Towards a global data protection framework in the field of law enforcement : an EU perspective

Abstract

This thesis seeks to examine the existing EU frameworks for data-sharing for law enforcement purposes, both within the EU and between the EU and third countries, the data protection challenges to which these give rise, and the possible responses to those challenges at both EU and global levels. The analysis follows a bottom-up approach, starting with an examination of the EU internal data-sharing instruments. After that, it studies the data transfers conducted under the scope of an international agreement; and finally, it concludes by discussing the current international initiatives for creating universal data protection standards. As for the EU data-sharing instruments, this thesis demonstrates that these systems present shortcomings with regard to their implementation and usage. Moreover, each instrument has its own provisions on data protection and, despite the adoption of a Framework Decision in 2008, this has not brought about a convergence of data protection rules in the JHA field. A similar multiplicity of instruments is also found when the EU transfers data to third countries for the purpose of preventing and combating crimes. This is evident from examining the existing data-sharing agreements between the EU and the US. Each agreement has a section on data protection and data security rules, which again differ from the general clauses of the 2008 Framework Decision. This study demonstrates the influence of US interests on such agreements, as well as on the ongoing negotiations for an umbrella EU-US Data Protection Agreement. One possible way to ensure a high level of EU data protection standards in the field of law enforcement in the face of US pressure is by enhancing the role of Europol. This EU Agency shares information with EU member states and third countries. This thesis demonstrates that Europol has a full-fledged data protection framework, which is stronger than most of the member states’ privacy laws. However, taking Europol rules as a reference for global standards would only partially achieve the desired result. The exchange of data for security purposes does not only involve law enforcement authorities, but also intelligence services. The recent NSA revelations have shown that the programmes used by these bodies to collect and process data can be far more intrusive and secretive than any current law enforcement system. In view of the above, this thesis explores the potential of CoE Convention 108 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and ii the Cybercrime Convention as the basis for a global regime for data protection in law enforcement. This thesis concludes that an optimum global data protection framework would entail a combination of the 108 CoE Data Protection Convention and the Cybercrime Convention. The cumulative effect of these two legal instruments would bind both law enforcement and intelligence services in the processing of data. In sum, by promoting the Europol approach to data protection and existing Council of Europe rules, the EU could play a crucial role in the creation of global data protection standards.