ARTICLE IN PRESS

computer law & security review ■■ (2017) ■■–■■

Available online at www.sciencedirect.com

ScienceDirect

w w w. c o m p s e c o n l i n e . c o m / p u b l i c a t i o n s / p r o d c l a w. h t m

The Police and Criminal Justice Authorities

Directive: Data protection standards and impact
on the legal framework

Thomas Marquenie *
Centre for IT and IP Law (CiTiP) KU Leuven, Belgium

A B S T R A C T

Keywords: This article presents a two-sided analysis of the recently adopted Police and Criminal Justice
Data protection Authorities Directive. First, it examines the impact of the Directive on the current legal frame-
Privacy work and considers to what extent it is capable of overcoming existing obstacles to a consistent
Reform and comprehensive data protection scheme in the area of police and criminal justice. Second,
Police and Criminal Justice it delivers a brief outline and review of the provisions of the Directive itself and explores
Authorities Directive whether the instrument improves upon the current legislation and sets out adequate data
General data protection regulation protection rules and standards. Analyzing the Directive from these angles, this article finds
Law enforcement that while a considerable improvement and major step forward for the protection of per-
Legal framework sonal data in its field, the Directive is unlikely to mend the fragmented legal framework
and achieve the intended high level of data protection standards consistent across Euro-
pean Union member states.
© 2017 Thomas Marquenie. Published by Elsevier Ltd. All rights reserved.

implementations while others fell outside of the scope of Com-

1. Introduction
Data protection, or the safeguarding of individuals with regards
to the processing of personal data, has long been considered
an important part of European Union law. Originally a mere
aspect of the right to privacy1, data protection first received ex-
plicit recognition in a number of legal instruments before
subsequently being acknowledged as an autonomous human
right2. Despite this broad recognition, however, certain Euro-
pean data protection standards saw divergent national
munity law altogether, thereby creating a fragmented legal
framework plagued by inconsistencies and considerable legal
uncertainty. In particular, data protection in the areas of law
enforcement and criminal justice was spread across numer-
ous bilateral agreements and Union instruments suffering from
a limited scope of application and often low minimum
standards.
As a direct result thereof, the European Commission made
full use of the new legal basis provided by the Lisbon Treaty3
and proposed a broad data protection reform for the Union in

* KU Leuven CiTiP – IMEC, Sint-Michielsstraat 6, Leuven 3000.

E-mail address: thomas.marquenie@kuleuven.be.
http://dx.doi.org/10.1016/j.clsr.2017.03.009
0267-3649/© 2017 Thomas Marquenie. Published by Elsevier Ltd. All rights reserved.
1
For an overview of how the right to data protection recently developed in the European Court of Human Rights (ECtHR) and subse-
quently the Court of Justice of the European Union (CJEU), see: Taylor, Mistale, “Conference Report – ‘Safeguarding the right to data protection
in the EU’, 30th and 31st October 2014, Paris, France”, Utrecht Journal of International and European Law 2015, Vol. 31, Issue 80, 146–151.
2
Art. 8 Charter of Fundamental Rights of the European Union, O.J. 2012 C 326.
3
Art. 16 Consolidated version of the Treaty on the Functioning of the European Union (TFEU), O.J. C326, 13 December 2007.

Please cite this article in press as: Thomas Marquenie, The Police and Criminal Justice Authorities Directive: Data protection standards and impact on the legal framework,
Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.03.009
 ARTICLE IN PRESS
2 computer law & security review ■■ (2017) ■■–■■
20124. Accompanying the General Data Protection Regulation
(GDPR)5 which covers the processing of personal data for general
and commercial purposes, a Directive applicable to police and
criminal justice authorities was introduced by the Commission6.
Following four years of negotiations and amendments, the Eu-
ropean legislator finalized its data protection reforms and
adopted both instruments in April 2016. While generally over-
shadowed by the broader and more generally applicable GDPR,
the Police and Criminal Justice Authorities Directive (hereaf-
ter ‘the Directive’) remains of considerable importance and will
shape the processing of personal data by judicial authorities
and law enforcement agencies for years to come.
This article seeks to approach the analysis and review of
this often neglected yet unmistakably important piece of leg-
islation from two different angles. First, a closer look shall be
taken at the Directive’s role in and impact on the European
legal framework. The current legal structure shall be exam-
ined and the extent to which the Directive is capable of
overcoming existing obstacles to a consistent and compre-
hensive data protection scheme in the area of police and
criminal justice shall be evaluated. Second, a brief review of
the Directive shall be delivered which aims to establish whether,
at first sight, the instrument improves upon the current situ-
ation and sets forth adequate data protection rules and
standards.
2. The role and impact of the Directive on the
current legal framework
2.1. The state of the current legal framework
As a result of the pre-Lisbon pillar system in the European Com-
munity, data protection in the Area of Freedom, Security and
Justice was highly divided and legally distinct from other fields7.
This lack of a harmonized and coherent European data pro-
tection regime has led to a disparity in the application of general
data protection principles and an irregular patchwork of na-
tional standards and rules8. Because of this, the area of police
4
European Commission Press Release 25 January 2012,
<http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en>.
5
Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free move-
ment of such data, and repealing Directive 95/46/EC (General Data
Protection Regulation), O.J. L119/1, 4 May 2016.
