusticeandHomeAffairs’ inApapJ(ed),JusticeandHomeAffairsintheEU:LibertyandSecurityIssuesafterEnlargement(Elgar,2004)DeHertPandBoehmF, ‘TheRightsofNotificationAfterSurveillance isOver:Ready forRecognition?’(2012)DigitalEnlightenmentYearbook19DeHertPandGutwirthS, ‘Privacy,DataProtectionandLawEnforcement.OpacityoftheIndividual andTransparencyofPower’ inClaesE,DuffA, andGutwirthS (eds), PrivacyandtheCriminalLaw(Intersentia2006)DeHertandMalgieriG, ‘EuropeanHumanRights,CriminalSurveillance,andIntelligenceSurveillance:Towards“GoodEnough”Oversight,PreferablybutnotNecessarilybyJudges’in Gray D and Henderson S (eds),CambridgeHandbookofSurveillanceLaw (CambridgeUniversityPress2017)Dempsey J, Cate H, and Abrams M, ‘Organizational Accountability, Government Use ofPrivate-Sector Data, National Security, and Individual Privacy’ in Cate F andDempsey J(eds),BulkCollection:SystematicGovernmentAccesstoPrivate-SectorData(OUP2017)González Fuster G,TheEmergenceofPersonalDataProtectionasaFundamentalRightoftheEU(Springer2014)Gutwirth S, Poullet Y,DeHert P, deTerwangneC, andNouwt S (eds),ReinventingDataProtection?(Springer2009)GutwirthS,LeenesL,andDeHertP(eds),ReloadingDataProtection(Springer2014)HansenM,‘DataProtectionbyDefaultinIdentity-RelatedApplications’inSimoneFischer-Hübner, Elisabeth de Leeuw, and Chris Mitchell (eds), Policies andResearch in IdentityManagement(Springer2013) HijmansH,TheEuropeanUnionasGuardian ofInternetPrivacyandDataProtection:TheStoryofArt16TFEU(Springer2016)HustinxP,‘EuropeanLeadershipinPrivacyandDataProtection’inRalloLombarteAandGarcía Mahamut R (eds), Hacia un Nuevo Derecho European de Protección de Datos,TowardsaNewEuropeanDataProtectionRegime(TirantloBlanch2015) JainA,RossA,andNandakumarK(eds),IntroductiontoBiometrics(Springer2011)JainA,FlynnP,andRossA(eds),HandbookofBiometrics(Springer2008)KindtE,PrivacyandDataProtectionIssuesofBiometricApplications:AComparativeLegalAnalysis(Springer2013)KlipA(ed),SubstantiveCriminalLawoftheEuropeanUnion(Maklu2011)KlipA,EuropeanCriminalLaw:AnIntegrativeApproach(3rdedn,Intersentia2016)

184 165

Klitou D, Privacy-Invading and Privacy by Design: Safeguarding Privacy, Liberty andSecurityinthe21stCentury(Springer2014)KotschyW,‘Article2,Directive95/46/EC’inBüllesbachA,GijrathS,PoulletY,andPrinsC(eds),ConciseofEuropeanITlaw(2ndedn,KluwerLawInternational2010)KranenborgH, ‘Article 8’ in Peers S et al (eds),TheEUCharterofFundamentalRights,ACommentary(HartPublishing2014)Kumar A and Zhang D (eds), Ethics and Policy of Biometrics, Third InternationalConference on Ethics and Policy of Biometrics and International Data Sharing, IECB(Springer2010)Kuner C, Bygrave L, andDocksey C (eds), ‘Draft commentaries on 10 GDPR articles,’ inCommentaryontheEUGeneralDataProtectionRegulation(OUP2019)Kung A, ‘PEARS: Privacy Enhancing Architectures’ in Preneel B and Ikonomou D (eds),PrivacyTechnologiesandPolicies(Springer2014)LessigL,‘Code,Version2.0’(BasicBooks2006)LiSandJainA(eds),HandbookofFaceRecognition(2ndedn,Springer2011)LiSandJainA(eds),EncyclopediaofBiometrics(Springer2015)LiuNY,Bio-Privacy,PrivacyRegulationsandtheChallengesofBiometrics(Routledge2012)LowranceW, ‘Privacy, Confidentiality, Safeguards’ in Privacy,Confidentiality,andHealthResearch(CambridgeUniversityPress2012)LynskeyO,TheFoundationsofEUDataProtectionLaw(OUP2015)Lynskey O, ‘The Role of Collective Actors in the Enforcement of the Right to DataProtectionunderEULaw’ inMuirE,KilpatrickC,Miller J,anddeWitteB(eds),HowEUShapes Opportunities for Preliminary References on Fundamental Rights: Discrimination,DataProtectionandAsylum(2017)EUIWorkingPaperLaw2017/17Maltoni D, ‘Fingerprint Recognition, Overview’ in Li S and Jain K (eds),EncyclopediaofBiometrics(Springer2015)MaltoniD,MaioD,JainA,andPrabhakarS(eds),HandbookofFingerprintRecognition(2ndedn,Springer2009)MannT(ed),AustralianLawDictionary(OUP2010)McBride J,HumanRightsandCriminalProcedure:TheCaseLawoftheEuropeanCourtofHumanRights(2ndedn,CouncilofEurope2018)McIverR,‘BiometricVocabularyStandardization’inLiSandJainA(eds),EncyclopediaofBiometrics(Springer2015)

166

Mifsud Bonnici J, ‘Redefining the Relationship Between Security, Data Retention andHuman Rights’ in Holzhacker R and Luif P (eds), Freedom, Security and Justice in theEuropeanUnion(Springer2014)MitsilegasV,EUCriminalLawafterLisbon:Rights,TrustandtheTransformationofJusticeinEurope(HartStudies2018)Pato JNandMillettLI(eds),BiometricRecognition:ChallengesandOpportunities,WhitherBiometrics Committee and National Research Council (The National Academies Press2010)PeersS,EUJusticeandHomeAffairsLaw:VolumeII:EUCriminalLaw,Policing,andCivilLaw(Oxford2016)Peers S,HerveyT,Kenner J, andWardA (eds),TheEUCharterofFundamentalRights,ACommentary(HartPublishing2014)Peers S andPrechal S, ‘Article 52’ in S Peers et al (eds),TheEUCharterofFundamentalRights,ACommentary(HartPublishing2014)RouvroyAandPoulletY,‘TheRighttoInformationalSelf-DeterminationandtheValueofSelf-Development:ReassessingtheImportanceofPrivacyforDemocracy’inGutwirthSetal(eds),ReinventingDataProtection?(Springer2009)RubinsteinI,NojeimG,andLeeL,‘SystematicGovernmentAccesstoPrivate-SectorData,AComparative Analysis’ in Cate C and Dempsey J (eds), Bulk Collection, SystematicGovernment’sAccesstoPrivateSectorData(OUP2017)van der Schyff G, ‘Interpreting the Protection Guaranteed by Two-Stage Rights in theEuropeanConventiononHumanRights,theCaseforWideInterpretation’inBremsEandGerards J (eds), Shaping Rights in the ECHR: The Role of the European Court of HumanRightsinDeterminingtheScopeofHumanRights(CambridgeUniversityPress2014)TersteggeJ,‘Article3,Directive95/46/EC,’inBüllesbachA,GijrathS,PoulletY,andPrinsC(eds),ConciseofEuropeanITlaw(2ndedn,KluwerLawInternational2010)Tzanou M, TheFundamentalRight toDataProtection:NormativeValue in theContextofCounter-TerrorismSurveillance(HartPublishing2017)Vervaele J, ‘Surveillance and Criminal Investigation: Blurring of Thresholds andBoundaries in theCriminal JusticeSystem' inGutwirthS,LeenesL,andDeHertP(eds),ReloadingDataProtection(Springer2014)WaymanJ,‘BiometricVerification/Identification/Authentication/Recognition:TheTerminology’inSLiandAJain(eds),EncyclopediaofBiometrics(Springer2015)(ii)ArticlesAndoulsiI,‘PersonalDataProtectionandtheFirstImplementationSemesteroftheLisbonTreaty:AchievementsandProspects’(2010)1NewJournalofEuropeanCriminalLaw362

185 165

Klitou D, Privacy-Invading and Privacy by Design: Safeguarding Privacy, Liberty andSecurityinthe21stCentury(Springer2014)KotschyW,‘Article2,Directive95/46/EC’inBüllesbachA,GijrathS,PoulletY,andPrinsC(eds),ConciseofEuropeanITlaw(2ndedn,KluwerLawInternational2010)KranenborgH, ‘Article 8’ in Peers S et al (eds),TheEUCharterofFundamentalRights,ACommentary(HartPublishing2014)Kumar A and Zhang D (eds), Ethics and Policy of Biometrics, Third InternationalConference on Ethics and Policy of Biometrics and International Data Sharing, IECB(Springer2010)Kuner C, Bygrave L, andDocksey C (eds), ‘Draft commentaries on 10 GDPR articles,’ inCommentaryontheEUGeneralDataProtectionRegulation(OUP2019)Kung A, ‘PEARS: Privacy Enhancing Architectures’ in Preneel B and Ikonomou D (eds),PrivacyTechnologiesandPolicies(Springer2014)LessigL,‘Code,Version2.0’(BasicBooks2006)LiSandJainA(eds),HandbookofFaceRecognition(2ndedn,Springer2011)LiSandJainA(eds),EncyclopediaofBiometrics(Springer2015)LiuNY,Bio-Privacy,PrivacyRegulationsandtheChallengesofBiometrics(Routledge2012)LowranceW, ‘Privacy, Confidentiality, Safeguards’ in Privacy,Confidentiality,andHealthResearch(CambridgeUniversityPress2012)LynskeyO,TheFoundationsofEUDataProtectionLaw(OUP2015)Lynskey O, ‘The Role of Collective Actors in the Enforcement of the Right to DataProtectionunderEULaw’ inMuirE,KilpatrickC,Miller J,anddeWitteB(eds),HowEUShapes Opportunities for Preliminary References on Fundamental Rights: Discrimination,DataProtectionandAsylum(2017)EUIWorkingPaperLaw2017/17Maltoni D, ‘Fingerprint Recognition, Overview’ in Li S and Jain K (eds),EncyclopediaofBiometrics(Springer2015)MaltoniD,MaioD,JainA,andPrabhakarS(eds),HandbookofFingerprintRecognition(2ndedn,Springer2009)MannT(ed),AustralianLawDictionary(OUP2010)McBride J,HumanRightsandCriminalProcedure:TheCaseLawoftheEuropeanCourtofHumanRights(2ndedn,CouncilofEurope2018)McIverR,‘BiometricVocabularyStandardization’inLiSandJainA(eds),EncyclopediaofBiometrics(Springer2015)

