Skip to main content
SpringerLink
Log in

Privatization of Information and the Data Protection Reform

  • Chapter
  • First Online:
Reloading Data Protection

Abstract

Law enforcement authorities frequently process personal data that they received from private entities, such as banks, private companies, etc. for the purpose of prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties. The processing of personal data by EU law enforcement authorities and the processing of personal data by private entities is, however, governed by different legal instruments. An additional issue arises when these transfers are done to a law enforcement authority of a third state. Thus, personal data transfers from private entities to law enforcement authorities risks falling into a gap between two legal instruments. With the currently applicable legal instruments on data protection being revised, provisions could be included to avoid this risk. This contribution therefore deals with the question where these provisions should be included for transfers within the EU and to a third state.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 129.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Hardcover Book
USD 169.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    Agreement on between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program, O.J. L 195, July 27, 2010, 5.

  2. 2.

    Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, O.J. L 105, April 13, 2006, 54.

  3. 3.

    Both Europol and Interpol use a definition of “private parties”, respectively “private entities”. Apart from minor differences, both definitions are largely the same. The similarities in both is that a private entity should be a legal person that is governed by private law such as a business, company, commercial association or a not-for-profit organization and that is not categorized as an international organization. For the purpose of this research, this definition will be used.

  4. 4.

    O.J. L 281/95, November 23, 1995, 31.

  5. 5.

    O.J. L 350, December 30, 2008, 60.

  6. 6.

    Additionally, the scope of the Framework Decision includes personal data that have been transmitted or made available by Member States to authorities or to information systems established on the basis of Title VI of the Treaty on European Union; or are or have been transmitted or made available to the competent authorities of the Member States by authorities or information systems established on the basis of the Treaty on European Union or the Treaty establishing the European Community.

  7. 7.

    Article 22 of Directive 2005/60/EC on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing, O.J. L 309, November 25, 2005, 27.

  8. 8.

    Recently a new proposal was published that further strengthens the data protection regime that Europol has in place: Regulation on the European Union Agency for Law Enforcement Cooperation and Training (Europol) and repealing Decisions 2009/371/JHA and 2005/681/JHA, COM(2013) 173 final, March 27, 2013. This proposal is currently in its preparatory phase in the European Parliament.

  9. 9.

    Article 25 Europol Decision and Article 28 Interpol Rules on the Processing of Data.

  10. 10.

    Article 16 of Directive 95/46/EC (Article 27 of the proposed regulation) and Article 22 of the proposed directive.

  11. 11.

    Article 17 of Directive 95/46/EC (Article 26 of the proposed regulation) and Article 21 of the proposed directive.

  12. 12.

    Article 29 Working Party (2013).

  13. 13.

    Bygrave (2002, p. 340). See also De Busser (2009, p. 68).

  14. 14.

    Such purchasing behavior, while being the owner of an agricultural firm, was reportedly one of the preparatory acts of Anders Behring Breivik using the chemicals to produce and detonate a bomb in the centre of Oslo, Norway in July 2011.

  15. 15.

    Council, 6450/3/06, May 11, 2006, 15.

  16. 16.

    COM(2005) 475 final, October 4, 2005, 16. See also the European Data Protection Supervisor’s second opinion on the proposal, O.J. C 91, April 26, 2007, 11.

  17. 17.

    See also De Busser (2009, pp. 131–134).

  18. 18.

    Council Decision on adopting the implementing rules for Europol analysis work files, O.J. L 325, December 11, 2009.

  19. 19.

    Europol Information Management Booklet, File no: 2510–271. See also “Europol: `4 × 4´ intelligence handling codes includes `dodgy data´”,Statewatch, accessed January 7, 2013, http://www.statewatch.org/news/2013/jan/03europol-dodgy-data.htm.

  20. 20.

    Article 28 Europol Decision.

  21. 21.

    Article 7, § 2 and Article 63 Interpol Rules of Processing Data.

  22. 22.

    Article 28, §§ 4 and 10 Interpol Rules on the Processing of data.

  23. 23.

    Article 24 Europol Decision.

  24. 24.

    Article 29 Working Party (2013).

  25. 25.

    Bygrave (2002, p. 340). See also De Busser (2009, p. 68).

  26. 26.

    ECtHR, The Sunday Times v. United Kingdom (1979), 49; Malone v. United Kingdom (1984), 67–68; Rotaru v. Romania (2000), 55 and Amman v. Switzerland (2000), 56.

  27. 27.

    In the first version of the Agreement, Article 4 referred to the 2003 EU-US MLA Agreement as the legal basis for the UST’s requests to obtain SWIFT data.

  28. 28.

    Article 4 of the TFTP Agreement.

  29. 29.

    Report on the second joint review of the implementation of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging data from the European Union to the United States for the purposes of the TFTP, SWD(2012) 454 final, 14.12.2012, 6–7.

  30. 30.

    JSB Report 2012, Public Statement, 2.

  31. 31.

    JSB Report 2012, Public Statement, 2–3.

  32. 32.

    JSB of Europol, Implementation of the TFTP Agreement: assessment of the follow-up of the JSB recommendations, Ref. 13–01, March 18, 2013.

  33. 33.

    ECJ C-317/04 and C-318/04, Parliament v. Council (2006).

  34. 34.

    ECJ C-301/06, Ireland v. Council and Parliament (2009).

  35. 35.

    Boehmer and Palmer (1993); Bennet and Raab (1997) and Long and Pang Quek (2002).

  36. 36.

    The same goes for Eurojust: Council Decision 2009/426/JHA on the strengthening of Eurojust and amending Decision 2002/187/JHA setting up Eurojust with a view to reinforcing the fight against serious crime, O.J L 138, June 4, 2009, 14.

  37. 37.