6
Directive (EU) 2016/680 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data by competent authori-
ties for the purposes of the prevention, investigation, detection or
prosecution of criminal offences or the execution of criminal pen-
alties, and on the free movement of such data, and repealing Council
Framework Decision 2008/977/JHA, O.J. L119, 4 May 2016.
7 16
Glon, Christina, “Data protection in the European Union: A closer
look at the current patchwork of data protection laws and the pro-
posed reform that could replace them all”, International Journal of
Legal Information 2014, Vol. 42, 475.
8
Kasneci, Dede, “Data Protection Law: Recent Developments”, (PhD
thesis, Trieste University, 2008-09).
Please cite this article in press as: Thomas Marquenie, The Police and Criminal Justice Authorities Directive: Data protection standards and impact on the legal framework,
Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.03.009
and criminal justice has been covered by a considerable number
of different European legislative instruments.
The Council of Europe’s Convention No.1089 is regarded a
‘mother instrument’ applying general data protection prin-
ciples to all automatic processing of data in both the public
and private sectors. The Convention is supplemented by Rec-
ommendation No. R(87)1510 on the use of personal data in the
police sector which sets out guidelines for the specific imple-
mentation of general data protection principles in the law
enforcement sector.
At the Union level, article 8 of the European Charter of Fun-
damental Rights establishes the autonomous right to data
protection, while article 16 of the Treaty on the Functioning
of the European Union (TFEU) serves as the legal basis for the
recent data protection reforms11. Data protection for general
and commercial purposes is currently regulated by Directive
95/45/EC12, which is set to be replaced by the GDPR in order
to improve data protection standards and mend the inconsis-
tent implementation of the instrument at the national level13.
In addition to this general purpose Directive, Regulation (EC)
45/200114 lays down the groundwork of data protection rules
for bodies of the European Union.
Data protection in the sector of law enforcement and crimi-
nal justice, however, has been the subject of far less extensive
regulation 15 and has been described as “weak and not
productive”16. It is characterized as “a patchwork of data pro-
tection regimes” offering no stable or uniform legal structure
and causing both considerable legal uncertainty and incon-
sistent enforcement of data protection rules17.
9
Council of Europe Convention for the Protection of Individu-
als with regard to Automatic Processing of Personal Data, Strasbourg,
18 January 1981.
10
Council of Europe Recommendation No. R(87)15 of the Com-
mittee of Ministers to Member States regulating the use of personal
data in the police sector, 17 September 1987.
11
Hijmans, Hielke, “The European Union as a Constitutional Guard-
ian of Internet Privacy and Data Protection: the Story of Article 16
TFEU – Short Summary”, (PhD thesis, Amsterdam University, 2016).
12
Directive 95/46/EC of the European Parliament and the Council
of 24 October 1995 on the protection of individuals with regard to
the processing of personal data and on the free movement of such
data, O.J. L281, 23 November 1995.
13
Korff, Douwe, “EC study on implementation of data protection
directive – Report on the findings of the study”, July–September 2002,
<http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1287667>.
14
Regulation (EC) 45/2001 of the European Parliament and of the
Council of 18 December 2000 on the protection of individuals with
regard to the processing of personal data by the Community in-
stitutions and bodies and on the free movement of such data, O.J.
L8/1, 12 January 2001.
15
Colonna, Liane, “The new EU proposal to regulate data protec-
tion in the law enforcement sector: raises the bar but not high
enough”, IRI Promemoria 2012, Issue 2, 4.
Kasneci, Dede, ‘Data Protection Law: Recent Developments’, 54
(PhD thesis, Trieste University, 2008-09).
17
Hijmans, Hielke and Scirocco, Alfonso, “Shortcomings in EU data
protection in the third and the Second Pillars. Can the Lisbon Treaty
be expected to help?”, Common Market Law Review 2009, Issue 46,
1496.
 ARTICLE IN PRESS
computer law & security review ■■ (2017) ■■–■■
In 2008, a Framework Decision18 serving as a lex generalis was
introduced for the purpose of setting common data protec-
tion standards at a horizontal level in this area19. Regrettably,
this Framework Decision is plagued by numerous shortcom-
ings which render it unsuitable as a general and comprehensive
data protection instrument. Consequently, the Framework De-
cision has made little to no progress in mending the current
patchwork of divergent and inconsistent pieces of legislation20.
As the flaws in this instrument serve as an ideal point of ref-
erence for comparison with the newly adopted Directive, its
pitfalls shall be discussed in further detail.
First and foremost, the Framework Decision’s limited scope
of application is arguably its most notable shortcoming. As ex-
plicitly stated in article 1(2) of the instrument, its provisions
apply only to cross-border transfers and exchanges of data,
meaning that the domestic processing of personal data by police
and judicial authorities falls entirely out of its scope of appli-
cation and is not covered by any general EU instrument21.
Second, the level of data protection it provides is gener-
ally low and insufficient. While the Framework Decision does
incorporate the general definitions and principles found in the
Directive 95/46/EC and the CoE Convention No.10822, it has been
criticized for not providing sufficient safeguards and failing to
go beyond the setting of low minimum standards23. The De-
cision sets out few requirements for consistency and does not
attain a considerably higher degree of harmonization24. It ex-
plicitly allows for higher safeguards at the national level and
leaves prior bilateral agreements with third countries unaf-
fected which can be highly detrimental to the effective and
18
Council Framework Decision 2008/977/JHA of 27 November 2008
on the protection of personal data processed in the framework of
police and judicial cooperation in criminal matters, O.J. L350, 30
December 2008.
