
15. Personal data and Law Enforcement Activities

Outline of the chapter 

This chapter will focus on the use of personal data in law enforcement activities. It will discuss the case of data retention within the EU as well as the consequences of the invalidation of the Data Retention Directive. Furthermore, it will introduce another EU legal instrument for the harmonization of law enforcement activities related to data processing and exchange of personal data, namely the Law Enforcement Directive (LED).

The topics discussed are:

  • Changes in law enforcement procedures (15.1)
  • The Law Enforcement Directive (15.2)
  • Data retention for law enforcement purposes (15.3)
  • Predictive policing and the AI act (15.4)

(15.1) Changes in law enforcement procedures

With the rapid advancement of technology, the tools that law enforcement authorities have at their disposal for investigation, and especially for surveillance, have changed significantly. Physical surveillance has transformed into dataveillance. The amount of data that we continuously create and leave behind, for example location data and communication data, makes any physical surveillance superfluous. We carry state-of-the-art surveillance tools with us: it is enough to think of the smart devices and all the apps that we use daily. The change in the methods and technology used for surveillance has made it easier, and normal, to shift from targeted surveillance to mass surveillance. This has inevitably led to a distortion of the classic legal safeguards that must be provided to individuals. These include, for example, the right to the presumption of innocence and the right not to incriminate oneself, both of which were studied under the right to a fair trial in Chapter 6 of this book.

Due to the almost unrebuttable nature of digital evidence, the right to the presumption of innocence has shifted to something close to a presumption of guilt. This shifts the burden of proof, requiring the suspect to actively prove their innocence.[1]

The dilution of the right not to incriminate oneself was also discussed in Chapter 6. While one is not obliged to provide one's passwords for a criminal investigation, in 2021 the Dutch Supreme Court ruled that forcing suspects to provide access to their smartphone with a fingerprint is not a breach of the privilege against self-incrimination.[2]

Since the preventive, investigative, detective, etc. activities of law enforcement authorities clearly fall under the definition of State interference with the private sphere of individuals, the right to privacy has been extensively used to protect individuals from unlawful interference. This can also be seen in the extensive case law of the ECtHR. However, the right to privacy does not protect individuals with regard to the unlawful processing of their personal data. The examples below show that the right to privacy is not enough.

a. Surveillance of individuals in public spaces

ECtHR, P.G. and J.H. v. the United Kingdom, Application no. 44787/98, 25 December 2001

[57] There are a number of elements relevant to a consideration of whether a person’s private life is concerned by measures effected outside a person’s home or private premises. Since there are occasions when people knowingly or intentionally involve themselves in activities which are or may be recorded or reported in a public manner, a person’s reasonable expectations as to privacy may be a significant, although not necessarily conclusive, factor. A person who walks down the street will, inevitably, be visible to any member of the public who is also present. Monitoring by technological means of the same public scene (for example, a security guard viewing through closed-circuit television) is of a similar character. Private-life considerations may arise, however, once any systematic or permanent record comes into existence of such material from the public domain.

Following the reasoning of the ECtHR in the case above, the right to privacy protects personal data of individuals collected in open space only when a permanent or systematic recording has taken place; thus, not all data and not in all circumstances. The right to data protection, on the other hand, focuses on protecting personal data as defined under article 4(1) GDPR, without distinguishing between the public or non-public nature of the data. While an interference with the private life of the individual for activities taking place in public will not always fall under the protection of the right to privacy, it will fall under the protection of the right to data protection.

b. Identified or identifiable individual

ECtHR, Friedl v Austria, application No. 15225/89, 19 May 1994

[49]   In the present case, the Commission has noted the following elements: first, there was no intrusion into the “inner circle” of the applicant’s private life in the sense that the authorities entered his home and took the photographs there; secondly, the photographs related to a public incident, namely a manifestation of several persons in a public place, in which the applicant was voluntarily taking part; and thirdly, they were solely taken for the purposes, on 17 February 1988, of recording the character of the manifestation and the actual situation at the place in question, e.g. the sanitary conditions, and, on 19 February 1988, of recording the conduct of the participants in the manifestation in view of ensuing investigation proceedings for offences against the Road Traffic Regulations.

[50]   In this context, the Commission attaches weight to the assurances given by the respondent Government according to which the individual persons on the photographs taken remained anonymous in that no names were noted down, the personal data recorded and photographs taken were not entered into a data processing system, and no action was taken to identify the persons photographed on that occasion by means of data processing.

[51]   Bearing these factors in mind, the Commission finds that the taking of photographs of the applicant and their retention do not amount to an interference with his right to respect for his private life within the meaning of Article 8 para. 1 (Art. 8-1) of the Convention.

In the above case it was ruled that a distinction is to be made regarding the taking and keeping of photographs depending on the purpose. Taking photos without identifying the subjects is not considered to interfere with art. 8(1) ECHR; thus, there is no interference with the right to privacy. However, under the right to data protection, a data subject is also protected when not directly identified but identifiable. This is clearly stated in the definition in article 4(1) GDPR as well as in the case law of the CJEU discussed in Chapter 10 of this book.

c. Incidental collection of data or incidental surveillance

ECtHR, Kruslin v France, application no. 11801/85, 25 April 1990

[34]   The Court does not in any way minimise the value of several of the safeguards, in particular the need for a decision by an investigating judge, who is an independent judicial authority; the latter’s supervision of senior police officers and the possible supervision of the judge himself by the Indictment Division, by trial courts and courts of appeal and, if need be, by the Court of Cassation; the exclusion of any “subterfuge” or “ruse” consisting not merely in the use of telephone tapping but in an actual trick, trap or provocation; and the duty to respect the confidentiality of relations between suspect or accused and lawyer.

It has to be noted, however, that only some of these safeguards are expressly provided for in Articles 81, 151 and 152 of the Code of Criminal Procedure. Others have been laid down piecemeal in judgments given over the years, the great majority of them after the interception complained of by Mr Kruslin (June 1982). Some have not yet been expressly laid down in the case-law at all, at least according to the information gathered by the Court; the Government appear to infer them either from general enactments or principles or else from an analogical interpretation of legislative provisions – or court decisions – concerning investigative measures different from telephone tapping, notably searches and seizure of property. Although plausible in itself, such “extrapolation” does not provide sufficient legal certainty in the present context.

Thus, in cases of incidental collection of data, the right to privacy is not automatically considered infringed, in light of the margin of appreciation left to the States, for as long as it is possible to challenge the surveillance mandate before national courts. However, such a situation qualifies as an infringement of the right to data protection, since two of the principles of article 5 GDPR are infringed: the principle of purpose limitation (art 5(1)(b)) and the principle of data minimisation (art 5(1)(c)).

The example below shows a situation that would not have amounted to a violation of the right to privacy under any of the three situations explained above: i. activity taking place in public; ii. no identification of data subjects; iii. incidental collection of data. However, a fine was issued for violation of the GDPR.

The Dutch Supervisory Authority fined the municipality of Enschede EUR 600,000 in 2021. The municipality had installed special measurement boxes to measure crowds in the city center. Sensors in the measurement boxes detected the wifi signals from the cell phones of passers-by and registered them with a code. Based on the registered codes, it was possible to calculate how busy the city center was. However, this also made it possible to track which measurement box a particular cell phone passed by, making it possible to track the movement of passers-by.
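Why one registered code per phone serves both crowd counting and movement tracking can be seen in a small simulation. This is an added example, not code from the municipality or the supervisory authority; the hashing schemes, the box names, the 15-minute window and the sample device addresses are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

WINDOW_MINUTES = 15  # assumed counting interval

# Constructed sample observations: (measurement box, minute, device address).
OBSERVATIONS = [
    ("box-A", 0, "02:00:00:00:00:01"),
    ("box-A", 0, "02:00:00:00:00:02"),
    ("box-B", 5, "02:00:00:00:00:01"),
    ("box-B", 5, "02:00:00:00:00:03"),
    ("box-C", 9, "02:00:00:00:00:01"),
]


def stable_coder(mac, sensor, window):
    """Assumed 'before' design: one code per phone, identical at every box."""
    return hashlib.sha256(mac.encode()).hexdigest()[:12]


def make_scoped_coder(key):
    """Assumed data-minimising design: the code depends on box and window.

    The key is meant to be held only in memory and discarded when rotated,
    so codes from different boxes or windows cannot be matched afterwards.
    """
    def coder(mac, sensor, window):
        msg = f"{sensor}|{window}|{mac}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]
    return coder


def register(observations, coder):
    """Turn raw sightings into the records a measurement system would store."""
    records = []
    for sensor, minute, mac in observations:
        window = minute // WINDOW_MINUTES
        records.append((sensor, minute, coder(mac, sensor, window)))
    return records


def crowd_counts(records):
    """Distinct codes per (box, window): the stated purpose of the system."""
    seen = defaultdict(set)
    for sensor, minute, code in records:
        seen[(sensor, minute // WINDOW_MINUTES)].add(code)
    return {slot: len(codes) for slot, codes in seen.items()}


def trajectories(records):
    """Codes that can be followed across more than one box, in time order."""
    paths = defaultdict(list)
    for sensor, minute, code in sorted(records, key=lambda r: r[1]):
        if not paths[code] or paths[code][-1] != sensor:
            paths[code].append(sensor)
    return {code: path for code, path in paths.items() if len(path) > 1}


if __name__ == "__main__":
    for name, coder in [("stable code", stable_coder),
                        ("scoped code", make_scoped_coder(os.urandom(32)))]:
        records = register(OBSERVATIONS, coder)
        print(name)
        print("  counts:", crowd_counts(records))
        print("  linkable paths:", list(trajectories(records).values()))
```

Both designs yield the same crowd counts on this sample; only the stable code lets a single phone be followed from box to box, which goes beyond what counting requires under the data minimisation principle of art 5(1)(c) GDPR.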

(15.2) The Law Enforcement Directive (LED)

The LED is an EU secondary legal instrument which harmonizes the requirements for the processing of data in law enforcement activities. It replaces the 2008 Council Framework Decision and has a broader scope of application – in addition to covering activities aimed at preventing, investigating, detecting and prosecuting criminal offences, it also covers prevention of threats to public (not national) security. The rules on data processing in the LED are aligned with those established by the GDPR in order to ensure that the general principles are applicable and thus individuals retain their rights, including compensation and access to supervisory authorities.

There are various reasons why the processing of data in the framework of law enforcement activities is regulated in a separate Directive and not in the GDPR. The first and main reason lies in the fact that criminal law and procedure are not harmonised at EU level. As a result, national criminal law procedures vary from one Member State to another. As such, the field is better suited for harmonization through directives as opposed to regulations.

The second reason is linked with the standards for protecting data subjects. Given the nature of law enforcement activities, and especially the operational needs of authorities for data during the performance of their tasks, the LED offers lower and varied safeguards for data subjects, depending on their status as victims, witnesses, suspects, etc. The ‘transparency’ requirements in the LED, for example, are reduced. This is justified by the nature of law enforcement tasks. For the same reasons, data subject rights are also limited in cases when the right:

  • obstructs an official/legal inquiry, investigation or procedure;
  • prejudices the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
  • jeopardizes public security, national security or the rights and freedoms of others;
  • the requirement of accuracy should not appertain to the accuracy of a statement but merely to the fact that a specific statement has been made.

Recital 30 LED – The principle of accuracy of data should be applied while taking account of the nature and purpose of the processing concerned. In particular in judicial proceedings, statements containing personal data are based on the subjective perception of natural persons and are not always verifiable. Consequently, the requirement of accuracy should not appertain to the accuracy of a statement but merely to the fact that a specific statement has been made.

…..

Recital 47 LED – A natural person should have the right to have inaccurate personal data concerning him or her rectified, in particular where it relates to facts, and the right to erasure where the processing of such data infringes this Directive. However, the right to rectification should not affect, for example, the content of a witness testimony. A natural person should also have the right to restriction of processing where he or she contests the accuracy of personal data and its accuracy or inaccuracy cannot be ascertained or where the personal data have to be maintained for purpose of evidence. In particular, instead of erasing personal data, processing should be restricted if in a specific case there are reasonable grounds to believe that erasure could affect the legitimate interests of the data subject. In such a case, restricted data should be processed only for the purpose which prevented their erasure. Methods to restrict the processing of personal data could include, inter alia, moving the selected data to another processing system, for example for archiving purposes, or making the selected data unavailable. In automated filing systems the restriction of processing should in principle be ensured by technical means. The fact that the processing of personal data is restricted should be indicated in the system in such a manner that it is clear that the processing of the personal data is restricted. Such rectification or erasure of personal data or restriction of processing should be communicated to recipients to whom the data have been disclosed and to the competent authorities from which the inaccurate data originated. The controllers should also abstain from further dissemination of such data.

Recital 48 LED – Where the controller denies a data subject his or her right to information, access to or rectification or erasure of personal data or restriction of processing, the data subject should have the right to request that the national supervisory authority verify the lawfulness of the processing. The data subject should be informed of that right. Where the supervisory authority acts on behalf of the data subject, the data subject should be informed by the supervisory authority at least that all necessary verifications or reviews by the supervisory authority have taken place. The supervisory authority should also inform the data subject of the right to seek a judicial remedy.

(15.2.1) LED personal and material scope of application

To understand whether the GDPR or the LED is the applicable law in a specific situation, one must take a closer look at their scopes and purposes. While the GDPR has a wide material and personal scope, the LED applies only to competent authorities when pursuing law enforcement purposes. To reach this conclusion, Articles 1(1), 2(1) and 3(7-9) LED need to be considered jointly.

Article 1(1) LED – Subject-matter and objectives

1.   This Directive lays down the rules relating to the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

Article 2(1) LED – Scope

1.   This Directive applies to the processing of personal data by competent authorities for the purposes set out in Article 1(1).

Article 3(7-9) LED – Definitions

7. ‘competent authority’ means:

a) any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; or

b) any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

8. ‘controller’ means the competent authority which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

9. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

(15.3) Data retention for law enforcement purposes

The EU Data Retention Directive (2006/24/EC), adopted in 2006, required Member States to store metadata from electronic communications (such as phone calls, emails, and text messages) for a period of 6 months up to 2 years. The purpose was to assist law enforcement authorities in combating serious crime, including terrorism. The metadata retained included information such as call duration, location, device, communication participants, etc., but not the content of the communications.

The Court of Justice of the European Union annulled the Data Retention Directive (2006/24/EC) in its Digital Rights Ireland judgment (Joined cases C-293/12 and C-594/12) on 8 April 2014, with ex tunc effect, meaning it was void retroactively as if it had never been in force. The Court ruled that the Directive violated fundamental rights under the EU Charter of Fundamental Rights, specifically the right to privacy (Article 7 CFR) and the right to data protection (Article 8 CFR). It found the Directive disproportionate, as it required indiscriminate and bulk retention of metadata from all individuals, regardless of any link to criminal activity, and lacked sufficient safeguards against abuse or misuse of retained data.[3]

Joined Cases C‑293/12 and C‑594/12 Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others  EU:C:2014:238

33. To establish the existence of an interference with the fundamental right to privacy, it does not matter whether the information on the private lives concerned is sensitive or whether the persons concerned have been inconvenienced in any way (see, to that effect, Cases C-465/00, C-138/01 and C-139/01 Österreichischer Rundfunk and Others EU:C:2003:294, paragraph 75) […]

37. It must be stated that the interference caused by Directive 2006/24 with the fundamental rights laid down in Articles 7 and 8 of the Charter is, as the Advocate General has also pointed out, in particular, in paragraphs 77 and 80 of his Opinion, wide-ranging, and it must be considered to be particularly serious. Furthermore, as the Advocate General has pointed out in paragraphs 52 and 72 of his Opinion, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance.

Justification of the interference with the rights guaranteed by Articles 7 and 8 of the Charter

38. Article 52(1) of the Charter provides that any limitation on the exercise of the rights and freedoms laid down by the Charter must be provided for by law, respect their essence and, subject to the principle of proportionality, limitations may be made to those rights and freedoms only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.

39. So far as concerns the essence of the fundamental right to privacy and the other rights laid down in Article 7 of the Charter, it must be held that, even though the retention of data required by Directive 2006/24 constitutes a particularly serious interference with those rights, it is not such as to adversely affect the essence of those rights given that, as follows from Article 1(2) of the directive, the directive does not permit the acquisition of knowledge of the content of the electronic communications as such […]

41. As regards the question of whether that interference satisfies an objective of general interest, it should be observed that, whilst Directive 2006/24 aims to harmonise Member States’ provisions concerning the obligations of those providers with respect to the retention of certain data which are generated or processed by them, the material objective of that directive is, as follows from Article 1(1) thereof, to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law. The material objective of that directive is, therefore, to contribute to the fight against serious crime and thus, ultimately, to public security […]

44. It must therefore be held that the retention of data for the purpose of allowing the competent national authorities to have possible access to those data, as required by Directive 2006/24, genuinely satisfies an objective of general interest.

45. In those circumstances, it is necessary to verify the proportionality of the interference found to exist […]

49. As regards the question of whether the retention of data is appropriate for attaining the objective pursued by Directive 2006/24, it must be held that, having regard to the growing importance of means of electronic communication, data which must be retained pursuant to that directive allow the national authorities which are competent for criminal prosecutions to have additional opportunities to shed light on serious crime and, in this respect, they are therefore a valuable tool for criminal investigations. Consequently, the retention of such data may be considered to be appropriate for attaining the objective pursued by that directive […]

51. As regards the necessity for the retention of data required by Directive 2006/24, it must be held that the fight against serious crime, in particular against organised crime and terrorism, is indeed of the utmost importance in order to ensure public security and its effectiveness may depend to a great extent on the use of modern investigation techniques. However, such an objective of general interest, however fundamental it may be, does not, in itself, justify a retention measure such as that established by Directive 2006/24 being considered to be necessary for the purpose of that fight […]

56. As for the question of whether the interference caused by Directive 2006/24 is limited to what is strictly necessary, it should be observed that, in accordance with Article 3 read in conjunction with Article 5(1) of that directive, the directive requires the retention of all traffic data concerning fixed telephony, mobile telephony, Internet access, Internet e-mail and Internet telephony. It therefore applies to all means of electronic communication, the use of which is very widespread and of growing importance in people’s everyday lives. Furthermore, in accordance with Article 3 of Directive 2006/24, the directive covers all subscribers and registered users. It therefore entails an interference with the fundamental rights of practically the entire European population […]

58. Directive 2006/24 affects, in a comprehensive manner, all persons using electronic communications services, but without the persons whose data are retained being, even indirectly, in a situation which is liable to give rise to criminal prosecutions. It therefore applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime. Furthermore, it does not provide for any exception, with the result that it applies even to persons whose communications are subject, according to rules of national law, to the obligation of professional secrecy […]

64. Furthermore, that period is set at between a minimum of 6 months and a maximum of 24 months, but it is not stated that the determination of the period of retention must be based on objective criteria in order to ensure that it is limited to what is strictly necessary […]

69. Having regard to all the foregoing considerations, it must be held that, by adopting Directive 2006/24, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter […]

71. Consequently, the answer to the second question, parts (b) to (d), in Case C-293/12 and the first question in Case C-594/12 is that Directive 2006/24 is invalid.

However, despite the invalidation of the Directive, Member States continued to maintain their national laws on data retention. This was based on the EU principle of subsidiarity in shared competences: if the EU has not occupied the field, the Member States can have their national regulation in place. The CJEU has discussed the topic of data retention in a number of judgments following the Digital Rights Ireland case. In Tele2 Sverige, national data retention laws for the purposes of law enforcement are discussed.

Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others EU:C:2016:970

103. Further, while the effectiveness of the fight against serious crime, in particular organised crime and terrorism, may depend to a great extent on the use of modern investigation techniques, such an objective of general interest, however fundamental it may be, cannot in itself justify that national legislation providing for the general and indiscriminate retention of all traffic and location data should be considered to be necessary for the purposes of that fight.

Note: see by analogy in relation to Directive 2006/24, the Digital Rights judgment, paragraph 51.

Member States have also introduced national laws for data retention for the purposes of national security. Despite the fact that national security falls outside the scope of application of EU law, as provided for in article 4(2) TEU, the CJEU has linked such cases to the functioning of the internal market since the providers of electronic communication services are operators in the internal market.

Case C-623/17 Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others EU:C:2020:790

44. Article 4(2) TEU, to which the governments listed in paragraph 32 above have made reference, cannot invalidate that conclusion. Indeed, according to the settled case-law of the Court, although it is for the Member States to define their essential security interests and to adopt appropriate measures to ensure their internal and external security, the mere fact that a national measure has been taken for the purpose of protecting national security cannot render EU law inapplicable and exempt the Member States from their obligation to comply with that law […]

48. By contrast, where the Member States directly implement measures that derogate from the rule that electronic communications are to be confidential, without imposing processing obligations on providers of electronic communications services, the protection of the data of the persons concerned is not covered by Directive 2002/58, but by national law only, subject to the application of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ 2016 L 119, p. 89), with the result that the measures in question must comply with, inter alia, national constitutional law and the requirements of the ECHR.

49. Having regard to the foregoing considerations, the answer to the first question is that Article 1(3), Article 3 and Article 15(1) of Directive 2002/58, read in the light of Article 4(2) TEU, must be interpreted as meaning that national legislation enabling a State authority to require providers of electronic communications services to forward traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security falls within the scope of that directive […]

60. In addition, it is apparent from the third sentence of Article 15(1) of Directive 2002/58 that the Member States are not permitted to adopt legislative measures to restrict the scope of the rights and obligations provided for in Articles 5, 6 and 9 of that directive unless they do so in accordance with the general principles of EU law, including the principle of proportionality, and with the fundamental rights guaranteed in the Charter. In that regard, the Court has previously held that the obligation imposed on providers of electronic communications services by a Member State by way of national legislation to retain traffic data for the purpose of making it available, if necessary, to the competent national authorities raises issues relating to compatibility not only with Articles 7 and 8 of the Charter, relating to the protection of privacy and to the protection of personal data, respectively, but also with Article 11 of the Charter, relating to the freedom of expression (see, to that effect, judgments of 8 April 2014, Digital Rights Ireland and Others, C-293/12 and C-594/12, EU:C:2014:238, paragraphs 25 and 70, and of 21 December 2016, Tele2, C-203/15 and C-698/15, EU:C:2016:970, paragraphs 91 and 92 and the case-law cited) […]

62. Thus, the interpretation of Article 15(1) of Directive 2002/58 must take account of the importance both of the right to privacy, guaranteed in Article 7 of the Charter, and of the right to protection of personal data, guaranteed in Article 8 thereof, as derived from the case-law of the Court, as well as the importance of the right to freedom of expression, given that that fundamental right, guaranteed in Article 11 of the Charter, constitutes one of the essential foundations of a pluralist, democratic society, and is one of the values on which, under Article 2 TEU, the Union is founded […]

64. Indeed, as can be seen from Article 52(1) of the Charter, that provision allows limitations to be placed on the exercise of those rights, provided that those limitations are provided for by law, that they respect the essence of those rights and that, in compliance with the principle of proportionality, they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others […]

82. In the light of all the foregoing considerations, the answer to the second question is that Article 15(1) of Directive 2002/58, read in the light of Article 4(2) TEU and Articles 7, 8 and 11 and Article 52(1) of the Charter, must be interpreted as precluding national legislation enabling a State authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security.

Joined Cases C-511/18, C-512/18 and C-520/18 La Quadrature du Net and Others v Premier ministre and Others EU:C:2020:791

[137] Thus, in situations such as those described in paragraphs 135 and 136 of the present judgment, Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, does not, in principle, preclude a legislative measure which permits the competent authorities to order providers of electronic communications services to retain traffic and location data of all users of electronic communications systems for a limited period of time, as long as there are sufficiently solid grounds for considering that the Member State concerned is confronted with a serious threat, as referred to in paragraphs 135 and 136 of the present judgment, to national security which is shown to be genuine and present or foreseeable. Even if such a measure is applied indiscriminately to all users of electronic communications systems, without there being at first sight any connection, within the meaning of the case-law cited in paragraph 133 of the present judgment, with a threat to the national security of that Member State, it must nevertheless be considered that the existence of that threat is, in itself, capable of establishing that connection.

[138] The instruction for the preventive retention of data of all users of electronic communications systems must, however, be limited in time to what is strictly necessary. Although it is conceivable that an instruction requiring providers of electronic communications services to retain data may, owing to the ongoing nature of such a threat, be renewed, the duration of each instruction cannot exceed a foreseeable period of time. Moreover, such data retention must be subject to limitations and must be circumscribed by strict safeguards making it possible to protect effectively the personal data of the persons concerned against the risk of abuse. Thus, that retention cannot be systematic in nature.

[139] In view of the seriousness of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter resulting from a measure involving the general and indiscriminate retention of data, it must be ensured that recourse to such a measure is in fact limited to situations in which there is a serious threat to national security as referred to in paragraphs 135 and 136 of the present judgment. For that purpose, it is essential that decisions giving an instruction to providers of electronic communications services to carry out such data retention be subject to effective review, either by a court or by an independent administrative body whose decision is binding, the aim of that review being to verify that one of those situations exists and that the conditions and safeguards which must be laid down are observed.

More recently, the CJEU has also ruled with regard to the admissibility of evidence based on data retention practices that have been invalidated.

Joined Cases C-339/20 VD and C-397/20 SR

[105] In that regard, it is sufficient to refer to the Court’s case-law, in particular to the principles recalled in paragraphs 41 to 44 of the judgment of 2 March 2021, Prokuratuur (Conditions of access to data relating to electronic communications) (C‑746/18, EU:C:2021:152), from which it follows that such admissibility falls, in accordance with the principle of the procedural autonomy of the Member States, within the scope of national law, subject to compliance, inter alia, with the principles of equivalence and effectiveness.

[106] As regards the latter principle, it should be noted that it requires national criminal courts to disregard information and evidence obtained by means of the general and indiscriminate retention of traffic and location data in breach of EU law or by means of access of the competent authority to those data in breach of EU law, in the context of criminal proceedings against persons suspected of having committed criminal offences, where those persons are not in a position to comment effectively on that information and that evidence and they pertain to a field of which the judges have no knowledge and are likely to have a preponderant influence on the findings of fact (see, to that effect, judgment of 2 March 2021, Prokuratuur (Conditions of access to data relating to electronic communications), C‑746/18, EU:C:2021:152, paragraph 44 and the case-law cited).

[107] In the light of the findings above, the answer to the second and third questions in the present cases is that EU law must be interpreted as precluding a national court from restricting the temporal effects of a declaration of invalidity which it is required to make, under national law, with respect to provisions of national law which, first, require operators providing electronic communications services to retain generally and indiscriminately traffic data and, second, allow such data to be submitted to the competent financial authority, without prior authorisation from a court or independent administrative authority, owing to the incompatibility of those provisions with Article 15(1) of Directive 2002/58 read in the light of the Charter. The admissibility of evidence obtained pursuant to provisions of national law that are incompatible with EU law is, in accordance with the principle of procedural autonomy of the Member States, a matter for national law, subject to compliance, inter alia, with the principles of equivalence and effectiveness.

15.4 Predictive policing and the AI Act

The AI Act has introduced a number of provisions on the use of AI in the work of law enforcement authorities.

Certain uses of AI for law enforcement are prohibited. These are listed in Article 5 of the AI Act.

Article 5 AI Act

Para 1(d) – the placing on the market, the putting into service for this specific purpose, or the use of an AI system for making risk assessments of natural persons in order to assess or predict the risk of a natural person committing a criminal offence, based solely on the profiling of a natural person or on assessing their personality traits and characteristics; this prohibition shall not apply to AI systems used to support the human assessment of the involvement of a person in a criminal activity, which is already based on objective and verifiable facts directly linked to a criminal activity;

Para 1(e) – the placing on the market, the putting into service for this specific purpose, or the use of AI systems that create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage;

Para 1(h) – the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement, unless and in so far as such use is strictly necessary for one of the following objectives:

i. the targeted search for specific victims of abduction, trafficking in human beings or sexual exploitation of human beings, as well as the search for missing persons;

ii. the prevention of a specific, substantial and imminent threat to the life or physical safety of natural persons or a genuine and present or genuine and foreseeable threat of a terrorist attack;

iii. the localisation or identification of a person suspected of having committed a criminal offence, for the purpose of conducting a criminal investigation or prosecution or executing a criminal penalty for offences referred to in Annex II and punishable in the Member State concerned by a custodial sentence or a detention order for a maximum period of at least four years.

Point (h) of the first subparagraph is without prejudice to Article 9 of Regulation (EU) 2016/679 for the processing of biometric data for purposes other than law enforcement.

2.   The use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement for any of the objectives referred to in paragraph 1, first subparagraph, point (h), shall be deployed for the purposes set out in that point only to confirm the identity of the specifically targeted individual, and it shall take into account the following elements:

(a) the nature of the situation giving rise to the possible use, in particular the seriousness, probability and scale of the harm that would be caused if the system were not used;

(b) the consequences of the use of the system for the rights and freedoms of all persons concerned, in particular the seriousness, probability and scale of those consequences.

In addition, the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement for any of the objectives referred to in paragraph 1, first subparagraph, point (h), of this Article shall comply with necessary and proportionate safeguards and conditions in relation to the use in accordance with the national law authorising the use thereof, in particular as regards the temporal, geographic and personal limitations. The use of the ‘real-time’ remote biometric identification system in publicly accessible spaces shall be authorised only if the law enforcement authority has completed a fundamental rights impact assessment as provided for in Article 27 and has registered the system in the EU database according to Article 49. However, in duly justified cases of urgency, the use of such systems may be commenced without the registration in the EU database, provided that such registration is completed without undue delay.

3.   For the purposes of paragraph 1, first subparagraph, point (h) and paragraph 2, each use for the purposes of law enforcement of a ‘real-time’ remote biometric identification system in publicly accessible spaces shall be subject to a prior authorisation granted by a judicial authority or an independent administrative authority whose decision is binding of the Member State in which the use is to take place, issued upon a reasoned request and in accordance with the detailed rules of national law referred to in paragraph 5. However, in a duly justified situation of urgency, the use of such system may be commenced without an authorisation provided that such authorisation is requested without undue delay, at the latest within 24 hours. If such authorisation is rejected, the use shall be stopped with immediate effect and all the data, as well as the results and outputs of that use shall be immediately discarded and deleted.

The competent judicial authority or an independent administrative authority whose decision is binding shall grant the authorisation only where it is satisfied, on the basis of objective evidence or clear indications presented to it, that the use of the ‘real-time’ remote biometric identification system concerned is necessary for, and proportionate to, achieving one of the objectives specified in paragraph 1, first subparagraph, point (h), as identified in the request and, in particular, remains limited to what is strictly necessary concerning the period of time as well as the geographic and personal scope. In deciding on the request, that authority shall take into account the elements referred to in paragraph 2. No decision that produces an adverse legal effect on a person may be taken based solely on the output of the ‘real-time’ remote biometric identification system. […]

Other uses of AI are considered high risk for the protection of the rights of individuals. These are listed in Annex III of the AI Act. In these cases, the use of AI technology is not prohibited, but strict safeguards must be followed in compliance with the provisions of the Act.

AI Act Annex III – High-risk AI systems referred to in Article 6(2)

High-risk AI systems pursuant to Article 6(2) are the AI systems listed in any of the following areas:

  1. Biometrics, in so far as their use is permitted under relevant Union or national law:

a. remote biometric identification systems.

This shall not include AI systems intended to be used for biometric verification the sole purpose of which is to confirm that a specific natural person is the person he or she claims to be;

b. AI systems intended to be used for biometric categorisation, according to sensitive or protected attributes or characteristics based on the inference of those attributes or characteristics;

c. AI systems intended to be used for emotion recognition.

6. Law enforcement, in so far as their use is permitted under relevant Union or national law:

(a) AI systems intended to be used by or on behalf of law enforcement authorities, or by Union institutions, bodies, offices or agencies in support of law enforcement authorities or on their behalf to assess the risk of a natural person becoming the victim of criminal offences;

(b) AI systems intended to be used by or on behalf of law enforcement authorities or by Union institutions, bodies, offices or agencies in support of law enforcement authorities as polygraphs or similar tools;

(c) AI systems intended to be used by or on behalf of law enforcement authorities, or by Union institutions, bodies, offices or agencies, in support of law enforcement authorities to evaluate the reliability of evidence in the course of the investigation or prosecution of criminal offences;

(d) AI systems intended to be used by law enforcement authorities or on their behalf or by Union institutions, bodies, offices or agencies in support of law enforcement authorities for assessing the risk of a natural person offending or re-offending not solely on the basis of the profiling of natural persons as referred to in Article 3(4) of Directive (EU) 2016/680, or to assess personality traits and characteristics or past criminal behaviour of natural persons or groups;

(e) AI systems intended to be used by or on behalf of law enforcement authorities or by Union institutions, bodies, offices or agencies in support of law enforcement authorities for the profiling of natural persons as referred to in Article 3(4) of Directive (EU) 2016/680 in the course of the detection, investigation or prosecution of criminal offences.

 


  1. Milaj-Weishaar, J., & Mifsud Bonnici, J. (2014). Unwitting subjects of surveillance and the presumption of innocence. Computer Law & Security Review, 30(4), 419-428
  2. https://uitspraken.rechtspraak.nl/details?id=ECLI:NL:HR:2021:202
  3. Milaj, J. (2015). Invalidation of the data retention directive - Extending the proportionality test. Computer Law & Security Review, 31(5), 604-617. https://doi.org/10.1016/j.clsr.2015.07.004

License

Texts and Materials in Data Protection and Digital Human Rights Copyright © by Mando Rachovitsa, Jonida Milaj is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.