166

Mifsud Bonnici J, ‘Redefining the Relationship Between Security, Data Retention andHuman Rights’ in Holzhacker R and Luif P (eds), Freedom, Security and Justice in theEuropeanUnion(Springer2014)MitsilegasV,EUCriminalLawafterLisbon:Rights,TrustandtheTransformationofJusticeinEurope(HartStudies2018)Pato JNandMillettLI(eds),BiometricRecognition:ChallengesandOpportunities,WhitherBiometrics Committee and National Research Council (The National Academies Press2010)PeersS,EUJusticeandHomeAffairsLaw:VolumeII:EUCriminalLaw,Policing,andCivilLaw(Oxford2016)Peers S,HerveyT,Kenner J, andWardA (eds),TheEUCharterofFundamentalRights,ACommentary(HartPublishing2014)Peers S andPrechal S, ‘Article 52’ in S Peers et al (eds),TheEUCharterofFundamentalRights,ACommentary(HartPublishing2014)RouvroyAandPoulletY,‘TheRighttoInformationalSelf-DeterminationandtheValueofSelf-Development:ReassessingtheImportanceofPrivacyforDemocracy’inGutwirthSetal(eds),ReinventingDataProtection?(Springer2009)RubinsteinI,NojeimG,andLeeL,‘SystematicGovernmentAccesstoPrivate-SectorData,AComparative Analysis’ in Cate C and Dempsey J (eds), Bulk Collection, SystematicGovernment’sAccesstoPrivateSectorData(OUP2017)van der Schyff G, ‘Interpreting the Protection Guaranteed by Two-Stage Rights in theEuropeanConventiononHumanRights,theCaseforWideInterpretation’inBremsEandGerards J (eds), Shaping Rights in the ECHR: The Role of the European Court of HumanRightsinDeterminingtheScopeofHumanRights(CambridgeUniversityPress2014)TersteggeJ,‘Article3,Directive95/46/EC,’inBüllesbachA,GijrathS,PoulletY,andPrinsC(eds),ConciseofEuropeanITlaw(2ndedn,KluwerLawInternational2010)Tzanou M, TheFundamentalRight toDataProtection:NormativeValue in theContextofCounter-TerrorismSurveillance(HartPublishing2017)Vervaele J, ‘Surveillance and Criminal Investigation: Blurring of Thresholds andBoundaries in theCriminal JusticeSystem' inGutwirthS,LeenesL,andDeHertP(eds),ReloadingDataProtection(Springer2014)WaymanJ,‘BiometricVerification/Identification/Authentication/Recognition:TheTerminology’inSLiandAJain(eds),EncyclopediaofBiometrics(Springer2015)(ii)ArticlesAndoulsiI,‘PersonalDataProtectionandtheFirstImplementationSemesteroftheLisbonTreaty:AchievementsandProspects’(2010)1NewJournalofEuropeanCriminalLaw362

186 167

Arestis G, ‘Fundamental Rights in the EU: Three Years after Lisbon, the LuxembourgPerspective’(2013)<http://aei.pitt.edu/43293/1/researchpaper_2_2013_arestis_lawpol_final.pdf>accessed30September2018Boehm F, ‘Data Processing and Law Enforcement Access to Information Systems at EULevel’(2012)36(5)DatenschutzundDatensicherheit339BrkanM,‘InSearchoftheConceptofEssenceofEUFundamentalRightsthroughthePrismofDataPrivacy’(2017)2017-01MaastrichtFacultyofLawWorkingPaper1<https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2900281>accessed30September2018BordalloLopezMetal,‘KinshipVerificationfromFacialImagesandVideos:HumanversusMachine’(2018)29(5)MachineVisionandApplications873Buitelaar,JC,‘Privacy:BacktotheRoots’(2012)13(3)GermanLawJournal171Bygrave L, ‘Data Protection by Design and by Default: Deciphering the EU’s LegislativeRequirements’(2017)4(2)OsloLawReview105CaoKand JainA, ‘LearningFingerprintReconstruction: fromMinutiae to Image’ (2015)10(1)IEEETransactionsonInformationForensicsandSecurity104CannataciJ,‘LexPersonalitis&Technology-drivenLaw'(2008)5(1)SCRIPT-ed1<https://script-ed.org/wp-content/uploads/2016/07/5-1-Cannataci.pdf>accessed30September2018Cannataci J and Mifsud Bonnici J, ‘The End of Purpose-Specification Principle in DataProtection?’(2010)24(1)InternationalReviewofLaw110CaruanaM,‘TheReformoftheEUDataProtectionFrameworkintheContextofPoliceandCriminal Justice Sector: Harmonisation, Scope, Oversight and Enforcement’ (2017)InternationalLawReview,ComputersandTechnology<https://www.tandfonline.com/doi/abs/10.1080/13600869.2017.1370224>accessed30September2018ChiangCLandZelenM,‘WhatisBiostatistics?’(1985)14(3)Biometrics771Cocq C, ‘Informationand Intelligence: The Current Divergences between National LegalSystems and the Need for Common (European) Notions’ (2017) 8(3) New Journal ofEuropeanCriminalLaw352Cocq C and Galli F, ‘The Catalysing Effect of Serious Crime on the Use of SurveillanceTechnologies for Prevention and Investigation Purposes’ (2013) 4(3) New Journal ofEuropeanCriminalLaw256CostaLandPoulletY, ‘Privacyand theRegulationof2012’ (2012)28(3)ComputerLawandSecurityReview254Coudert F, ‘The Europol Regulation and Purpose Limitation: From the ‘Silo-BasedApproach’to…WhatExactly?’(2017)3(3)EDPL313

168

CustersBandUrsicH,‘BigDataandDataReuse:ATaxonomyofDataReuseforBalancingBig Data Benefits and Personal Data Protection’ (2016) 6(1) International Data PrivacyLaw4DeHertP,‘BalancingSecurityandLibertywithintheEuropeanHumanRightsFramework.ACriticalReadingof theCourt’sCaseLawin theLightofSurveillanceandCriminalLawEnforcementStrategiesafter9/11’(2005)1(1)UtrechtLawReview68De Hert P and Papakonstantinou V, ‘The Data Protection Framework Decision of 27November2008RegardingPoliceandJudicialCooperationinCriminalMatters–AModestAchievement However Not the Improvement Some Have Hoped For’ (2009) 25(5)ComputerLawandSecurityReview403DeHertPandPapakonstantinouV,‘TheNewPoliceandCriminalJusticeDataProtectionDirective:AFirstAnalysis’(2016)7(1)NewJournalofEuropeanCriminalLaw7DeHertPandRiehleC, ‘DataProtection in theAreaofFreedom,Securityand Justice.AShortIntroductionandManyQuestionsLeftUnanswered’(2010)11(2)ERAForum159Fournier NA and Ross AH, ‘Sex, Ancestral, and Pattern Type Variation of FingerprintMinutiae: A Forensic Perspective on Anthropological Dermatoglyphics’ (2016) 160(4)AmericanJournalofPhysicalAnthropology625FriedmanB,‘ValueSensitiveDesign’(1996)Interactions,November-December17GalliF, ‘DigitalRights IrelandasanOpportunity toFosteraDesirableApproximationofDataRetentionProvisions’(2016)23(3)MaastrichtJournal460Gellert R, ‘Understanding the Notion of Risk in the General Data Protection Regulation’(2018)34(2)ComputerLawandSecurityReview279GrangerMPandIrionK, ‘TheCourtofJusticeandtheDataRetentionDirectiveinDigitalRights Ireland:TellingOff theEULegislator andTeaching a Lesson inPrivacy andDataProtection’(2014)39(6)EuropeanLawReview835GrijpinkJ,‘PrivacyLaw:BiometricsandPrivacy’(2001)17(3)ComputerLawandSecurityReview154HijmansHandSciroccoA, ‘Shortcomings inEUDataProtection in the thirdand secondpillars.Can theLisbonTreatybeexpected tohelp?’46(5)CommonMarketLawReview1485HildebrandtMandTielemansL,‘DataProtectionbyDesignandTechnologyNeutralLaw’(2013)29(5)ComputerLawandSecurityReview509HornungGandSchnabelC,‘DataProtectioninGermanyI:ThePopulationCensusDecisionand the Right to Informational Self-Determination' (2009) 25(1) Computer Law andReview84

187 167

Arestis G, ‘Fundamental Rights in the EU: Three Years after Lisbon, the LuxembourgPerspective’(2013)<http://aei.pitt.edu/43293/1/researchpaper_2_2013_arestis_lawpol_final.pdf>accessed30September2018Boehm F, ‘Data Processing and Law Enforcement Access to Information Systems at EULevel’(2012)36(5)DatenschutzundDatensicherheit339BrkanM,‘InSearchoftheConceptofEssenceofEUFundamentalRightsthroughthePrismofDataPrivacy’(2017)2017-01MaastrichtFacultyofLawWorkingPaper1<https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2900281>accessed30September2018BordalloLopezMetal,‘KinshipVerificationfromFacialImagesandVideos:HumanversusMachine’(2018)29(5)MachineVisionandApplications873Buitelaar,JC,‘Privacy:BacktotheRoots’(2012)13(3)GermanLawJournal171Bygrave L, ‘Data Protection by Design and by Default: Deciphering the EU’s LegislativeRequirements’(2017)4(2)OsloLawReview105CaoKand JainA, ‘LearningFingerprintReconstruction: fromMinutiae to Image’ (2015)10(1)IEEETransactionsonInformationForensicsandSecurity104CannataciJ,‘LexPersonalitis&Technology-drivenLaw'(2008)5(1)SCRIPT-ed1<https://script-ed.org/wp-content/uploads/2016/07/5-1-Cannataci.pdf>accessed30September2018Cannataci J and Mifsud Bonnici J, ‘The End of Purpose-Specification Principle in DataProtection?’(2010)24(1)InternationalReviewofLaw110CaruanaM,‘TheReformoftheEUDataProtectionFrameworkintheContextofPoliceandCriminal Justice Sector: Harmonisation, Scope, Oversight and Enforcement’ (2017)InternationalLawReview,ComputersandTechnology<https://www.tandfonline.com/doi/abs/10.1080/13600869.2017.1370224>accessed30September2018ChiangCLandZelenM,‘WhatisBiostatistics?’(1985)14(3)Biometrics771Cocq C, ‘Informationand Intelligence: The Current Divergences between National LegalSystems and the Need for Common (European) Notions’ (2017) 8(3) New Journal ofEuropeanCriminalLaw352Cocq C and Galli F, ‘The Catalysing Effect of Serious Crime on the Use of SurveillanceTechnologies for Prevention and Investigation Purposes’ (2013) 4(3) New Journal ofEuropeanCriminalLaw256CostaLandPoulletY, ‘Privacyand theRegulationof2012’ (2012)28(3)ComputerLawandSecurityReview254Coudert F, ‘The Europol Regulation and Purpose Limitation: From the ‘Silo-BasedApproach’to…WhatExactly?’(2017)3(3)EDPL313