19
European Digital Rights (EDRi), “Data Protection Framework De-
cision Adopted”, EDRi-GRAM no.7.3, 11 February 2009, <http://history
.edri.org/edri-gram/number7.3/data-protection-framework
-decision>.
20
Boehm, Franziska, Information Sharing and Data Protection in the
Area of Freedom, Security and Justice – Towards Harmonized Data Pro-
tection Principles for Information Exchange at EU-level, Heidelberg,
Springer, 2012, 171–173.
21
European Commission, “Report from the Commission to the Eu-
ropean Parliament, the Council, the European Economic and Social
Committee and the Committee of the Regions based on Article 29
(2) of the Council Framework Decision of 27 November 2008 on the
protection of personal data processed in the framework of police
and judicial cooperation in criminal matters”, Brussels, 25 January
2012, 2.
22
European Union Agency for Fundamental Rights, Handbook on
European Data Protection Law, Luxembourg, Publications Office of the
European Union, June 2014, 150.
23
De Hert, Paul and Papakonstaniou, Vagelis, “The data protec-
tion framework decision of 27 November 2008 regarding police and
judicial cooperation in criminal matters – A modest achievement
however not the improvement some have hoped for”, Computer Law
& Security Review 2009, Vol. 25, Issue 5, 1.
24
De Hert, Paul and Papakonstantinou, Vagelis, “European Parlia-
ment Directorate-General for Internal Policies: Policy Department
Citizens’ Rights and Constitutional Affairs – The data protection
regime applying to the inter-agency cooperation and future archi-
tecture of the EU criminal justice and law enforcement area”,
European Parliament, Brussels, November 2014, 5.
Please cite this article in press as: Thomas Marquenie, The Police and Criminal Justice Authorities Directive: Data protection standards and impact on the legal framework,
Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.03.009
3
fluent exchange of data in police and judicial cooperation. Ad-
ditionally, it often only requires the obligations and
responsibilities imposed to be “in accordance with national law”,
allowing for severely divergent national standards and imple-
mentations of these provisions. In combination with the lack
of Commission powers to uniformly enforce the Framework
Decision’s objectives25, the abovementioned issues caused its
uneven implementation at the national level and caused the
Decision to be ineffective at mending the existing legal
uncertainty26.
While it is clear that the Framework Decision introduced
some improvements in a field lacking substantial regulation27,
criticism on the text can be summarized by the following quote
from De Hert and Papakonstantinou, stating that “rather than
a text that would resolve data protection matters, it apparently became
a text that created more problems for the protection of individual
privacy”28.
Even though the Framework Decision was a welcome first
step in the regulation of the scattered field of data protection
in the police and criminal justice sector29, its limited scope and
lacking data protection standards prevented the instrument
from providing a sufficient and comprehensive level of regu-
lation in this area. As it did not cover domestic data processing
and was not entirely in line with prior legal instruments, which
the Decision allowed to remain unaffected and even take
precedence30, the instrument has proven to be inadequate in
light of article 16 TFEU and ineffective at mending the increas-
ingly fragmented and inconsistent landscape of data protection
in the area of law enforcement and criminal justice31. As further
discussed below, it now remains to be seen if the newly in-
troduced Directive shall be able to correct these flaws.
25
European Commission, “Communication from the Commis-
sion to the European Parliament, The Council, The European
Economic and Social Committee and the Committee of the Regions:
Safeguarding Privacy in a Connected World. A European Data Pro-
tection Framework for the 21st Century”, Brussels, 25 January
2012, 9.
26
Zerdick, Thomas, “Status and scope of implementation of FD
2008/977/JHA”, (ERA Conference: Data Protection in the Area of Eu-
ropean Criminal Justice Today – Speakers’ Contributions, Trier, 5–6
November 2012).
27
Nunzi, Alfredo, “Exchange of information and intelligence among
law enforcement authorities – A European Union perspective”, In-
ternational Review of Penal Law 2007, Vol.78, 150–151.
28
De Hert, Paul and Papakonstantinou, Vagelis, “The data protec-
tion framework decision of 27 November 2008 regarding police and
judicial cooperation in criminal matters – A modest achievement
however not the improvement some have hoped for”, Computer Law
& Security Review 2009, Vol. 25, Issue 5, 414.
29
De Busser, Els and Vermeulen, Gert, “Towards a coherent EU
policy on outgoing data transfers for use in criminal matters? The
adequacy requirement and the framework decision on data pro-
tection in criminal matters. A transatlantic exercise in adequacy”
in Cools, Mark et al., EU and International Crime Control – Topical Issues,
Antwerpen, Maklu, 2010, 116–117.
30
Recital 39 and article 28 Council Framework Decision 2008/977/
JHA.
31
De Hert, Paul, “The data protection regime applying to the inter-
agency cooperation and future architecture of the EU criminal justice
and law enforcement area”, (KU Leuven Workshop: The Directive
for data protection in the police and justice sectors: a significant
step towards modern EU data protection? 1 February 2016).
 ARTICLE IN PRESS
4 computer law & security review ■■ (2017) ■■–■■
2.2. Recent developments and the data protection reforms
Considering data protection a human right and making it a pri-
ority at the Union level has not been without merit. The
adequate protection of personal data encourages governmen-
tal legitimacy and builds trust in digital security and human
rights. It contributes to the digital economy by empowering new
markets and aids in the establishment of a unified frame-
work for international cooperation and safe transfers of data32.
