Introduction and Overview
In January 2012 the European Commission adopted a proposal for two data protection instruments, a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and a Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data (the Police and Criminal Justice Directive). The focus of discussion and comment has been on the Regulation and that focus has perhaps obscured the fact that the Directive will raise many challenging issues for the UK because of the UK’s unusual position in relation to criminal justice measures.
The starting point is that the proposed Regulation and Directive are being made under Article 16 of the Treaty on the Functioning of the Union. However, under Article 6a of Protocol 21 of the Treaty, the UK and Ireland are not bound to apply EU legislation based on Article 16 to the areas of policing and criminal justice unless the processing of personal data is being carried out subject to a measure which is already binding on the UK. In other words, if the proposed legislation would be a new obligation in relation to those functions, the UK and Ireland are not bound to apply it.
Three existing EU legal instruments are relevant to the areas of policing and criminal justice, Directive 95/46/EC, Council Framework Decision 2008/977/JHA of 27th November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters and Council Framework Decision 2006/960/JHA of 18th December 2006 on simplifying the exchange of information and intelligence between law enforcement authorities (together ‘the Framework Decisions’). Directive 95/46/EC is not binding on the processing of personal data by the police and criminal justice sector. The UK and Ireland decided to implement Directive 95/46 by means of generally applicable law but were under no obligation to do so. The Framework Decisions are binding on the UK and Ireland and have been implemented in the UK by a separate statutory regime. However the Framework Decisions apply only to the processing of personal data in the exchange of data between European police forces and in the course of judicial cooperation. The result is that neither the UK nor Ireland are bound to apply the proposed Directive to the processing of personal data for the purpose of internal policing and criminal justice matters; such processing is outside the ambit of the proposed new Directive. The proposed Directive will be applicable to the exchange of information between EU forces but not to internal UK policing. In this article, the background is explained and a number of questions raised as to how the UK may deal with the subsequent challenges it will face.
Legal Basis
Background
Under the Treaty of Lisbon (the Treaty) the areas of policing and criminal justice became part of EU competence. As a consequence the implementation of EU legislation in these areas in Member States became subject to the jurisdiction of the CJEU and the powers of the European Commission. The Treaty provided for a five-year transitional period during which the jurisdiction of the CJEU and the powers of the Commission were limited. The UK negotiated a wide opt-in procedure for policing and criminal justice measures, enabling it to avoid participating in any new proposed EU measure which it considered unacceptable to the UK. In relation to existing measures it negotiated an ‘in-out’ process. It could opt-out of the entire set of legislation (‘the general opt-out’) under Article 10(1) of Protocol 36 and then opt back in to selected ones under Article 10(5) of Protocol 36.
In July 2013 the UK notified the President of the European Council that it wished to use the general opt-out. The opt-out covered around 130 measures. It also notified the President of a list of 35 measures which it wished to opt back into. The UK’s re-participation in the 35 selected measures was confirmed by a Council Decision and a Commission Decision.
As a result of opting back into the selected measures the UK had to transpose a number of provisions into UK law, although not all of the 35 selected measures required transposition. The transposition was achieved by the Criminal Justice and Data Protection (Protocol No 36) Regulations 2014. The measures covered by the 2014 Regulations included two with specific data protection provisions; the Council Framework Decision 2008/977/JHA of 27th November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters and Council Framework Decision 2006/960/JHA of 18th December 2006 on simplifying the exchange of information and intelligence between law enforcement authorities (‘the framework decisions’).
The 2014 Regulations were made under the European Communities Act 1972 and came into force on 1 December 2014.
Data protection provisions in the 2014 Regulations
The 2014 Regulations establish a legal framework which applies to competent authorities in EEA States when transmitting or making available personal data to competent authorities in other EEA States for the prevention, investigation, detection or prosecution of criminal penalties. The framework applies to such exchanges instead of the Data Protection Act 1998, unless the 2014 Regulations provide otherwise.
Proposed EU Directive on police and criminal justice
On 25 January 2012 the Commission adopted a proposal for a Police and Criminal Justice Directive. The Police and Criminal Justice Directive was presented at the same time as the proposed General Data Protection Regulation. Both instruments would replace the current Directive on data protection (Directive 95/46/EC). The Police and Criminal Justice Directive would have to be transposed into law in Member States.
The stated aim of the Police and Criminal Justice Directive is to ensure that domestic policing in Member States is covered by appropriate and consistent rules. The Explanatory Memorandum states:
Framework Decision 2008/977/JHA has a limited scope of application, since it only applies to cross-border data processing and not to processing activities by the police and judiciary authorities at purely national level. This is liable to create difficulties for police and other competent authorities in the areas of judicial co-operation in criminal matters and police co-operation. They are not always able to easily distinguish between purely domestic and cross-border processing or to foresee whether certain personal data may become the object of a cross-border exchange at a later stage(see Section 2 below). Moreover, because of its nature and content, the Framework Decision leaves a large room for manoeuvre to Member States’ national laws in implementing its provisions. Additionally, it does not contain any mechanism or advisory group similar to the Article 29 Working Party supporting common interpretation of its provisions, nor foresees any implementing powers for the Commission to ensure a common approach in its implementation.