168

CustersBandUrsicH,‘BigDataandDataReuse:ATaxonomyofDataReuseforBalancingBig Data Benefits and Personal Data Protection’ (2016) 6(1) International Data PrivacyLaw4DeHertP,‘BalancingSecurityandLibertywithintheEuropeanHumanRightsFramework.ACriticalReadingof theCourt’sCaseLawin theLightofSurveillanceandCriminalLawEnforcementStrategiesafter9/11’(2005)1(1)UtrechtLawReview68De Hert P and Papakonstantinou V, ‘The Data Protection Framework Decision of 27November2008RegardingPoliceandJudicialCooperationinCriminalMatters–AModestAchievement However Not the Improvement Some Have Hoped For’ (2009) 25(5)ComputerLawandSecurityReview403DeHertPandPapakonstantinouV,‘TheNewPoliceandCriminalJusticeDataProtectionDirective:AFirstAnalysis’(2016)7(1)NewJournalofEuropeanCriminalLaw7DeHertPandRiehleC, ‘DataProtection in theAreaofFreedom,Securityand Justice.AShortIntroductionandManyQuestionsLeftUnanswered’(2010)11(2)ERAForum159Fournier NA and Ross AH, ‘Sex, Ancestral, and Pattern Type Variation of FingerprintMinutiae: A Forensic Perspective on Anthropological Dermatoglyphics’ (2016) 160(4)AmericanJournalofPhysicalAnthropology625FriedmanB,‘ValueSensitiveDesign’(1996)Interactions,November-December17GalliF, ‘DigitalRights IrelandasanOpportunity toFosteraDesirableApproximationofDataRetentionProvisions’(2016)23(3)MaastrichtJournal460Gellert R, ‘Understanding the Notion of Risk in the General Data Protection Regulation’(2018)34(2)ComputerLawandSecurityReview279GrangerMPandIrionK, ‘TheCourtofJusticeandtheDataRetentionDirectiveinDigitalRights Ireland:TellingOff theEULegislator andTeaching a Lesson inPrivacy andDataProtection’(2014)39(6)EuropeanLawReview835GrijpinkJ,‘PrivacyLaw:BiometricsandPrivacy’(2001)17(3)ComputerLawandSecurityReview154HijmansHandSciroccoA, ‘Shortcomings inEUDataProtection in the thirdand secondpillars.Can theLisbonTreatybeexpected tohelp?’46(5)CommonMarketLawReview1485HildebrandtMandTielemansL,‘DataProtectionbyDesignandTechnologyNeutralLaw’(2013)29(5)ComputerLawandSecurityReview509HornungGandSchnabelC,‘DataProtectioninGermanyI:ThePopulationCensusDecisionand the Right to Informational Self-Determination' (2009) 25(1) Computer Law andReview84

188 169

Hutchinson T and Duncan N, ‘Defining and Describing What We Do: Doctrinal LegalResearch'(2012)17(1)DeakinLawReview83IglesiasSanchezS, ‘TheCourtandtheCharter:TheImpactoftheEntryintoForceoftheLisbonTreatyontheECJ’sApproachtoFundamentalRights’(2010)49CommonMarketLawReview1565 JainA,‘BiometricAuthentication’(2008)3(6)Scholarpedia3716Jain A, Ross A, and Prabhakar ‘An Introduction to Biometric Recognition’ (2004) 14(1)IEEETransactionsonCircuitsandSystemsforVideoTechnology4JasmontaiteL,KamaraI,ZanfirFortuna,G,andLeucci,S,‘DataProtectionbyDesignandbyDefault:FramingGuidingPrinciplesintoLegalObligationsintheGDPR’(2018)4(2)EDPL168Kahn H et al, ‘A Fingerprint Marker from Early Gestation Associated with Diabetes inMiddleAge:theDutchHungerWinterFamiliesStudy’(2009)38(1)InternationalJournalofEpidemiology101KayeD, ‘QuestioningaCourtroomProofoftheUniquenessofFingerprints’(2003)71(3)InternationalStatisticalReview521KindtE,‘BiometricApplicationandtheDataProtectionLegislation:TheLegalReviewandProportionalityTest’(2007)31(3)DatenschutzundDatensicherheit166KindtE, ‘HavingYes,UsingNo?About theNewLegalRegimeforBiometricData’ (2018)34(3)ComputerLawandSecurityReview433Kokott J and Sobotta C, ‘The Distinction between Privacy and Data ProtectionJurisprudenceoftheCJEUandtheECtHR’(2013)InternationalDataPrivacyLaw22Kokott JandSobottaC, ‘TheCharterofFundamentalRightsof theEuropeanUnionafterLisbon,’EUIWorkingPapers’(2016)6AELKuner C, Cate FH, Millard C, and Svantesson DJ, ‘The Challenge of “Big Data” for DataProtection’(2012)2(2)InternationalDataPrivacyLaw47LazaroCandLeMétayerD,‘TheControloverPersonalData:TrueRemedyorFairyTale?’(2015)12(1)SCRIPT-ed3<https://script-ed.org/wp-content/uploads/2015/06/lazaro_metayer.pdf>accessed30September2018van Lieshout M, Kool L, van Schoonhoven B, and de Jonge M, ‘Privacy by Design: AnAlternativetoExistingPracticeInSafeguardingPrivacy’(2011)13(6)Info55Liu NY, ‘Identifying Legal Concerns in the Biometric Context’ (2008), 3(1) Journal ofInternationalCommercialLawandTechnology45

170

LynskeyO, ‘TheEuropeanisationofDataProtectionLaw’(2017)19CambridgeYearbookofEuropeanLegalStudies252Marquenie T, ‘The Police and Criminal Justice Authorities Directive: Data ProtectionStandardsandImpactontheLegalFramework(2017)33(3)ComputerLawandSecurityReview324Mayer J, Mutchler P, and Mitchell JC, ‘Evaluating the Privacy Properties of TelephoneMetadata’(2013)113(20)ProceedingsoftheNationalAcademyofSciencesoftheUnitedStatesofAmerica5536Mifsud Bonnici J, ‘Exploring the Non-Absolute Nature of the Right to Data Protection’(2014)28(2)InternationalReviewofLaw,ComputersandTechnology131vanOoikR,‘Cross-PillarLitigationBeforetheECJ:DemarcationofCommunityandUnionCompetences’(2008)4(3)EuropeanConstitutionalLawReview399Prabhakar S, Pankanti S, and Jain A, ‘Biometric Recognition: Security and PrivacyConcerns’(2003)1(2)IEEESecurityandPrivacy33PrinsC,‘BiometricTechnologyLaw,MakingOurBodyIdentifyforus:LegalImplicationsofBiometricTechnologies’(1998)14(3)ComputerLawandSecurityReport159PurtovaN, ‘BetweentheGDPRandthePoliceDirective:NavigatingThroughtheMazeofInformation Sharing in Public-Private Partnerships’ (2018) 8(1) International DataPrivacyLaw52RedingV,‘TheEuropeanDataProtectionFrameworkfortheTwenty-FirstCentury’(2012)2(3)InternationalDataPrivacyLaw119Ritleng D, ‘The Contribution of the Court of Justice to the Structuring of the EuropeanSpaceofFundamentalRights’(2014)5(4)NewJournalofEuropeanCriminalLaw507Ross A, Shah J, and Jain A, ‘FromTemplate to Image: Reconstructing Fingerprints fromMinutiae Points’ (2007) 29(4) IEEE Transactions on Patterns Analysis and MachineIntelligence544RubinsteinI,‘BigData:TheEndofPrivacyoraNewBeginning?’(2013)3(2)InternationalDataPrivacyLaw74Rubinstein I and Good N, ‘Privacy by Design: A Counterfactual Analysis of Google andFacebookPrivacyIncidents'(2013)28BerkeleyTechnologyLawJournal1133Saks M, ‘Forensic Identification: From a Faith-Based ‘Science’ to a Scientific Science’(2010)201(1-3)ForensicScienceInternational14SamuelG,‘CanLegalReasoningbeDemystified?’(2009)29(2)LegalStudies181SchaarP,‘PrivacybyDesign’(2010)2(3)IdentityintheInformationSociety267

189 169

Hutchinson T and Duncan N, ‘Defining and Describing What We Do: Doctrinal LegalResearch'(2012)17(1)DeakinLawReview83IglesiasSanchezS, ‘TheCourtandtheCharter:TheImpactoftheEntryintoForceoftheLisbonTreatyontheECJ’sApproachtoFundamentalRights’(2010)49CommonMarketLawReview1565 JainA,‘BiometricAuthentication’(2008)3(6)Scholarpedia3716Jain A, Ross A, and Prabhakar ‘An Introduction to Biometric Recognition’ (2004) 14(1)IEEETransactionsonCircuitsandSystemsforVideoTechnology4JasmontaiteL,KamaraI,ZanfirFortuna,G,andLeucci,S,‘DataProtectionbyDesignandbyDefault:FramingGuidingPrinciplesintoLegalObligationsintheGDPR’(2018)4(2)EDPL168Kahn H et al, ‘A Fingerprint Marker from Early Gestation Associated with Diabetes inMiddleAge:theDutchHungerWinterFamiliesStudy’(2009)38(1)InternationalJournalofEpidemiology101KayeD, ‘QuestioningaCourtroomProofoftheUniquenessofFingerprints’(2003)71(3)InternationalStatisticalReview521KindtE,‘BiometricApplicationandtheDataProtectionLegislation:TheLegalReviewandProportionalityTest’(2007)31(3)DatenschutzundDatensicherheit166KindtE, ‘HavingYes,UsingNo?About theNewLegalRegimeforBiometricData’ (2018)34(3)ComputerLawandSecurityReview433Kokott J and Sobotta C, ‘The Distinction between Privacy and Data ProtectionJurisprudenceoftheCJEUandtheECtHR’(2013)InternationalDataPrivacyLaw22Kokott JandSobottaC, ‘TheCharterofFundamentalRightsof theEuropeanUnionafterLisbon,’EUIWorkingPapers’(2016)6AELKuner C, Cate FH, Millard C, and Svantesson DJ, ‘The Challenge of “Big Data” for DataProtection’(2012)2(2)InternationalDataPrivacyLaw47LazaroCandLeMétayerD,‘TheControloverPersonalData:TrueRemedyorFairyTale?’(2015)12(1)SCRIPT-ed3<https://script-ed.org/wp-content/uploads/2015/06/lazaro_metayer.pdf>accessed30September2018van Lieshout M, Kool L, van Schoonhoven B, and de Jonge M, ‘Privacy by Design: AnAlternativetoExistingPracticeInSafeguardingPrivacy’(2011)13(6)Info55Liu NY, ‘Identifying Legal Concerns in the Biometric Context’ (2008), 3(1) Journal ofInternationalCommercialLawandTechnology45

170

LynskeyO, ‘TheEuropeanisationofDataProtectionLaw’(2017)19CambridgeYearbookofEuropeanLegalStudies252Marquenie T, ‘The Police and Criminal Justice Authorities Directive: Data ProtectionStandardsandImpactontheLegalFramework(2017)33(3)ComputerLawandSecurityReview324Mayer J, Mutchler P, and Mitchell JC, ‘Evaluating the Privacy Properties of TelephoneMetadata’(2013)113(20)ProceedingsoftheNationalAcademyofSciencesoftheUnitedStatesofAmerica5536Mifsud Bonnici J, ‘Exploring the Non-Absolute Nature of the Right to Data Protection’(2014)28(2)InternationalReviewofLaw,ComputersandTechnology131vanOoikR,‘Cross-PillarLitigationBeforetheECJ:DemarcationofCommunityandUnionCompetences’(2008)4(3)EuropeanConstitutionalLawReview399Prabhakar S, Pankanti S, and Jain A, ‘Biometric Recognition: Security and PrivacyConcerns’(2003)1(2)IEEESecurityandPrivacy33PrinsC,‘BiometricTechnologyLaw,MakingOurBodyIdentifyforus:LegalImplicationsofBiometricTechnologies’(1998)14(3)ComputerLawandSecurityReport159PurtovaN, ‘BetweentheGDPRandthePoliceDirective:NavigatingThroughtheMazeofInformation Sharing in Public-Private Partnerships’ (2018) 8(1) International DataPrivacyLaw52RedingV,‘TheEuropeanDataProtectionFrameworkfortheTwenty-FirstCentury’(2012)2(3)InternationalDataPrivacyLaw119Ritleng D, ‘The Contribution of the Court of Justice to the Structuring of the EuropeanSpaceofFundamentalRights’(2014)5(4)NewJournalofEuropeanCriminalLaw507Ross A, Shah J, and Jain A, ‘FromTemplate to Image: Reconstructing Fingerprints fromMinutiae Points’ (2007) 29(4) IEEE Transactions on Patterns Analysis and MachineIntelligence544RubinsteinI,‘BigData:TheEndofPrivacyoraNewBeginning?’(2013)3(2)InternationalDataPrivacyLaw74Rubinstein I and Good N, ‘Privacy by Design: A Counterfactual Analysis of Google andFacebookPrivacyIncidents'(2013)28BerkeleyTechnologyLawJournal1133Saks M, ‘Forensic Identification: From a Faith-Based ‘Science’ to a Scientific Science’(2010)201(1-3)ForensicScienceInternational14SamuelG,‘CanLegalReasoningbeDemystified?’(2009)29(2)LegalStudies181SchaarP,‘PrivacybyDesign’(2010)2(3)IdentityintheInformationSociety267