Particularly in the area of law enforcement and criminal justice,
adequate data protection standards can be highly beneficial
for all parties involved, as they safeguard the vital human rights
of the general public while improving international coopera-
tion, increasing the efficiency of judicial and law enforcement
activities and reinforcing the public trust therein.
Yet while the principle of data protection is not a new or
foreign concept in Europe, recent developments and increas-
ingly glaring flaws in the practical implementation of aging
legislation spurred the recent adoption of large scale data
protection reforms in the area of police and criminal justice33.
First, the Treaty of Lisbon34 presented the perfect opportu-
nity for a major overhaul of the European data protection
framework35. In addition to conferring treaty status on the
European Charter of Human Rights, which explicitly recog-
nizes the right to protection of personal data36, the Treaty
abolished the so-called pillar structure and removed artificial
barriers to the European regulation of the area of Police and
Judicial Co-Operation in Criminal Matters (PJCCM)37, thereby
allowing for a uniform approach to data protection in this
area38. The Lisbon Treaty introduced article 16 TFEU as a
potent and single legal basis which unified several provisions
previously separated across different pillars and envisioned
the comprehensive regulation of all data protection rules
32
For more on the impact and benefits of data protection, see:
Reding, Viviane, “The European data protection framework for the
twenty-first century”, International Data Privacy Law 2012, Vol. 2, No.
3, 124; Dix, Alexander, “EU Data Protection Reform: Opportunities
and Concerns”, Intereconomics 2013, Vol. 48, Issue 5, 1.
33
These developments are not limited to the European Union
alone. Both the Council of Europe’s (CoE) Convention No.108 on the
Protection of Personal Data and the Organisation for Economic Co-
operation and Development’s (OECD) Privacy Guidelines have
recently been revised for similar reasons.
34
Treaty of Lisbon amending the Treaty of the European Union
and the Treaty establishing the European Community, signed at
Lisbon, 13 December 2007, O.J. C306/01, 17 December 2007.
35
Buttarelli, Giovanni, “The EU’s data protection for police and
justice: Need for robust reform”, (ERA Conference: Data Protec-
tion in the Area of European Criminal Justice Today – Speakers’
Contributions, Trier, 5–6 November 2012).
36
Art. 8 Charter of Fundamental Rights of the European Union,
O.J. 2012 C 326.
37
Brunazzo, Marco, “Burial or resurrection? The fate of EU “pillars”
after Lisbon”, (SISP Annual Congress, 16 September 2010).
38
Buttarelli, Giovanni, “Data protection in the area of freedom, se-
curity and justice: challenges for the judiciary” in Hijmans, Hielke
and Kranenborg, Herke (eds.), Data Protection Anno 2014: How to restore
trust? Contributions in honour of Peter Hustinx, European Data Protec-
tion Supervisor 2004–2014, Cambridge, Intersentia, 2014, 53.
Please cite this article in press as: Thomas Marquenie, The Police and Criminal Justice Authorities Directive: Data protection standards and impact on the legal framework,
Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.03.009
falling within the scope of EU law39. As such, these changes
to the European Union’s structure provided the ideal circum-
stances for a major reform.
Second, the fragmentation of the current legal framework
and notable gaps therein has been considered problematic and
have led to the reform being characterized as “long overdue”40.
As mentioned earlier in this article, the 2008 Framework De-
cision only covers data protection for cross-border transfers
and does not go beyond the setting of general minimum stan-
dards, meaning that the area of police and criminal justice was
not yet covered by a comprehensive legal instrument41. This
approach has resulted in divergent national implementa-
tions of vague European rules and a considerable amount of
legal uncertainty for citizens, businesses and law enforce-
ment alike42.
Third, technological progress has introduced new legisla-
tive challenges to the field of data protection43. Phenomena such
as cloud computing, big data analysis, data mining, the pro-
liferation of social media and increasingly networked devices
were not yet accounted for in older data protection
instruments44. These new technologies have resulted in a con-
stant and ever-growing stream of user-generated content and
make the global access to and exchange of personal informa-
tion increasingly convenient. In addition, the heightened global
dimension of information exchange has made significant
changes to how data is processed by police services45. Law en-
forcement and judicial authorities increasingly cooperate with
entities in other countries to ensure the effective execution of
their tasks46. However, as the current legislation both imposes
unnecessary obstacles to efficient cooperation and often fails
39
Hijmans, Hielke and Scirocco, Alfonso, “Shortcomings in EU data
protection in the third and the Second Pillars. Can the Lisbon Treaty
be expected to help?”, Common Market Law Review 2009, Issue 46.
40
Den Boer, Monika, “Calling for reform? The EU’s current data
protection framework in the field of criminal justice”, (ERA Con-
ference: Data Protection in the Area of European Criminal Justice
Today – Speakers’ Contributions, Trier, 5–6 November 2012).
41
Braum, Stefan and Covolo, Valentina, “From proven fragmen-
tation to guaranteed data protection within the virtual criminal law
enforcement area: A report on personal data protection within the
framework of police and judicial cooperation in criminal matters”
in Ligeti, Katalin, Toward a Prosecutor for the European Union – Volume
1: A Comparative Analysis, Oregon, Bloomsbury Publishing, 2013.