    O.J. L 215, August 11, 2012, 5.

  38. 38.

    O.J. L 186, July 14, 2012, 4.

  39. 39.

    O.J. L 86, March 24, 2006, 15.

  40. 40.

    O.J. C 88, March 30, 1999, 1.

  41. 41.

    See De Busser (2009, pp. 322–334).

  42. 42.

    Council, 13696/1/02, November 28, 2002, 10.

  43. 43.

    Agreement 25 June 2003 on mutual legal assistance between the European Union and the United States of America, O.J. L 181, 19 July 2003, 41.

  44. 44.

    Agreement between Eurojust and the United States of America, November 6, 2006.

  45. 45.

    Article 9 of the 2003 EU-US Agreement and Article 9 of the 2006 Eurojust-US Agreement.

  46. 46.

    De Busser (2009, p. 343).

  47. 47.

    COM(2011) 429 final, July 13, 2011.

  48. 48.

    Council, 9831/08, EU US Summit, June 12, 2008—Final Report by EU-US High Level Contact Group on information sharing and privacy and personal data protection, May 28, 2008, 2. See also European Data Protection Supervisor (2008).

  49. 49.

    See inter Fijnaut (2004); Vervaele (2005) and Manget (2006).

  50. 50.

    Angwin (2012).

  51. 51.

    COM(2012) 9 final, January 25, 2012, 11–12.

  52. 52.

    The same goes for Eurojust: Council Decision 2009/426/JHA on the strengthening of Eurojust and amending Decision 2002/187/JHA setting up Eurojust with a view to reinforcing the fight against serious crime, O.J L 138, June 4, 2009, 14.

  53. 53.

    De facto the criteria being used are the same with regard to Directive 95/46/EC since the Article 29 Working Party published a working document in 1998 on the application of articles 25 and 26: Article 29 Working Party (1998).

  54. 54.

    Article 29 Data Protection Working Party (2012).

  55. 55.

    16908/11, November 15, 2011.

  56. 56.

    De Busser (2009, pp. 293–303).

  57. 57.

    Opinion of the European Data Protection Supervisor on the data protection reform package, March 7, 2012, 64.

  58. 58.

    Opinion of the European Data Protection Supervisor on the data protection reform package, March 7, 2012, 65.

Bibliography

  • Angwin, Julia. 2012. U.S. terrorism agency to tap a vast database of citizens. The Wall Street Journal, 13. December. http://online.wsj.com. Accessed 20 Feb 2013.

  • Article 29 Data Protection Working Party. 2012. Opinion 01/2012 on the data protection reform proposals, WP 191, March 23, 2012, 30 and Opinion of the European Data Protection Supervisor on the data protection reform package, March 7, 2012, 65.

    Google Scholar 

  • Article 29 Working Party. 1998. Working Document, WP12 Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, July 24, 1998.

    Google Scholar 

  • Article 29 Working Party. 2013. Opinion 03/2013 on purpose limitation, WP 203, April 2, 2013, 20–27.

    Google Scholar 

  • Bennet, Colin, and Charles Raab. 1997. The adequacy of privacy: The European union data protection directive and the north American response. The Information Society 13:245–263.

    Article  Google Scholar 

  • Boehmer, Robert, and Todd Palmer. 1993. The 1992 EC data protection proposal: an examination of it implications for the US business and the US privacy law. American Business Law Journal 31:265–311.

    Article  Google Scholar 

  • Bygrave, Lee. 2002. Data protection law. Approaching its rationale, logic and limits, 340. The Hague: Kluwer law International.

    Google Scholar 

  • De Busser, Els. 2009. Data protection in EU and US criminal cooperation. Antwerp: Maklu.

    Google Scholar 

  • European Data Protection Supervisor. 2008. Press Release November 11, 2008, Opinion on transatlantic information sharing for law enforcement purposes: Progress is welcomed, but additional work is needed, 13.

    Google Scholar 

  • Fijnaut, Cyrille. 2004. Inlichtingendiensten in Europa en Amerika: de heroriëntatie sinds de val van de Muur en 11 september 2001. Justitiële Verkenningen 3:10–42.

    Google Scholar 

  • Long, William, and Marc Pang Quek. 2002. Personal data privacy protection in an age of globalization: the US-EU safe harbor compromise. Journal of European Public Policy 9:325–344.

    Article  Google Scholar 

  • Manget, Fred. 2006. Intelligence and the criminal law system. Stanford Law & Policy Review 17:415–435.

    Google Scholar 

  • Vervaele, John. 2005. Terrorism and information sharing between the intelligence and law enforcement communities in the US and the Netherlands: Emergency criminal law? Utrecht Law Review 1:1–27.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Max Planck Institute for Foreign and International Criminal Law, Günterstalstraße 73, 79100, Freiburg im Breisgau, Germany

    Dr. Els De Busser

Authors
  1. Dr. Els De Busser
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Els De Busser .

Editor information

Editors and Affiliations

  1. Law, Science, Technology & Society (LSTS), Vrije Universiteit Brussels, Brussels, Belgium

    Serge Gutwirth

  2. Tilburg Institute for Law, Technology, and Society (TILT), Tilburg University, Tilburg, The Netherlands

    Ronald Leenes

  3. Law, Science, Technology & Society (LSTS), Vrije Universiteit Brussel, Brussels, Belgium

    Paul De Hert

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer Science+Business Media Dordrecht

About this chapter

Cite this chapter

Busser, E. (2014). Privatization of Information and the Data Protection Reform. In: Gutwirth, S., Leenes, R., De Hert, P. (eds) Reloading Data Protection. Springer, Dordrecht. https://doi.org/10.1007/978-94-007-7540-4_8

Download citation

Publish with us

Policies and ethics

Search

Navigation