190 171

SciroccoA,‘TheLisbonTreatyandtheProtectionofPersonalDataintheEuropeanUnion’(2008)5DataProtectionReviewSchramaW,‘HowtoCarryoutInterdisciplinaryLegalResearch:SomeExperienceswithanInterdisciplinaryResearchMethod'(2011)7(1)UtrechtLawReview147ShapiroS,‘PrivacybyDesign:MovingfromArttoPractice’(2010)53(6)CommunicationsoftheACM27Spiekermann S and Cranor L, ‘Engineering Privacy’ (2009) 35(1) IEEE Transactions onSoftwareEngineering67StieglerS,‘TheProblematicUnityofBiometrics’(2000)56Biometrics653TaekemaH, ‘TheoreticalandNormativeFrameworks forLegalResearch:PuttingTheoryintoPractice’(2018)1LawandMethod<https://www.bjutijdschriften.nl/tijdschrift/lawandmethod/2018/02/lawandmethod-D-17-00010>accessed30September2018Taylor J and Blenkin M, ‘Uniqueness in the Forensic Identification Sciences: Fact orFiction?’(2011)206(1-3)ForensicScienceInternational12TzanouM,‘DataProtectionasaFundamentalRightnexttoPrivacy?ReconstructinganotsoNewRight’(2013)3(2)InternationalDataPrivacyLaw88WalkerE,‘BiometricsBoom:HowthePrivateSectorCommodifiesHumanCharacteristics’(2015)25(3)FordhamIntellectualPropertyMediaandLaw831ZorkadisV andDonosP, ‘OnBiometrics-BasedAuthentication and Identification fromaPrivacy-Protection Perspective: Deriving Privacy-Enhancing Requirements’ (2004) 12IMCS125(iii)WorkingPapersandConferencePapersButinD and LeMétayer D, ‘Log Analysis for Data Protection Accountability’ in Jones C,Pihlajasaari, and Sun J (eds) FM 2014, Formal Methods, International Symposium onFormalMethods(Springer2014)163DeHertPandChristianenK,‘ReportontheApplicationofthePrinciplesofConvention108totheCollectionandProcessingofBiometricData’CommissionedbytheCouncilofEurope(2013)Hoepman JH, ‘Privacy Design Strategies’, Proceedings ICT Systems Security and PrivacyProtection-29thIFIPTC11InternationalInformationSecurityConference(SEC2014)<https://hal.inria.fr/hal-01370395/document>accessed30September2018Jasserand C, ‘Legal Perspectives on the Difficult Relationship between the Concept ofPrivacybyDesignandthePrincipleofPurposeLimitationatEuropeanLevel’(AmsterdamPrivacyConference2015)

172

Kemelmacher-ShlizermanI,SeitzS,MillerDandBrossardE,‘TheMegaFaceBenchmark:1MillionFacesforRecognitionatScale'(2015)<https://arxiv.org/abs/1512.00596>accessed30September2018KlozaDetal,‘DataProtectionImpactAssessmentsintheEuropeanUnion:ComplementingtheNewLegalFrameworkTowardsaMoreRobustProtectionofIndividuals’(2017)<https://cris.vub.be/files/32009890/dpialab_pb2017_1_final.pdf>accessed30September2018Mallory S, ‘The Concept of Asymmetrical Policing’ (2007) 12 Policing Working PaperSeriesMoerel L and Prins C, ‘Privacy for the Homo Digitalis, Proposal for a new RegulatoryFrameworkforDataProtectionintheLightofBigDataandtheInternetofThings'(2016)<https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2784123>accessed10April2018(iv)ReportsBignami F, ‘The US Legal System on Data Protection in the Field of Law Enforcement.Safeguards, Rights and Remedies for EU Citizens' (Study for the LIBE Committee,EuropeanParliament2015)<http://www.europarl.europa.eu/RegData/etudes/STUD/2015/519215/IPOL_STU%282015%29519215_EN.pdf>accessed30September2018Boehm F, ‘A comparison between US and EU Data Protection Legislation for LawEnforcement,’ (Study for the LIBE Committee, European Parliament 2015)<http://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdf>accessed30September2018BoehmF andColeM, ‘DataRetention after the Judgement of theCourt of Justice of theEuropeanUnion’(2014)Report for theGreens,EuropeanFreeAlliance, in theEuropeanParliament<https://www.janalbrecht.eu/fileadmin/material/Dokumente/Boehm_Cole_-_Data_Retention_Study_-_June_2014.pdf>accessed1August2017CannataciJ,‘StudyonRecommendationNo.R(87)15of17September1987RegulatingtheUse of Personal Data in the Police Sector ‘Data Protection Vision 2020- Options forImprovingEuropeanPolicyandLegislationduring2010-2020’(2010),22ndMeeting15-17November 2010, Bureau of the Consultative Committee of the Convention for theProtectionofIndividualswithRegardtoAutomaticProcessingofPersonalData,T-PD-BUR(2010)12final<https://www.um.edu.mt/library/oar/bitstream/handle/123456789/26239/JACannataciReporttoCouncilofEuropecompletewithAppendices31Oct2010.pdf?sequence=1&isAllowed=y>accessed30September2018Cannataci J and Caruana M, ‘Recommendation R (87)15: Twenty-Five Years Down theLine'(2013),ReporttotheConsultativeCommitteeoftheConventionfortheProtectionofIndividualswithregardtoAutomaticProcessingofPersonalDataT-PD(2013)11<https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016804e7a3c>accessed30September2018

191 171

SciroccoA,‘TheLisbonTreatyandtheProtectionofPersonalDataintheEuropeanUnion’(2008)5DataProtectionReviewSchramaW,‘HowtoCarryoutInterdisciplinaryLegalResearch:SomeExperienceswithanInterdisciplinaryResearchMethod'(2011)7(1)UtrechtLawReview147ShapiroS,‘PrivacybyDesign:MovingfromArttoPractice’(2010)53(6)CommunicationsoftheACM27Spiekermann S and Cranor L, ‘Engineering Privacy’ (2009) 35(1) IEEE Transactions onSoftwareEngineering67StieglerS,‘TheProblematicUnityofBiometrics’(2000)56Biometrics653TaekemaH, ‘TheoreticalandNormativeFrameworks forLegalResearch:PuttingTheoryintoPractice’(2018)1LawandMethod<https://www.bjutijdschriften.nl/tijdschrift/lawandmethod/2018/02/lawandmethod-D-17-00010>accessed30September2018Taylor J and Blenkin M, ‘Uniqueness in the Forensic Identification Sciences: Fact orFiction?’(2011)206(1-3)ForensicScienceInternational12TzanouM,‘DataProtectionasaFundamentalRightnexttoPrivacy?ReconstructinganotsoNewRight’(2013)3(2)InternationalDataPrivacyLaw88WalkerE,‘BiometricsBoom:HowthePrivateSectorCommodifiesHumanCharacteristics’(2015)25(3)FordhamIntellectualPropertyMediaandLaw831ZorkadisV andDonosP, ‘OnBiometrics-BasedAuthentication and Identification fromaPrivacy-Protection Perspective: Deriving Privacy-Enhancing Requirements’ (2004) 12IMCS125(iii)WorkingPapersandConferencePapersButinD and LeMétayer D, ‘Log Analysis for Data Protection Accountability’ in Jones C,Pihlajasaari, and Sun J (eds) FM 2014, Formal Methods, International Symposium onFormalMethods(Springer2014)163DeHertPandChristianenK,‘ReportontheApplicationofthePrinciplesofConvention108totheCollectionandProcessingofBiometricData’CommissionedbytheCouncilofEurope(2013)Hoepman JH, ‘Privacy Design Strategies’, Proceedings ICT Systems Security and PrivacyProtection-29thIFIPTC11InternationalInformationSecurityConference(SEC2014)<https://hal.inria.fr/hal-01370395/document>accessed30September2018Jasserand C, ‘Legal Perspectives on the Difficult Relationship between the Concept ofPrivacybyDesignandthePrincipleofPurposeLimitationatEuropeanLevel’(AmsterdamPrivacyConference2015)

172

Kemelmacher-ShlizermanI,SeitzS,MillerDandBrossardE,‘TheMegaFaceBenchmark:1MillionFacesforRecognitionatScale'(2015)<https://arxiv.org/abs/1512.00596>accessed30September2018KlozaDetal,‘DataProtectionImpactAssessmentsintheEuropeanUnion:ComplementingtheNewLegalFrameworkTowardsaMoreRobustProtectionofIndividuals’(2017)<https://cris.vub.be/files/32009890/dpialab_pb2017_1_final.pdf>accessed30September2018Mallory S, ‘The Concept of Asymmetrical Policing’ (2007) 12 Policing Working PaperSeriesMoerel L and Prins C, ‘Privacy for the Homo Digitalis, Proposal for a new RegulatoryFrameworkforDataProtectionintheLightofBigDataandtheInternetofThings'(2016)<https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2784123>accessed10April2018(iv)ReportsBignami F, ‘The US Legal System on Data Protection in the Field of Law Enforcement.Safeguards, Rights and Remedies for EU Citizens' (Study for the LIBE Committee,EuropeanParliament2015)<http://www.europarl.europa.eu/RegData/etudes/STUD/2015/519215/IPOL_STU%282015%29519215_EN.pdf>accessed30September2018Boehm F, ‘A comparison between US and EU Data Protection Legislation for LawEnforcement,’ (Study for the LIBE Committee, European Parliament 2015)<http://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdf>accessed30September2018BoehmF andColeM, ‘DataRetention after the Judgement of theCourt of Justice of theEuropeanUnion’(2014)Report for theGreens,EuropeanFreeAlliance, in theEuropeanParliament<https://www.janalbrecht.eu/fileadmin/material/Dokumente/Boehm_Cole_-_Data_Retention_Study_-_June_2014.pdf>accessed1August2017CannataciJ,‘StudyonRecommendationNo.R(87)15of17September1987RegulatingtheUse of Personal Data in the Police Sector ‘Data Protection Vision 2020- Options forImprovingEuropeanPolicyandLegislationduring2010-2020’(2010),22ndMeeting15-17November 2010, Bureau of the Consultative Committee of the Convention for theProtectionofIndividualswithRegardtoAutomaticProcessingofPersonalData,T-PD-BUR(2010)12final<https://www.um.edu.mt/library/oar/bitstream/handle/123456789/26239/JACannataciReporttoCouncilofEuropecompletewithAppendices31Oct2010.pdf?sequence=1&isAllowed=y>accessed30September2018Cannataci J and Caruana M, ‘Recommendation R (87)15: Twenty-Five Years Down theLine'(2013),ReporttotheConsultativeCommitteeoftheConventionfortheProtectionofIndividualswithregardtoAutomaticProcessingofPersonalDataT-PD(2013)11<https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016804e7a3c>accessed30September2018