42
European Commission, “Communication from the Commis-
sion to the European Parliament, The Council, The European
Economic and Social Committee and the Committee of the Regions:
Safeguarding Privacy in a Connected World. A European Data Pro-
tection Framework for the 21st Century”, Brussels, 25 January 2012.
43
Recital 3 Police and Criminal Justice Directive.
44
European Data Protection Supervisor (EDPS), “Opinion of the Eu-
ropean Data Protection Supervisor on the data protection reform
package”, 7 March 2012.
45
European Commission, “Communication from the Commis-
sion to the European Parliament, The Council, The European
Economic and Social Committee and the Committee of the Regions:
Safeguarding Privacy in a Connected World. A European Data Pro-
tection Framework for the 21st Century”, Brussels, 25 January 2012.
46
European Data Protection Supervisor (EDPS), “Opinion of the Eu-
ropean Data Protection Supervisor on the data protection reform
package”, 7 March 2012.
 ARTICLE IN PRESS
computer law & security review ■■ (2017) ■■–■■
to provide sufficient guarantees for the protection of per-
sonal data47, the need of a thorough reform became ever clearer.
Finally, stronger data protection regulations can be benefi-
cial for the efficiency of law enforcement activities in these
changing times48. Recent analysis of the public perception of
data protection has revealed that while unaware of the intri-
cacies of data protection, the general European population does
not believe that its personal data is as strongly protected as
it should be49. A common sentiment is that once data is shared
with others, the data subject loses all control thereof and has
no clear understanding of what it might be used for. The in-
troduction of high data protection guarantees in the field of
law enforcement and criminal justice can improve public trust
in police activities and raise confidence in the integrity of private
lives being maintained and respected. Additionally, the adop-
tion of uniform practices and standards in all European member
states can remove obstacles to efficient cooperation and the
unhindered exchange of data. As such, effective data protec-
tion rules can reinforce human rights and support more
streamlined, safe and efficient processing by public authorities.
In summary, it has become clear that recent develop-
ments in society and the areas of data protection, law and
technology have put the already lacking legal framework under
growing amounts of pressure. As its flaws have become in-
creasingly glaring and the institutional reforms introduced by
Lisbon provided the perfect opportunity for a major reform,
it is clear that the European legislator has pinned its hopes on
the Directive to invigorate data protection in the area of police
and criminal justice.
2.3. The impact of the data protection reforms
In this light, the question remains whether the Directive will
be able to accomplish what the Framework Decision could not50
47
Reding, Viviane, “The upcoming data protection reform for the
European Union”, International Data Privacy Law 2011, Vol. 1, No. 1.
48
European Parliament, “Press Release – New data protection stan-
dards to ensure smooth police cooperation in the EU”, 17 December
2015; European Data Protection Supervisor (EDPS), “Opinion 3/2015
– Europe’s big opportunity: EDPS recommendations on the EU’s
options for data protection reform”, 27 July 2015 (updated with ad-
dendum, 9 October 2015).
49
Hallinan, Dara, Friedewald, Michael and McCarthy, Paul, “Citi-
zens’ perceptions of data protection and privacy in Europe”, Computer
Law & Security Review 2012, Vol. 28, Issue 3; European Commis-
sion, “Special Eurobarometer 431 – Data Protection Report”, June
2015, <http://ec.europa.eu/public_opinion/archives/ebs/ebs_431
_en.pdf>.
50
It needs to be mentioned that not all actors agree with this as-
sessment. The government of the United Kingdom, for example,
is of the opinion that there are no sufficient grounds to assume
that a lack of domestic harmonization caused detriment to law en-
forcement activities and cross-border co-operation in this area.
Additionally, it voiced concerns that increasingly harmonized EU
rules in this field may actually hinder data exchange and co-
operation due to a higher burden being placed on controllers and
processors. As such, it claims that far reaching legislation impos-
ing a comprehensive and uniform standard on domestic processing
may be at odds with the European principle of subsidiarity. For more,
see: Ministry of Justice of the UK, “Government response to Justice
Select Committee’s opinion on the European Data Protection frame-
work proposals”, January 2013, 15–16.
Please cite this article in press as: Thomas Marquenie, The Police and Criminal Justice Authorities Directive: Data protection standards and impact on the legal framework,
Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.03.009
5
and constitute a comprehensive piece of legislation capable
of harmonizing the fragmented legal landscape and achiev-
ing uniform and strong data protection standards in this field.
When drafting the original proposal of the Directive, the Com-
mission was well aware of the inconsistent and fragmented
state of the current framework. In its Impact Assessment
Working Paper51, it explicitly recognized the abovementioned
issues and expressed a clear desire to actively address them.
As such, the foremost improvement in the Directive is the
extension of the scope of application to include domestic pro-
cessing activities52. Contrary to the current situation in which
only cross-border transfers of data are subject to a specific legal
instrument, purely internal processing activities will now be
covered by European Union legislation and common data pro-
tection rules.
In addition, the Directive raises the general data protec-
tion standards and provides stronger guarantees against
infringements on the right to data protection53, not in the least
by being directly effective in national legal systems and en-
forceable by member state courts. As further described below,
the Directive requires close compliances with these prin-
ciples while still recognizing the unique nature of data
processing in this field. Data subjects are better informed of
their rights, more potent oversight mechanisms are estab-
lished and limitations or exceptions to general principles are
bound more closely by requirements of necessity and propor-
tionality, all without losing sight of the unique intricacies and
challenges posed by the law enforcement and criminal justice
environment.
