Data Sharing for Law Enforcement

Aim and Description

Aim The workshop aims to identify the limitations presented by the EU data protection framework in establishing PPPs in the law enforcement area and present workable technical, legal and societal suggestions in the form of a white paper with best practices and recommendations, which can be implemented in the short to medium term.

Description Traditionally, the use of industry-produced data by law enforcement authorities (LEAs) has been an exception. However, the Snowden revelations (on intelligence services) and the leak of data from the Hacking Team (on LEA) illustrated that the exception is effectively becoming the rule, as investigations rely increasingly on private parties that possess large amounts of data generated by users. The rise of ubiquitous computing and data analytics (with technologies such as cloud, the Internet of Things and data mining on Big Data) can be considered a catalyst of novel investigation processes, which strains the existing safeguards against abuse of power and miscarriage of justice. Citizens’ visibility on digital media platforms becomes a form of (self-) surveillance available at the discretion of LEAs, and criminal suspects and events can be tracked via crowd-sourced information on social media. The availability of digital media to the general public implies that individuals and organisations not formally affiliated with the police may engage in data sharing in a criminal-justice context. More and more companies exchange users’ personal data with LEAs, either ad-hoc or through established public-private partnerships (PPPs). For instance, banks are assigned with the duty to carry out checks on behalf of LEAs in the fight against money laundering, and telecom operators are requested to carry out monitoring activities to identify copyright infringements or are entrusted with data retention obligations, even despite the recent annulment of the Data Retention Directive by the Court of Justice of the European Union.

The fact that LEA access to data in consumer-business relations is gaining ground leads to the potential erosion of the legal protection of citizens. In the European Union, the recently adopted General Data Protection Regulation (GDPR) is setting high standards and strict obligations for legitimate data processing, it leaves data processing by LEAs out of its scope. Such processing is regulated in the Police and Criminal Justice Authorities Directive (Police Directive). The recent data protection reform, which resulted in new legal instruments on the protection of personal data in the private and public domain is an unprecedented step in data protection. We witness a similar development in cooperations between the police and the judicial branch. However, the exchange of personal data between private parties and the LEAs for the purposes of prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties is surrounded by legal uncertainty. In short, these PPPs fall between the scopes of the two European data protection instruments, which makes it imperative to clarify the applicable legal framework as well as to identify legally, technically and societally acceptable solutions for all actors involved.

Given the aforementioned challenges of the European legal framework and the need to devise a holistic solution that is workable and takes into account the particularities of the European status quo, this workshop will focus on the EU. This highly important and under-researched problem shall be tackled with an efficient multi-disciplinary approach (i.e. law, political science, sociology, philosophy, media studies and engineering/computer science), as mono-disciplinary solutions will examine only some aspects of the issue. This workshop aims to identify the limitations presented by the EU data protection framework in establishing PPPs in the law enforcement area and present workable technical and societal suggestions in the form of a white paper with best practices and recommendations, which can be implemented in the short to medium term. The concepts of privacy and data protection by design will be assessed in the context of PPPs’ information exchange, together with appropriate data security measures. The outcome of the workshop that focuses on the EU can serve as the starting point for similar debates at international level, addressing similar issues in other jurisdictions. The workshop has been welcomed by highly renowned experts, based in Europe, that have already committed to participating in order to discuss in a truly multidisciplinary way in the workshop and contribute to the preparation of a white paper. The invited European experts are aware of the legal, policy and technical issues that interplay in the specific issue that is dealt with during the workshop and can immediate delve into in depth discussions on the topic. Therefore the workshop will be designed in such a way that will offer not only expert lectures from key players in the field, but also groupwork that will bring together experts with legal, technical and sociological backgrounds; this ensures that the output is a balanced framework which fits the needs of all stakeholders.