192 173

CavoukianA,‘PrivacybyDesign,The7FoundationalPrinciples’(2009)<https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf>accessed30September2018CavoukianA,‘PrivacybyDesigninLaw,PolicyandPractice’AWhitePaperforRegulators,Decision-MakersandPolicy-Makers(2011)<http://www.ontla.on.ca/library/repository/mon/25008/312239.pdf>accessed30November2018DeHertP,‘Biometrics:LegalIssuesandImplications’,BackgroundPaperfortheInstituteofProspectiveTechnologicalStudies,DGJRC-SevillaEuropeanCommission(2005)Enterprise Privacy Group, ‘Privacy by Design: An Overview of Privacy EnhancingTechnologies’(2008)<http://www.dsp.utoronto.ca/projects/surveillance/docs/pbd_pets_paper.pdf>accessed30December2018Greer, ‘Exceptions to Articles 8 to 11 of the European Convention on Human Rights’(1997)<http://www.echr.coe.int/LibraryDocs/DG2/HRFILES/DG2-EN-HRFILES-15(1997).pdf>accessed10April2018SchlehahnE,MarquenieT,andKindtE, ‘DataProtection ImpactAssessments (DPIAs) inthe Law Enforcement Sector according to Directive (EU) 2016/680- A ComparativeAnalysisofMethodologies’(2016)DeliverablefortheVALCRIproject(VisualAnalyticsforSense-MakinginCriminalIntelligenceAnalysis)<http://valcri.org/our-content/uploads/2018/06/VALCRI-DPIA-Guidelines-Methodological-Comparison.pdf>accessed30December2018(v)NewspaperArticlesAndriole S, ‘Facebook's Zuckerberg Quietly Drops Another Privacy Bomb- FacialRecognition'Forbes(12April2018)<https://www.forbes.com/sites/steveandriole/2018/04/12/facebooks-zukerberg-quietly-drops-another-privacy-bomb-facial-recognition/#27ebe7fe51c0>accessed30September2018BradshawT,‘FacebookEndsFacialRecognitioninEurope’FinancialTimes(21September2012)<https://www.ft.com/content/fa9c4af8-03fc-11e2-b91b-00144feabdc0>accessed30September2018Cagle, M, ‘Facebook, Instagram, and Twitter Provided Data Access for a SurveillanceProduct Marketed to Target Activists of Color’ ACLU Northern California (11 October2016)<https://www.aclunc.org/blog/facebook-instagram-and-twitter-provided-data-access-surveillance-product-marketed-target>accessed30September2018Chan C, ‘What Facebook Deals with Everyday: 2.7 Billion Likes, 300 Million PhotosUploadedand500TerabytesofData’Gizmodo(22August2012)<https://gizmodo.com/5937143/what-facebook-deals-with-everyday-27-billion-likes-300-million-photos-uploaded-and-500-terabytes-of-data>accessed30September2018

174

GrossmanW,‘IsSchoolFingerprintingoutofBounds?’TheGuardian(30March2006)<https://www.theguardian.com/technology/2006/mar/30/schools.guardianweeklytechnologysection>accessed30September2018LundenI, ‘FacebookTurnsOffFacialRecognitionintheEU,GetstheAll-ClearonSeveralPoints from Ireland's Data Protection Commissioner on its Review' TechCrunch (21September2012)<https://techcrunch.com/2012/09/21/facebook-turns-off-facial-recognition-in-the-eu-gets-the-all-clear-from-irelands-data-protection-commissioner-on-its-review/>accessed30September2018MizrochA, ‘PayPalWantsYoutoInjectYourUsernameandEatYourPassword’theWallStreetJournal(17April2015)<http://blogs.wsj.com/digits/2015/04/17/paypal-wants-you-to-inject-your-username-and-eat-your-password/>accessed30May2016PetroffA,‘MasterCardLaunchingSelfiePayments’CNN(22February2016)<http://money.cnn.com/2016/02/22/technology/mastercard-selfie-pay-fingerprint-payments/>accessed30May2016PiddH, ‘FacebookFacialRecognitionSoftwareViolatesPrivacyLaws,SaysGermany’TheGuardian(3August2011)<https://www.theguardian.com/technology/2011/aug/03/facebook-facial-recognition-privacy-germany>accessed30September2018PressAssociation,‘FacebookFacesFinesupto£80K’TheGuardian(21September2012)<https://www.theguardian.com/technology/2012/sep/21/facebook-faces-privacy-fine>accessed30September2018__ __ ‘Facebook Receives Nearly 2,000 Data Requests fromUK Police’TheGuardian (11April2014)<https://www.theguardian.com/technology/2014/apr/11/facebook-2000-data-requests-police>accessed30September2018Quiñonero Candela J, ‘Managing Your Identity on Facebook with Face RecognitionTechnology’FacebookNewsroom(19December2017)<https://newsroom.fb.com/news/2017/12/managing-your-identity-on-facebook-with-face-recognition-technology/>accessed10April2018RamA, ‘TechCompaniesEndureNear-DoublingofRequests forPersonalData’FinancialTimes(30August2017)<https://www.ft.com/content/b754882e-8cbd-11e7-9084-d0c17942ba93> accessed 10 April2018Sengupta S, ‘Facebook’s ProspectsMayRest onTrove ofData’NewYorkTimes (14May2012)<https://www.nytimes.com/2012/05/15/technology/facebook-needs-to-turn-data-trove-into-investor-gold.html?pagewanted=all>accessed30September2018StewartT,‘FacebookisUsingGDPRasaMeanstoBringFacialRecognitionBacktoEurope’MobileMarketing(18April2018)

193 173

CavoukianA,‘PrivacybyDesign,The7FoundationalPrinciples’(2009)<https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf>accessed30September2018CavoukianA,‘PrivacybyDesigninLaw,PolicyandPractice’AWhitePaperforRegulators,Decision-MakersandPolicy-Makers(2011)<http://www.ontla.on.ca/library/repository/mon/25008/312239.pdf>accessed30November2018DeHertP,‘Biometrics:LegalIssuesandImplications’,BackgroundPaperfortheInstituteofProspectiveTechnologicalStudies,DGJRC-SevillaEuropeanCommission(2005)Enterprise Privacy Group, ‘Privacy by Design: An Overview of Privacy EnhancingTechnologies’(2008)<http://www.dsp.utoronto.ca/projects/surveillance/docs/pbd_pets_paper.pdf>accessed30December2018Greer, ‘Exceptions to Articles 8 to 11 of the European Convention on Human Rights’(1997)<http://www.echr.coe.int/LibraryDocs/DG2/HRFILES/DG2-EN-HRFILES-15(1997).pdf>accessed10April2018SchlehahnE,MarquenieT,andKindtE, ‘DataProtection ImpactAssessments (DPIAs) inthe Law Enforcement Sector according to Directive (EU) 2016/680- A ComparativeAnalysisofMethodologies’(2016)DeliverablefortheVALCRIproject(VisualAnalyticsforSense-MakinginCriminalIntelligenceAnalysis)<http://valcri.org/our-content/uploads/2018/06/VALCRI-DPIA-Guidelines-Methodological-Comparison.pdf>accessed30December2018(v)NewspaperArticlesAndriole S, ‘Facebook's Zuckerberg Quietly Drops Another Privacy Bomb- FacialRecognition'Forbes(12April2018)<https://www.forbes.com/sites/steveandriole/2018/04/12/facebooks-zukerberg-quietly-drops-another-privacy-bomb-facial-recognition/#27ebe7fe51c0>accessed30September2018BradshawT,‘FacebookEndsFacialRecognitioninEurope’FinancialTimes(21September2012)<https://www.ft.com/content/fa9c4af8-03fc-11e2-b91b-00144feabdc0>accessed30September2018Cagle, M, ‘Facebook, Instagram, and Twitter Provided Data Access for a SurveillanceProduct Marketed to Target Activists of Color’ ACLU Northern California (11 October2016)<https://www.aclunc.org/blog/facebook-instagram-and-twitter-provided-data-access-surveillance-product-marketed-target>accessed30September2018Chan C, ‘What Facebook Deals with Everyday: 2.7 Billion Likes, 300 Million PhotosUploadedand500TerabytesofData’Gizmodo(22August2012)<https://gizmodo.com/5937143/what-facebook-deals-with-everyday-27-billion-likes-300-million-photos-uploaded-and-500-terabytes-of-data>accessed30September2018

174

GrossmanW,‘IsSchoolFingerprintingoutofBounds?’TheGuardian(30March2006)<https://www.theguardian.com/technology/2006/mar/30/schools.guardianweeklytechnologysection>accessed30September2018LundenI, ‘FacebookTurnsOffFacialRecognitionintheEU,GetstheAll-ClearonSeveralPoints from Ireland's Data Protection Commissioner on its Review' TechCrunch (21September2012)<https://techcrunch.com/2012/09/21/facebook-turns-off-facial-recognition-in-the-eu-gets-the-all-clear-from-irelands-data-protection-commissioner-on-its-review/>accessed30September2018MizrochA, ‘PayPalWantsYoutoInjectYourUsernameandEatYourPassword’theWallStreetJournal(17April2015)<http://blogs.wsj.com/digits/2015/04/17/paypal-wants-you-to-inject-your-username-and-eat-your-password/>accessed30May2016PetroffA,‘MasterCardLaunchingSelfiePayments’CNN(22February2016)<http://money.cnn.com/2016/02/22/technology/mastercard-selfie-pay-fingerprint-payments/>accessed30May2016PiddH, ‘FacebookFacialRecognitionSoftwareViolatesPrivacyLaws,SaysGermany’TheGuardian(3August2011)<https://www.theguardian.com/technology/2011/aug/03/facebook-facial-recognition-privacy-germany>accessed30September2018PressAssociation,‘FacebookFacesFinesupto£80K’TheGuardian(21September2012)<https://www.theguardian.com/technology/2012/sep/21/facebook-faces-privacy-fine>accessed30September2018__ __ ‘Facebook Receives Nearly 2,000 Data Requests fromUK Police’TheGuardian (11April2014)<https://www.theguardian.com/technology/2014/apr/11/facebook-2000-data-requests-police>accessed30September2018Quiñonero Candela J, ‘Managing Your Identity on Facebook with Face RecognitionTechnology’FacebookNewsroom(19December2017)<https://newsroom.fb.com/news/2017/12/managing-your-identity-on-facebook-with-face-recognition-technology/>accessed10April2018RamA, ‘TechCompaniesEndureNear-DoublingofRequests forPersonalData’FinancialTimes(30August2017)<https://www.ft.com/content/b754882e-8cbd-11e7-9084-d0c17942ba93> accessed 10 April2018Sengupta S, ‘Facebook’s ProspectsMayRest onTrove ofData’NewYorkTimes (14May2012)<https://www.nytimes.com/2012/05/15/technology/facebook-needs-to-turn-data-trove-into-investor-gold.html?pagewanted=all>accessed30September2018StewartT,‘FacebookisUsingGDPRasaMeanstoBringFacialRecognitionBacktoEurope’MobileMarketing(18April2018)