Considering the above, it seems clear that the Directive vastly
improves upon the Framework Decision and increases the level
of consistency, harmonization and data protection standards
at the substantive level while introducing more potent mecha-
nisms for their enforcement54. However, four particular aspects
of the Directive remain cause for concern.
First, the choice of legal instrument and the often broad dis-
cretion of the member states have been subject to certain
criticism and doubts55. By opting for a directive rather than a
51
European Commission, “Commission Staff Working Paper –
Impact Assessment accompanying the document Regulation of the
European Parliament and of the Council on the protection of in-
dividuals with regard to the processing of personal data and on
the free movement of such data (General Data Protection Regula-
tion) and Directive of the European Parliament and of the Council
on the protection of individuals with regard to the processing of
personal data by competent authorities for the purposes of pre-
vention, investigation, detection or prosecution of criminal offences
or the execution of criminal penalties, and the free movement of
such data”, SEC(2012)72, Brussels, 25 January 2012, 31–35.
52
Art. 1–2 Police and Criminal Justice Directive.
53
De Hert, Paul, “The new features of the draft Directive”, (ERA
Conference: Data Protection in the Area of European Criminal Justice
Today – Speakers’ Contributions), Trier, 5–6 November 2012.
54
Colonna, Liane, “The new EU proposal to regulate data protec-
tion in the law enforcement sector: raises the bar but not high
enough”, IRI Promemoria 2012, Issue 2, 3.
55
Gayrel, Claire and Robert, Romain, “Proposition de règlement
sur la protection des données – Premiers commentaires”, Journal
de droit Européen 2012, No. 190, June 2012, 1–2 ; European Data Pro-
tection Supervisor (EDPS), “Opinion of the European Data Protection
Supervisor on the data protection reform package”, 7 March 2012.
 ARTICLE IN PRESS
6 computer law & security review ■■ (2017) ■■–■■
separate regulation or the inclusion of its provisions in the
GDPR, the Commission did little to mitigate the risk of diver-
gent implementations at the national level. While the Directive
intends to set high minimum standards and limit the pos-
sible exceptions to general principles and safeguards, several
provisions do allow for a considerable degree of divergence that
could result in significant differences between national data
protection regimes. In particular, the lack of specific guide-
lines on how certain general concepts such as necessity,
proportionality and appropriateness are to be implemented and
applied by member states to balance privacy with security and
other civil rights56 could pose an obstacle to a comprehen-
sive and uniform European data protection framework57.
Second, criticism has been raised regarding certain signifi-
cant differences between the Directive and GDPR. In several
instances, the Regulation provides stronger data protection guar-
antees and imposes more stringent obligations on data
controllers than the Directive58. These differences could amount
to increased legal uncertainty for both data subjects and con-
trollers alike, and could lead to practical difficulties and
confusion among police and judicial authorities subject to two
separate and different rule sets. While it is a welcome aspect
of the data protection reform59 that data processing activities
performed by competent law enforcement and judicial au-
thorities for purposes other than those of the Directive are still
regulated by the GDPR60, the application of different data pro-
tection standards and obligations raises questions of legitimacy
and could lead to confusion and public authorities wrong-
fully applying the incorrect set of rules61.
Third, article 1(3) of the Directive does not preclude member
states from providing higher safeguards than the minimum level
of protection established by the Directive. While this is not det-
rimental to high data protection standards and could result
56
Pagallo, Ugo, “Online security and the protection of civil rights:
A legal overview”, Philosophy and Technology 2013, Vol. 26, 392–393.
57
The lack of further requirements or prescriptive guidelines is
particularly regrettable, as the European legislator would have done
well in following the existing resources and guidelines on this
subject closer. For example, see: Article 29 Data Protection Working
Party (Working Party 29), “Opinion 01/2014 on the application of
necessity and proportionality concepts and data protection within
the law enforcement sector”, 27 February 2014.
58
Article 29 Data Protection Working Party (Working Party 29),
“Opinion 03/2015 on the draft directive on the protection of indi-
viduals with regard to the processing of personal data by competent
authorities for the purposes of prevention, investigation, detec-
tion or prosecution of criminal offences or the execution of criminal
penalties, and the free movement of such data”, 1 December 2015.
59
Article 29 Data Protection Working Party (Working Party 29), “Ap-
pendix to prior opinions and statements – Core topics in view of
trilogue”, 17 June 2015, 3.
60
Recital 9 and Art. 12 Police and Criminal Justice Directive.
61
Article 29 Data Protection Working Party (Working Party 29),
“Opinion 03/2015 on the draft directive on the protection of
individuals with regard to the processing of personal data by
competent authorities for the purposes of prevention, investiga-
tion, detection or prosecution of criminal offences or the execution
of criminal penalties, and the free movement of such data”, 1
December 2015, 5.
Please cite this article in press as: Thomas Marquenie, The Police and Criminal Justice Authorities Directive: Data protection standards and impact on the legal framework,
Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.03.009
in countries going even beyond the safeguards envisioned by
the European legislator, such a provision could lead to con-
siderable differences between countries 62 committed to
upholding the highest possible level of data protection on the
one hand, and those who are reluctant to go above the bare
minimum on the other. It is not unthinkable such a situation
could hinder effective co-operation and information ex-
change with other member states and European institutions63.