UK options
The Police and Criminal Justice Directive was a new measure proposed in the area of Freedom Justice and Security, the UK therefore had the right to opt-out of the Directive in its entirety. The question was considered by Parliament in April 2012 and the UK voted to opt-in to the proposed Directive. The opt-in was however intended to ensure that the UK preserves its position in respect of the power to exchange personal data with other EU police forces. The UK position is that the proposed Directive will not apply to domestic UK processing because of the operation of another provision negotiated in the Lisbon Treaty in Article 6a of Protocol 21.
Protocol 21, Article 6a
Article 6a of Protocol 21 states:
The United Kingdom and Ireland shall not be bound by the rules laid down on the basis of Article 16 of the Treaty on the Functioning of the European Union which relate to the processing of personal data by the Member States when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of that Treaty where the United Kingdom and Ireland are not bound by the rules governing the forms of judicial cooperation in criminal matters or police cooperation which require compliance with the provisions laid down on the basis of Article.
Article 16 of the TFEU sets out the basis for passing data protection legislation at EU level. Chapters 4 and 5 of Title V deal with policing and criminal justice. It is understood that the legal advice to the UK Government is that Article 6a means that any EU legislation based on Article 16 will apply only to the areas of policing and criminal justice where the processing of personal data is being carried out subject to a measure which is already binding on the UK, for example the Framework Decision. It will not apply where the processing is outside existing EU law. Directive 95/46/EC is not binding on the processing of personal data by the police and criminal justice sector. Therefore such processing is outside the ambit of the proposed new Directive. It should be noted that Article 6a excludes the UK and Ireland as a matter of law. There is no requirement for an opt-out decision to be taken.
It is clear from the Report of the House of Commons Justice Committee setting out its opinions on the proposed data protection framework[1] that the position of the UK is that the Directive will not apply and the UK will rely upon its opt-out. It is understood that Ireland have decided not to rely on the opt-out and will be implementing the Directive in full (assuming that the instrument is agreed and passed). The UK will therefore be alone in the EU in not applying the Directive to its internal policing.
Possible Implementation in the UK
There can be little doubt that the UK will retain general law governing the processing of personal data in these areas. The UK was under no obligation to apply Directive 95/46/EC to the processing of personal data for the purposes of domestic policing and criminal justice. The decision to implement that Directive by generally applicable primary legislation was a policy decision of the UK Government. There is no indication from the Parliamentary debate of April 2012 or the Justice Committee Report[2] that there is any change in Government policy on the need to have a data protection framework in place to govern the processing of personal data in the areas of policing and criminal justice. The question will be what the nature and scope of the framework will be.
The most obvious option would be for the police and criminal justice sectors to remain subject to the UK’s current DPA. The DPA is primary legislation, as such it will survive the repeal of Directive 95/46/EC. However, there must be a risk that the current DPA would be regarded by European forces as offering weaker protection to individuals than the new Directive and such a perception could lead to reluctance to share data with entities in the UK. It seems highly likely therefore that the UK DPA would have to be amended to align more closely with the new European norms to deal with this risk.
The exchange of information with other EU States for the purposes of policing and criminal justice will be covered by the new Directive. The new Directive repeals the Framework Decision. As the legislation implementing the Framework Decision into UK law was made under secondary legislation under the European Communities Act 1972 it will have to be considered whether it will be necessary for the UK to replace those provisions by some form of new legislative instrument. This could be by:
a) amending the relevant parts of the 2014 Regulations;
b) repealing the relevant sections of the 2014 Regulations and replacing them either by new Regulations or new primary legislation; or
c) repealing the relevant sections of the 2014 regulations and amending the DPA to add provisions which cover the rules on transfer between EU States.
Scope of implementation
It would be difficult to leave the 2014 Regulations in place. Clearly, if the relevant provisions of the 2014 Regulations could be argued to cover all the provisions of the proposed Directive which are relevant to the exchange of data with other EU States, it is (at least theoretically) possible that the UK could maintain that the current provisions sufficiently implement the new Directive and require no further change. This would however be a difficult call. There is clearly a mismatch between the provisions of the 2014 Regulations and the proposed Directive. The provisions in the Regulation replace the 1998 Act for the relevant data but they only relate to a very limited palate of processing. The proposed Directive would cover all processing in the policing and criminal justice sectors for the relevant purposes. As such it is drafted far more widely than the Framework Decision. It seems that the better view is that legislation in some form will be also required to replace the 2014 Regulations.
Conclusion
The fact that the UK has an opt-out from the proposed new Directive does not appear to have been the subject of much, if any, comment. It does however raise some potentially difficult questions. A few particular questions seem to leap out.
· If private sector organisations are restricted by the tighter terms of the Regulation in making disclosures will they be comfortable passing information to police forces which are subject to a lesser level of data protection supervision?
· Will it be politically acceptable for the police and criminal justice sector to remain subject to a lower level of obligation to the private sector and the rest of the public sector in relation to the new and more stringent requirements for accountability, individual rights and the regulatory powers of the Commissioner?
· Will other EU police forces be happy to transfer and disclose personal data to the UK when the UK standards for data protection do not fully reflect those required by the proposed new Directive?
Rosemary Jay is a consultant senior attorney with Hunton & Williams and a free-lance trainer in data protection. Rosemary is the author of Sweet & Maxwell’s Data Protection Law & Practice, now in its fourth edition, a contributing editor to The White Book and an editor of the Encyclopedia of Data Protection and Privacy. She is a Fellow of the British Computer Society and writes and lecturers widely on data protection matters.
The views expressed in this article are those of the author and do not represent the views of Hunton & Williams.
[1] Third Report of Session 2012-13
[2] Ibid