194 175

<https://mobilemarketingmagazine.com/facebook-facial-recognition-eu-europe-gdpr-canada>accessed30September2018Wollacott E, ‘Protection when Tech Gets Rather Personal’, Biometrics and IdentityManagement’LeRaconteur(30April2015)<https://www.raconteur.net/biometrics-2015>accessed30May2016(vi)Miscellaneous____ ‘The Biometrics for Banking: Market and Technology Analysis, Adoption StrategiesandForecasts2018-2023-SecondEdition’(businesswire.com,29June2018)<https://www.businesswire.com/news/home/20180629005676/en/Biometrics-Banking-2018-Market-Technology-Analysis-Adoption>accessed30September2018Adler A, ‘Can Sample Images be Regenerated from Biometric Templates?’ (BiometricsConference,22-23September2003)<http://www.sce.carleton.ca/faculty/adler/publications/2003/adler-2003-biometrics-conf-regenerate-templates.pdf>accessed30May2016AfoninO,‘GovernmentRequestReports:Google,AppleandMicrosoft‘(ElcomSoftblog,16January2017)<https://blog.elcomsoft.com/2017/01/government-request-reports-google-apple-and-microsoft/>accessed1August2017Apple’s Transparency Report, ‘Report on Government and Private Party Requests forCustomerInformation,January1-June30,2017)[2017]<https://images.apple.com/legal/privacy/transparency/requests-2017-H1-en.pdf/> accessed 10April2018Ayer E, ‘How Government Biometrics are Moving into the Private Sector’ (BiometricUpdate,28June2017)<https://www.biometricupdate.com/201706/how-government-biometrics-are-moving-intothe-private-sector>accessed30September2018BarattaR,‘ComplexityofEUlawinthedomesticimplementingprocess’(Speechatthe19thQualityofLegislationSeminar‘EULegislativeDrafting:ViewsfromthoseapplyingEUlawintheMemberStates’,3July2014)<http://ec.europa.eu/dgs/legal_service/seminars/20140703_baratta_speech.pdf>accessed10April2018BioPrivacy,FAQs‘AreBiometricsUniqueIdentifiers?’<http://www.bioprivacy.org>accessed30May2016BrewczyńskaM,‘thePrincipleofAccountabilityintheGeneralDataProtectionRegulation:CallingtheEULegislatortoAccountforLimitingtheWordingofArticle5(2)GDPRtoDataControllers'[2018](LL.Mthesis)<arno.uvt.nl/show.cgi?fid=144595>accessed30September2018BrombaM, ‘On the Reconstruction of Biometric Raw Data from Template Data’ (2006)<http://www.bromba.com/knowhow/temppriv.htm>accessed30May2016

176

Facebook’sTransparencyReport[2017]<https://newsroom.fb.com/news/2017/12/reinforcing-our-commitment-to-transparency/>accessed10April2018_____________half-year[2018]<https://transparency.facebook.com/government-data-requests>accessed10April2018Google’sTransparencyReport[2018]<https://transparencyreport.google.com/user-data/overview>accessed10April2018Korff,D‘TheStandardApproachunderArticles8-11ECHRandArticle2ECHR’(2009)<http://ec.europa.eu/justice/news/events/conference_dp_2009/presentations_speeches/KORFF_Douwe_a.pdf>accessed10April2018LarduinatX, ‘BiometricsandtheNextFinancialSectorRevolution’(blog.Gemalto,22May2018)<https://blog.gemalto.com/financial-services/2018/05/22/biometrics-and-the-next-financial-sector-revolution/>accessed30September2018LeBlancJ,‘KillAllPasswords’(2015)<http://www.slideshare.net/jcleblanc/kill-all-passwords>accessed30May2016Microsoft’sTransparencyReport[2018]<https://www.microsoft.com/en-us/about/corporate-responsibility/lerr/>accessed10April2018Microsoft,LawEnforcementRequestsReport<https://www.microsoft.com/about/csr/transparencyhub/lerr>accessed10April2018Stalla-BourdillonS,‘theGDPRandtheBiggestMessofAll:WhyAccurateLegalDefinitionsReallyMatter…’blogpost(PeepBeep,12April2016)<https://peepbeep.wordpress.com/2016/04/12/the-gdpr-and-the-biggest-mess-of-all-why-accurate-legal-definitions-really-matter/>accessed30May2016WoodsL,‘DataRetentionandNationalLaw:theECJRulinginJoinedCasesC-203/15andC-698/15Tele2andWatson(GrandChamber)’(EULawAnalysis,21December2016)<http://eulawanalysis.blogspot.nl/2016/12/data-retention-and-national-law-ecj.html>accessed1August2017

195 175

<https://mobilemarketingmagazine.com/facebook-facial-recognition-eu-europe-gdpr-canada>accessed30September2018Wollacott E, ‘Protection when Tech Gets Rather Personal’, Biometrics and IdentityManagement’LeRaconteur(30April2015)<https://www.raconteur.net/biometrics-2015>accessed30May2016(vi)Miscellaneous____ ‘The Biometrics for Banking: Market and Technology Analysis, Adoption StrategiesandForecasts2018-2023-SecondEdition’(businesswire.com,29June2018)<https://www.businesswire.com/news/home/20180629005676/en/Biometrics-Banking-2018-Market-Technology-Analysis-Adoption>accessed30September2018Adler A, ‘Can Sample Images be Regenerated from Biometric Templates?’ (BiometricsConference,22-23September2003)<http://www.sce.carleton.ca/faculty/adler/publications/2003/adler-2003-biometrics-conf-regenerate-templates.pdf>accessed30May2016AfoninO,‘GovernmentRequestReports:Google,AppleandMicrosoft‘(ElcomSoftblog,16January2017)<https://blog.elcomsoft.com/2017/01/government-request-reports-google-apple-and-microsoft/>accessed1August2017Apple’s Transparency Report, ‘Report on Government and Private Party Requests forCustomerInformation,January1-June30,2017)[2017]<https://images.apple.com/legal/privacy/transparency/requests-2017-H1-en.pdf/> accessed 10April2018Ayer E, ‘How Government Biometrics are Moving into the Private Sector’ (BiometricUpdate,28June2017)<https://www.biometricupdate.com/201706/how-government-biometrics-are-moving-intothe-private-sector>accessed30September2018BarattaR,‘ComplexityofEUlawinthedomesticimplementingprocess’(Speechatthe19thQualityofLegislationSeminar‘EULegislativeDrafting:ViewsfromthoseapplyingEUlawintheMemberStates’,3July2014)<http://ec.europa.eu/dgs/legal_service/seminars/20140703_baratta_speech.pdf>accessed10April2018BioPrivacy,FAQs‘AreBiometricsUniqueIdentifiers?’<http://www.bioprivacy.org>accessed30May2016BrewczyńskaM,‘thePrincipleofAccountabilityintheGeneralDataProtectionRegulation:CallingtheEULegislatortoAccountforLimitingtheWordingofArticle5(2)GDPRtoDataControllers'[2018](LL.Mthesis)<arno.uvt.nl/show.cgi?fid=144595>accessed30September2018BrombaM, ‘On the Reconstruction of Biometric Raw Data from Template Data’ (2006)<http://www.bromba.com/knowhow/temppriv.htm>accessed30May2016

176

Facebook’sTransparencyReport[2017]<https://newsroom.fb.com/news/2017/12/reinforcing-our-commitment-to-transparency/>accessed10April2018_____________half-year[2018]<https://transparency.facebook.com/government-data-requests>accessed10April2018Google’sTransparencyReport[2018]<https://transparencyreport.google.com/user-data/overview>accessed10April2018Korff,D‘TheStandardApproachunderArticles8-11ECHRandArticle2ECHR’(2009)<http://ec.europa.eu/justice/news/events/conference_dp_2009/presentations_speeches/KORFF_Douwe_a.pdf>accessed10April2018LarduinatX, ‘BiometricsandtheNextFinancialSectorRevolution’(blog.Gemalto,22May2018)<https://blog.gemalto.com/financial-services/2018/05/22/biometrics-and-the-next-financial-sector-revolution/>accessed30September2018LeBlancJ,‘KillAllPasswords’(2015)<http://www.slideshare.net/jcleblanc/kill-all-passwords>accessed30May2016Microsoft’sTransparencyReport[2018]<https://www.microsoft.com/en-us/about/corporate-responsibility/lerr/>accessed10April2018Microsoft,LawEnforcementRequestsReport<https://www.microsoft.com/about/csr/transparencyhub/lerr>accessed10April2018Stalla-BourdillonS,‘theGDPRandtheBiggestMessofAll:WhyAccurateLegalDefinitionsReallyMatter…’blogpost(PeepBeep,12April2016)<https://peepbeep.wordpress.com/2016/04/12/the-gdpr-and-the-biggest-mess-of-all-why-accurate-legal-definitions-really-matter/>accessed30May2016WoodsL,‘DataRetentionandNationalLaw:theECJRulinginJoinedCasesC-203/15andC-698/15Tele2andWatson(GrandChamber)’(EULawAnalysis,21December2016)<http://eulawanalysis.blogspot.nl/2016/12/data-retention-and-national-law-ecj.html>accessed1August2017

Samenvatting

Biometrische technologieën zijn overal in ons dagelijks leven. Lange tijd werden zijslechtsingezetdoorderechtshandhavingsautoriteiten(hiernatenbehoevevandelees-baarheid:politie)enbijgrenscontroles,maarbiometrischetechnologieënwordentegen-woordigookveelgebruiktdoorprivatepartijen.Vingerafdrukken,gezichtsscans,stem-enirisherkenningwordenallengebruiktomtransactiestevoltooien,toegangtekrijgentotwerkplekken,enommobieleapparatenmeeteontgrendelen.Socialemediabevattenookeengrotehoeveelheidpersoonlijkegegevens,waarvansommige(zoalsgezichtsaf-beeldingen)kunnenwordenomgewerktvoorbiometrischeherkenningsdoeleinden.Om-datdezegegevensgebruiktkunnenwordenompersonenmeeteidentificeren,vormenzijeenzeerwaardevollebronvoordepolitie.Ditproefschriftrichtzichophettoenemendehergebruikvanpersoonsgegevensdieoor-spronkelijkvooreenanderdoelverzameldzijn.Inhetbijzonderfocusthetzichophetpolitiegebruikvanbiometrischegegevensdiedoorprivatepartijenverzameld zijn. ZowordtnagegaanofdenieuweEU-regelsvoorgegevensbeschermingvoldoendewaarbor-genbiedenaanpersoneninditscenario.Deonderzoeksvraagluidtalsvolgt:

WelkewaarborgenbiedthetnieuweEU-kadervoorgegevensbeschermingaanna-tuurlijkepersonenvanwiebiometrischegegevens,dieoorspronkelijkdoorprivatepartijenverzameldzijn,verwerktwordenvoorpolitiedoeleindendoorbevoegdeau-toriteiten?