Finally, while making vast improvements to the substan-
tive level of data protection, the Directive leaves parts of the
current fragmented framework unaltered. Article 60 explic-
itly states that specific provisions covering data protection in
already existing Union legal acts shall remain unaffected, and
while article 61 originally set a fixed time table for the amend-
ment of previously concluded international agreements in this
field, the final version of the text stipulates that they shall
remain in force until otherwise amended, replaced or revoked.
As such, these provisions allow possibly outdated and inad-
equate data protection standards present in existing Union legal
acts and international agreements to remain in place in an-
ticipation of the Commission’s review of the updated legal
framework set to take place only by 201964.
In light of the above, there is reason to assume that the Di-
rective will not have the originally envisaged effect of creating
a comprehensive and uniform legal framework covering all in-
stances of data processing in the sector of police and criminal
justice. The nature of the Directive and certain provisions
therein could lead to an inconsistent national implementa-
tion and divergent data protection regimes at the level of the
member states, while its final provisions leave already exist-
ing pieces of legislation entirely unaffected and do nothing to
harmonize them further.
While it is far from impossible for a data protection Direc-
tive to result in an adequate level of harmonization by limiting
member state flexibility and disallowing major exceptions to
general principles65, a considerable degree of divergence is still
likely to exist and result in legal uncertainty and inconsis-
tent applications of data protection standards. As such, these
aspects of the Directive and the absence of a remedy for the
62
Eurojus Rivista Italy, “Balance between security and fundamen-
tal rights protection: an analysis of the Directive 2016/680 for data
protection in the police and justice sectors and the Directive 2016/
681 on the use of passenger name records (PNR)”, 24 May 2016,
<http://rivista.eurojus.it/balance-between-security-and-fundamental
-rights-protection-an-analysis-of-the-directive-2016680-for-data-
protection-in-the-police-and-justice-sectors-and-the-directive-
2016681-on-the-use-of-passen/>.
63
European Data Protection Supervisor (EDPS), “Opinion 6/2015
– a further step towards comprehensive EU data protection: EDPS
recommendations on the Directive for data protection in the police
and justice sectors”, 28 October 2015, 5.
64
Alonso Blas, Diana, “The proposed Directive on data protec-
tion in the area of police and justice: A closer look – The omission
of Europol and Eurojust from the draft Directive”, (ERA Confer-
ence: Data Protection in the Area of European Criminal Justice Today
– Speakers’ Contributions), Trier, 5–6 November 2012.
65
As recognized by the European Court of Justice in a number of
cases relating to Directive 95/46/EC. See for example: CJEU, Bodil
Lindqvist, C-101/01, 6 November 2003, para. 96–97.
 ARTICLE IN PRESS
computer law & security review ■■ (2017) ■■–■■
current lack of comprehensiveness have been considered a main
weakness of the data protection reforms66.
3. The Directive reviewed
3.1. General provisions and scope
The first chapter of the Directive covers the general provisions
on scope, subject matter and relevant definitions. As per ar-
ticles 1 and 2, and with the exception of processing activities
falling outside the scope of Union law or conducted by Union
bodies, all processing of personal data by competent authori-
ties is covered by the Directive when done for the purposes of
law enforcement and criminal justice, being the prevention, in-
vestigation, detection or prosecution of criminal offences or the
execution of criminal penalties, and including the safeguard-
ing against and the prevention of threats to public security.
Following the establishment of the scope and subject matter of
the Directive, article 3 presents a list of definitions of key con-
cepts, incorporating both long established European notions and
newly introduced concepts67.
The fact that the expanded scope of application now also
covers purely domestic data processing by police and crimi-
nal justice authorities marks a promising first step towards a
comprehensive European data protection regime in this field
and a clear improvement over the currently divided framework68.
Also taking into account that European member states are left
with the possibility to adopt higher standards than those
present in the Directive and provide further safeguards for the
protection of personal data, it is clear that the opening chapter
of the Directive establishes an ambitious scope of applica-
tion and praiseworthy objectives.
However, while broad at first sight, the scope of the Direc-
tive is restricted in a number of ways69. The lack of a clear
definition or distinction between ‘national security’, which is
a matter falling outside the scope of the Directive, and ‘safe-
guarding against threats to public security’, which is covered
66
European Data Protection Supervisor (EDPS), “Opinion of the Eu-
ropean Data Protection Supervisor on the data protection reform
package”, 7 March 2012, 4–5.
67
As a result of technological advancements, the notions of
pseudonymization, profiling, personal data breaches and both
genetic and biometric data have become established concepts in
the areas of data protection and criminal justice. Additionally,
changes introduced by European case law have been incorpo-
rated through the alteration of existing definitions, such as the
concept of personal data which now includes specific mention of
online identifiers following the CJEU cases Promusicae (C-275/06, 29
January 2008) and Digital Rights Ireland (Cases C-293/12 and C-594/
12, 8 April 2014).
68
Reding, Viviane, “The European data protection framework for
the twenty-first century”, International Data Privacy Law 2012, Vol. 2,
No. 3.
69
Eurojus Rivista Italy, “Balance between security and fundamen-
tal rights protection: an analysis of the Directive 2016/680 for data
protection in the police and justice sectors and the Directive 2016/
681 on the use of passenger name records (PNR)”, 24 May 2016.