VoordathethuidigeEU-kadervoorgegevensbeschermingwerdaangenomen,warenderegelsvoordeverwerkingvanpersoonsgegevensverdeeldtussendeRichtlijnGegevens-bescherming(Richtlijn95/46/EG)eneenlappendekenvanverschillendeinstrumentendievantoepassingwarenoppolitiëleenjustitiëlesamenwerking.Ditgefragmenteerdejuridischekaderisvervangendoorééninstrumentdatvantoepassingisopdeverwerkingvanpersoonsgegevensinallesectoren(Verordening2016/679,deAlgemeneVerorde-ningGegevensbeschermingofdeAVG)enéénmeerspecifiekerichtlijnvoordeverwer-kingvanpersoonsgegevensindepolitiëleenstrafrechtelijkecontext(Richtlijn2016/680,ofde‘Politie’-Richtlijn).Dekernvanhetonderzoekwordtgevormddoorhetraakvlaktus-sendezetweeinstrumentenendegevolgendaarvanvoordewaarborgenvoornatuurlijkepersonen.Ditboekwerkbestaatuitviergepubliceerdeartikelenenéénnognietgepubliceerdarti-kel,waarineenaantalbelangrijkebevindingenzijngedaan.Teneersteheefthetonder-zoekaangetoonddatereengroteafstandbestaattussendejuridischeentechnischedefi-nitiesvanhetkernbegrip‘biometrischegegevens.’Watbijhetbeginvanhetonderzoekeenterminologischprobleemleektezijn,werdeenkritischediscussieoverdereikwijdtevanhetbegripnaarmatehetonderzoekvorderde.Zoalsuitgelegdinhoofdstuk2,warenbiometrische gegevens niet juridisch gedefinieerd in het oude EU-gegevensbescher-mingslandschap.Ditiswelhetgevalinhetnieuwekadermaar,zoistelezeninhoofdstuk

199

Biometrische technologieën zijn overal in ons dagelijks leven. Lange tijd werden zijslechtsingezetdoorderechtshandhavingsautoriteiten(hiernatenbehoevevandelees-baarheid:politie)enbijgrenscontroles,maarbiometrischetechnologieënwordentegen-woordigookveelgebruiktdoorprivatepartijen.Vingerafdrukken,gezichtsscans,stem-enirisherkenningwordenallengebruiktomtransactiestevoltooien,toegangtekrijgentotwerkplekken,enommobieleapparatenmeeteontgrendelen.Socialemediabevattenookeengrotehoeveelheidpersoonlijkegegevens,waarvansommige(zoalsgezichtsaf-beeldingen)kunnenwordenomgewerktvoorbiometrischeherkenningsdoeleinden.Om-datdezegegevensgebruiktkunnenwordenompersonenmeeteidentificeren,vormenzijeenzeerwaardevollebronvoordepolitie.Ditproefschriftrichtzichophettoenemendehergebruikvanpersoonsgegevensdieoor-spronkelijkvooreenanderdoelverzameldzijn.Inhetbijzonderfocusthetzichophetpolitiegebruikvanbiometrischegegevensdiedoorprivatepartijenverzameld zijn. ZowordtnagegaanofdenieuweEU-regelsvoorgegevensbeschermingvoldoendewaarbor-genbiedenaanpersoneninditscenario.Deonderzoeksvraagluidtalsvolgt:

WelkewaarborgenbiedthetnieuweEU-kadervoorgegevensbeschermingaanna-tuurlijkepersonenvanwiebiometrischegegevens,dieoorspronkelijkdoorprivatepartijenverzameldzijn,verwerktwordenvoorpolitiedoeleindendoorbevoegdeau-toriteiten?

VoordathethuidigeEU-kadervoorgegevensbeschermingwerdaangenomen,warenderegelsvoordeverwerkingvanpersoonsgegevensverdeeldtussendeRichtlijnGegevens-bescherming(Richtlijn95/46/EG)eneenlappendekenvanverschillendeinstrumentendievantoepassingwarenoppolitiëleenjustitiëlesamenwerking.Ditgefragmenteerdejuridischekaderisvervangendoorééninstrumentdatvantoepassingisopdeverwerkingvanpersoonsgegevensinallesectoren(Verordening2016/679,deAlgemeneVerorde-ningGegevensbeschermingofdeAVG)enéénmeerspecifiekerichtlijnvoordeverwer-kingvanpersoonsgegevensindepolitiëleenstrafrechtelijkecontext(Richtlijn2016/680,ofde‘Politie’-Richtlijn).Dekernvanhetonderzoekwordtgevormddoorhetraakvlaktus-sendezetweeinstrumentenendegevolgendaarvanvoordewaarborgenvoornatuurlijkepersonen.Ditboekwerkbestaatuitviergepubliceerdeartikelenenéénnognietgepubliceerdarti-kel,waarineenaantalbelangrijkebevindingenzijngedaan.Teneersteheefthetonder-zoekaangetoonddatereengroteafstandbestaattussendejuridischeentechnischedefi-nitiesvanhetkernbegrip‘biometrischegegevens.’Watbijhetbeginvanhetonderzoekeenterminologischprobleemleektezijn,werdeenkritischediscussieoverdereikwijdtevanhetbegripnaarmatehetonderzoekvorderde.Zoalsuitgelegdinhoofdstuk2,warenbiometrische gegevens niet juridisch gedefinieerd in het oude EU-gegevensbescher-mingslandschap.Ditiswelhetgevalinhetnieuwekadermaar,zoistelezeninhoofdstuk

200 2

3,dewettelijkedefinitievanbiometrischegegevensisonnauwkeurigenstaatlosvandewetenschappelijkebetekenis.Deanalysetoontverder,opbasisvandedefinitievanbio-metrischegegevens(artikel4,lid14,AVG)envaneenoverwegingwaarinwordtbepaaldwanneer foto’s biometrische gegevens bevatten (overweging 11 AVG), inconsistentiesaanindebetekenisvan‘uniekeidentificatie.’Ditproefschriftsteltdat‘uniekeidentifica-tie’metbetrekkingtotbiometrischegegevensmoetwordenbegrepenvanuithetoogpuntvangegevensbescherminginplaatsvandebiometrischeidentificatiemodaliteit.Hetbe-palenvandebetekenisvandeze‘uniekeidentificatie’iscruciaalomdathetcriteriumookwordtgebruiktombiometrischegegevenstekunnenclassificerenalsgevoeligegegevens.Volgensartikel9,lid1AVGenartikel10vande‘Politie’-Richtlijnzijnalleenbiometrischegegevensdiewordenverwerktomeennatuurlijkepersoon‘uniekteidentificeren’gevoe-ligegegevens.Nadezebehandelingvandewettelijkeentechnischeachtergrond,bespreektdestudiehetscenariowaarindepolitiepersoonlijkegegevensverwerktdiezijnverzamelddoorparticulierepartijen.Dehoofdstukken4en5richtenzichophetraakvlaktussendeAVGende ‘Politie’-Richtlijn.Hoewel deAVGvan toepassing is opde verzameling vanper-soonsgegevensdoorprivatepartijen,zijnderegelsinde‘Politie’-Richtlijnvantoepassingophetlateregebruikvandezegegevensdoordepolitievooreenwetshandhavingsdoel-eind.GeenvanbeideinstrumentenbiedtechterduidelijkeregelsoverdestatusvanhetlateregebruikvanAVG-gegevensdoordepolitie.Hoofdstuk4onderzoektofde‘Politie’-Richtlijnadequatewaarborgenbiedtaanpersonenvanwiedepersoonsgegevens,verzameldonderdeAVG,opnieuwwordenverwerktvol-gensde‘Politie’-Richtlijn.DeanalysebouwtvoortopdejurisprudentievanhetEuropeesHofvanJustitie(hierna:hetHof)inzakedezogenaamdegegevensretentieverplichtingenmeer specifiekopDigitalRights Ireland enTele2Sverige.De scenario’sdieaandeoor-sprongliggenvandezebeslissingenvanhetHofzijnandersdanwelkeinditproefschriftbehandeldworden.Inhetgevalvangegevensretentiezijnprivatepartijenwettelijkver-plichtomdeverzameldegegevenstebewaren,zodatdepolitiehiertoegangtoekankrij-genendezekanverwerken.AangezienhetHofduidelijkonderscheidmaaktetussenre-tentieentoegang/hergebruik,wordtinditonderzoeknaaranalogievandebevindingenvanhetHofmetbetrekkingtotdittweedeaspectgeredeneerd.Alsgevolghiervankomtdezestudietotdeconclusiedatde‘Politie’-Richtlijnmogelijkgeenafdoendeprocedureleenwezenlijkewaarborgenbiedt.InhetbijzonderschietdeRichtlijntekortopdevolgendepunten:dedefinitievan‘objectievecriteria’diedevoorwaardenvoortoegangengebruikdoorwetshandhaversbepaalt;despecifiekeprocedurelevoorschriftenbetreffendehetvooronderzoekvaneentoegangsverzoek,endeformuleringvanhetrechtopinformatie.MetbetrekkingtothetlaatstepuntoordeeldehetHofdatnatuurlijkepersonenwiensge-gevensdoordepolitiezijngeraadpleegdhierovermoetenwordengeïnformeerd.Hiermeemaggewachtwordentotdat lopendonderzoekenniet langergeschaadzoudenkunnen

worden.Dezekennisgevinggeeftdebetrokkenendemogelijkheidomeenberoepintestellenbijeenrechter,evenalsdemogelijkheidomgebruiktemakenvanandererechten(zoalshetrechtvantoegang).Inhetonderzoekrijzentwijfelsoverdevraagofhetrechtopinformatie,zoalsgeformuleerdinartikel13vande‘Politie’-Richtlijn,rechtshandha-vingsinstantiesverplichtompersonenervaninkennistestellendathungegevenszijnverwerkt. Sommigeauteursmenendat artikel13, lid2, dezeverplichting zoukunnenovernemen.Dezebepalingverwijstechternochnaareenmeldingsplicht,nochnaareenspecifiektijdstipwaaropeendergelijkekennisgevingmoetwordengedaan.Tenslottebe-spreekthoofdstuk4kortderolvanhetdoelbindingsprincipealseenwaarborgbijhether-gebruikenvanpersoonsgegevensoverdetweeinstrumenten.Ditlaatstepuntvormtdeovergangnaarhetvolgendehoofdstuk,datvolledigopdatprincipegerichtis.DeanalysevandebepalingenindeAVGende‘Politie’-Richtlijntoontaandathetdoelbin-dingsprincipegeenduidelijkerolspeelt inhetgevalvan(her)verwerkingdiedebeideinstrumentenkruist.Deze conclusie isomminstens twee redenenproblematisch.Teneerstemaakthetbeginseldeeluitvanhetfundamentelerechtopgegevensbeschermingdatisvastgelegdinartikel8vanhetHandvestvandeGrondrechtenvandeEuropeseUnie.Opdezemanierzouheteengarantiemoetenvormenvoordebeschermingvanpersoon-lijkegegevens.Tentweedeheefthetprincipetotdoelomdevoorwaardenvoordever-dereverwerkingvanpersoonsgegevensintekaderen.Afwijkingenenuitzonderingenophetprincipezijnmogelijk;deverwerkingmoetdanechtervoldoenaanspecifiekevoor-waarden.Hoofdstuk5concludeertdathetscenariowaarditproefschriftopfocustnochdeeluitmaaktnochwordtopgehelderdineenoverwegingvanéénvandebeideinstru-menten.Hetlijkterzelfsopdateenkeuzehieroveropzettelijkisvermeden,zodatdelid-staten vrij kunnen beslissen hoe zij de herverwerking van AVG-persoonsgegevens opgrondvanderegelsuitde‘Politie’-Richtlijninrichten.Dezesituatielegtdeklooftussendetweeinstrumentenblootenwerptlichtopdeproblemendiewordenveroorzaaktdoordesplitsingvanregelstussentweeverschillendeinstrumenten.Afsluitendanalyseertditonderzoekgegevensbeschermingdoorontwerpenstandaard-instellingen(dataprotectionbydesignandbydefault)engegevensbeschermingseffectbe-oordelingen(dataprotectionimpactassessments,hierna:GBEB)ineenpogingomaanbe-velingentedoen.BeidemaatregelenzijninhetnieuweEU-kadervoorgegevensbescher-ming geïntroduceerd als verantwoordingsinstrumenten voor de verwerkingsverant-woordelijken.Zoalsinhoofdstuk6wordtgesuggereerd,kunnendezehulpmiddelenookextrawaarborgenbiedenvoornatuurlijkepersonenwiens gegevensopnieuwwordenverwerkt voor politiedoeleinden. Noch de AVG, noch de ‘Politie’-Richtlijn biedt echterspecifieke richtsnoeren voor de toepassing of uitvoering ervan. Gegevensbeschermingdoorontwerpenstandaardinstellingenzijnoverkoepelendprincipesdiezowelgegevens-beschermingsbeleidalsspecifiekoplossingenvoorhetbehoudvanprivacykunnenom-vatten(zoalsversleutelingenanonimisering).GBEBszijneenaanvullendhulpmiddeldat

201 2

3,dewettelijkedefinitievanbiometrischegegevensisonnauwkeurigenstaatlosvandewetenschappelijkebetekenis.Deanalysetoontverder,opbasisvandedefinitievanbio-metrischegegevens(artikel4,lid14,AVG)envaneenoverwegingwaarinwordtbepaaldwanneer foto’s biometrische gegevens bevatten (overweging 11 AVG), inconsistentiesaanindebetekenisvan‘uniekeidentificatie.’Ditproefschriftsteltdat‘uniekeidentifica-tie’metbetrekkingtotbiometrischegegevensmoetwordenbegrepenvanuithetoogpuntvangegevensbescherminginplaatsvandebiometrischeidentificatiemodaliteit.Hetbe-palenvandebetekenisvandeze‘uniekeidentificatie’iscruciaalomdathetcriteriumookwordtgebruiktombiometrischegegevenstekunnenclassificerenalsgevoeligegegevens.Volgensartikel9,lid1AVGenartikel10vande‘Politie’-Richtlijnzijnalleenbiometrischegegevensdiewordenverwerktomeennatuurlijkepersoon‘uniekteidentificeren’gevoe-ligegegevens.Nadezebehandelingvandewettelijkeentechnischeachtergrond,bespreektdestudiehetscenariowaarindepolitiepersoonlijkegegevensverwerktdiezijnverzamelddoorparticulierepartijen.Dehoofdstukken4en5richtenzichophetraakvlaktussendeAVGende ‘Politie’-Richtlijn.Hoewel deAVGvan toepassing is opde verzameling vanper-soonsgegevensdoorprivatepartijen,zijnderegelsinde‘Politie’-Richtlijnvantoepassingophetlateregebruikvandezegegevensdoordepolitievooreenwetshandhavingsdoel-eind.GeenvanbeideinstrumentenbiedtechterduidelijkeregelsoverdestatusvanhetlateregebruikvanAVG-gegevensdoordepolitie.Hoofdstuk4onderzoektofde‘Politie’-Richtlijnadequatewaarborgenbiedtaanpersonenvanwiedepersoonsgegevens,verzameldonderdeAVG,opnieuwwordenverwerktvol-gensde‘Politie’-Richtlijn.DeanalysebouwtvoortopdejurisprudentievanhetEuropeesHofvanJustitie(hierna:hetHof)inzakedezogenaamdegegevensretentieverplichtingenmeer specifiekopDigitalRights Ireland enTele2Sverige.De scenario’sdieaandeoor-sprongliggenvandezebeslissingenvanhetHofzijnandersdanwelkeinditproefschriftbehandeldworden.Inhetgevalvangegevensretentiezijnprivatepartijenwettelijkver-plichtomdeverzameldegegevenstebewaren,zodatdepolitiehiertoegangtoekankrij-genendezekanverwerken.AangezienhetHofduidelijkonderscheidmaaktetussenre-tentieentoegang/hergebruik,wordtinditonderzoeknaaranalogievandebevindingenvanhetHofmetbetrekkingtotdittweedeaspectgeredeneerd.Alsgevolghiervankomtdezestudietotdeconclusiedatde‘Politie’-Richtlijnmogelijkgeenafdoendeprocedureleenwezenlijkewaarborgenbiedt.InhetbijzonderschietdeRichtlijntekortopdevolgendepunten:dedefinitievan‘objectievecriteria’diedevoorwaardenvoortoegangengebruikdoorwetshandhaversbepaalt;despecifiekeprocedurelevoorschriftenbetreffendehetvooronderzoekvaneentoegangsverzoek,endeformuleringvanhetrechtopinformatie.MetbetrekkingtothetlaatstepuntoordeeldehetHofdatnatuurlijkepersonenwiensge-gevensdoordepolitiezijngeraadpleegdhierovermoetenwordengeïnformeerd.Hiermeemaggewachtwordentotdat lopendonderzoekenniet langergeschaadzoudenkunnen

worden.Dezekennisgevinggeeftdebetrokkenendemogelijkheidomeenberoepintestellenbijeenrechter,evenalsdemogelijkheidomgebruiktemakenvanandererechten(zoalshetrechtvantoegang).Inhetonderzoekrijzentwijfelsoverdevraagofhetrechtopinformatie,zoalsgeformuleerdinartikel13vande‘Politie’-Richtlijn,rechtshandha-vingsinstantiesverplichtompersonenervaninkennistestellendathungegevenszijnverwerkt. Sommigeauteursmenendat artikel13, lid2, dezeverplichting zoukunnenovernemen.Dezebepalingverwijstechternochnaareenmeldingsplicht,nochnaareenspecifiektijdstipwaaropeendergelijkekennisgevingmoetwordengedaan.Tenslottebe-spreekthoofdstuk4kortderolvanhetdoelbindingsprincipealseenwaarborgbijhether-gebruikenvanpersoonsgegevensoverdetweeinstrumenten.Ditlaatstepuntvormtdeovergangnaarhetvolgendehoofdstuk,datvolledigopdatprincipegerichtis.DeanalysevandebepalingenindeAVGende‘Politie’-Richtlijntoontaandathetdoelbin-dingsprincipegeenduidelijkerolspeelt inhetgevalvan(her)verwerkingdiedebeideinstrumentenkruist.Deze conclusie isomminstens twee redenenproblematisch.Teneerstemaakthetbeginseldeeluitvanhetfundamentelerechtopgegevensbeschermingdatisvastgelegdinartikel8vanhetHandvestvandeGrondrechtenvandeEuropeseUnie.Opdezemanierzouheteengarantiemoetenvormenvoordebeschermingvanpersoon-lijkegegevens.Tentweedeheefthetprincipetotdoelomdevoorwaardenvoordever-dereverwerkingvanpersoonsgegevensintekaderen.Afwijkingenenuitzonderingenophetprincipezijnmogelijk;deverwerkingmoetdanechtervoldoenaanspecifiekevoor-waarden.Hoofdstuk5concludeertdathetscenariowaarditproefschriftopfocustnochdeeluitmaaktnochwordtopgehelderdineenoverwegingvanéénvandebeideinstru-menten.Hetlijkterzelfsopdateenkeuzehieroveropzettelijkisvermeden,zodatdelid-staten vrij kunnen beslissen hoe zij de herverwerking van AVG-persoonsgegevens opgrondvanderegelsuitde‘Politie’-Richtlijninrichten.Dezesituatielegtdeklooftussendetweeinstrumentenblootenwerptlichtopdeproblemendiewordenveroorzaaktdoordesplitsingvanregelstussentweeverschillendeinstrumenten.Afsluitendanalyseertditonderzoekgegevensbeschermingdoorontwerpenstandaard-instellingen(dataprotectionbydesignandbydefault)engegevensbeschermingseffectbe-oordelingen(dataprotectionimpactassessments,hierna:GBEB)ineenpogingomaanbe-velingentedoen.BeidemaatregelenzijninhetnieuweEU-kadervoorgegevensbescher-ming geïntroduceerd als verantwoordingsinstrumenten voor de verwerkingsverant-woordelijken.Zoalsinhoofdstuk6wordtgesuggereerd,kunnendezehulpmiddelenookextrawaarborgenbiedenvoornatuurlijkepersonenwiens gegevensopnieuwwordenverwerkt voor politiedoeleinden. Noch de AVG, noch de ‘Politie’-Richtlijn biedt echterspecifieke richtsnoeren voor de toepassing of uitvoering ervan. Gegevensbeschermingdoorontwerpenstandaardinstellingenzijnoverkoepelendprincipesdiezowelgegevens-beschermingsbeleidalsspecifiekoplossingenvoorhetbehoudvanprivacykunnenom-vatten(zoalsversleutelingenanonimisering).GBEBszijneenaanvullendhulpmiddeldat

202

alleenwordtgebruiktalseenverwerkingshandeling‘waarschijnlijktoteenhoogrisico’leidtvoorderechtenenvrijhedenvannatuurlijkepersonen.HoeweldeAVGrichtlijnenbevatoverwateen‘hoogrisico’kanvormen,ontbrekendezeinde‘Politie’-Richtlijn.Meerinhetbijzonderwordt‘elktypeverwerkingvanbiometrischegegevens’nietals‘hoogri-sico’beschouwd.VolgenshetEuropeesComitévoorgegevensbeschermingleidtdever-werkingvanbiometrischegegevensalleentoteenGBEBalsdeverwerkingleidttotge-voeligegegevens(d.w.z.biometrischgegevenswordenverwerktomeenpersoonuniekteidentificeren)en/ofeenandercriteriumaanwezigis(zoalsverwerkingopgroteschaalofresulterendsystematischtoezicht).Opbasisvandezebeschouwingvandebepalingenvanbeideinstrumenten,wordtinhoofdstuk6opgeroepenomdepolitieverwerkingvanbiometrischegegevensdiezijnverzamelddoorprivatepartijentebeschouwenals‘hoogrisico’-procesdatdeverplichtingtothetuitvoerenvaneenGBEBteweegbrengt.Eengezaghebbendeinterpretatievandenieuweregelsisnoodzakelijk.Zoalsvoorgesteldindeverschillendehoofdstukkenvanhetonderzoek,kunnenhiervoorverschillendepa-denwordenbewandeld,ookallijkthetdatgeenvanhendeperfecteoplossingbiedt.TeneerstezouhetEuropeesComitévoorGegevensbescherming(datdeGroepGegevensbe-schermingArtikel29vervangt)aanbevelingenenrichtsnoerenkunnenuitvaardigenomteverduidelijkenwatdereikwijdtevanderegelsisenwatdevoorwaardenzijnwaaron-der biometrische gegevens als gevoelige gegevens worden beschouwd. Er zijn voortsrichtsnoerennodigmetbetrekkingtotderegelsdievantoepassingzijnopdeverwerkingvanpersoonsgegevensdiedetweeinstrumentenkruist.Derichtlijnenenaanbevelingenvan het Europees Comité zijn echter niet bindend. Ten tweede, aangezien Richtlijn2016/680indelidstatenisgeïmplementeerd,kunnennationalerechtbankenprejudiciëlevragenstellenaanhetHofvanJustitieopbasisvannationalebepalingen.Hoewelditpadderechtszekerheidhetbestewaarborgt,zalditeenlangewegzijnenzalhetdeijvervaneenactivistischeburgervereisenomeengerechtelijkeprocedureopnationaalniveautestarten.

University of Groningen Reprocessing of biometric data for law enforcement … · 2019-07-11 ·...

Documents

Transcript of University of Groningen Reprocessing of biometric data for law enforcement … · 2019-07-11 ·...