Please cite this article in press as: Thomas Marquenie, The Police and Criminal Justice Authorities Directive: Data protection standards and impact on the legal framework,
Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.03.009
7
by the instrument, is cause for concern70 and could result in
member states making use of this vague exception to unduly
legitimize processing activities without the presence of ad-
equate data protection measures71. Additionally, the possibility
for member states to exclude court proceedings and bodies
acting in their judicial capacity from certain data protection
requirements as well as the fact that Union institutions and
bodies are not covered by the Directive constitute consider-
able limitations of its scope. This lack of concrete guidelines
and potentially broad exceptions could undermine the none-
theless ambitious scope of the Directive. Yet still, the inclusion
of purely domestic processing and the designation of public
authorities by means of their purpose rather than potentially
limited statutes is undoubtedly a noteworthy accomplishment.
3.2. Data protection principles
Taking into account the fundamental aspects of data protec-
tion as a human right, the second chapter of the Directive sets
out a number of general principles for the processing of per-
sonal data which controllers must demonstrate compliance
with. Being nearly identical to the GDPR72 and retaining most
of the established data protection principles, article 4 states
that data processing activities must meet the requirements of
purpose limitation, data minimization, accuracy, lawfulness,
fairness, transparency and both integrity and confidentiality.
Elaborating on these fundamental principles of lawfulness and
purpose limitation, articles 8 and 9 specifically require pro-
cessing activities to be necessary for the performance of the
tasks of competent authorities as set out by a law specifying
the data to be processed as well as the objectives and pur-
poses of the processing. Additionally, article 5 explicitly calls
for the introduction of a periodic review of the need for the
storage of personal data or for the implementation of appro-
priate time limits for storage enforced by procedural measures.
Furthermore, article 6 requires a distinction to be made
between different categories of data subjects. In doing so, the
Directive recognizes the importance of classifying and treat-
ing data differently based on the degree of the data subject’s
involvement in a crime. As such, a distinction must be made
between (a) those suspected of having committed a crime, (b)
those convicted of an offence, (c) potential and certain victims
of an offence and (d) other parties such as witnesses, con-
tacts and informants. A comparable rule can be found in article
7, which states that a distinction shall be maintained between
types of personal data based on fact and on personal assess-
ments while also requiring the verification of the accuracy,
reliability and completeness of data before it can be transmit-
ted or made available.
Following article 10, particular attention shall be paid to the
processing of special categories of special data. By broaden-
ing the traditional categories of sensitive data such as religious
70
Colonna, Liane, “The new EU proposal to regulate data protec-
tion in the law enforcement sector: raises the bar but not high
enough”, IRI Promemoria 2012, Issue 2, 5.
71
European Data Protection Supervisor (EDPS), “Opinion 6/2015
– a further step towards comprehensive EU data protection: EDPS
recommendations on the Directive for data protection in the police
and justice sectors”, 28 October 2015, 6.
72
Art. 5 General Data Protection Regulation.
 ARTICLE IN PRESS
8 computer law & security review ■■ (2017) ■■–■■
beliefs, sexuality, political opinion and racial origins by the in-
clusion of genetic and biometric data, the Directive takes notice
of recent technological developments and creates an ad-
equate regime awarding special protection to the processing
of certain data which might result in a greater impact on the
data subject’s life73.
Lastly, article 11 sets out specific rules for automated in-
dividual decision-making and the practice of profiling. Such
activities are generally prohibited when these decisions are
based solely on automated processing and produce adverse legal
effects for data subjects or significantly affect them. While the
practice of profiling can adversely affect data subjects in a law
enforcement context, the Directive provides safeguards to miti-
gate undue interferences with the private lives of the persons
involved. Only when authorized by law and covered by appro-
priate safeguards for the rights and freedoms of the data subject,
which include at least the right to obtain human interven-
tion, may such fully automated decisions affecting the data
subject be made. If these decisions are based on the special
categories of data described above, the Directive requires further
suitable measures to safeguard legitimate interests and the data
subject’s rights and freedoms. However, if such decisions would
result in discrimination against a natural person, they shall
always be prohibited.
In general, the introduction of and expansion upon the es-
tablished European data protection principles in the sector of
police and criminal justice is a remarkable step forward. While
recognizing the unique nature of data processing in this sector,
the Directive succeeds at upholding general principles and es-
tablishing basic safeguards set to protect data subject rights
and guide data controllers throughout the processing of per-
sonal data74. The extraordinary status of special categories of
sensitive data, the explicit recognition of time limits for storage
and the distinctions between types of data and categories of
data subjects are notable innovations set to protect data sub-
jects and improve the effectiveness and accuracy of law
enforcement activities based on hard and soft intelligence75.
However, while the application of these principles in this
sector is a laudable achievement, a number of complaints must
still be voiced. Regrettably76, not all of the practical guide-
lines in CoE Convention No.108 and Recommendation R(87)15
73
Article 29 Data Protection Working Party (Working Party 29),
“Opinion 03/2015 on the draft directive on the protection of indi-
viduals with regard to the processing of personal data by competent
authorities for the purposes of prevention, investigation, detec-
tion or prosecution of criminal offences or the execution of criminal
penalties, and the free movement of such data”, 1 December 2015,
8–9.
74
De Hert, Paul, “The new features of the draft Directive”, (ERA
Conference: Data Protection in the Area of European Criminal Justice
Today – Speakers’ Contributions), Trier, 5–6 November 2012.
75
Colonna, Liane, “The new EU proposal to regulate data protec-
tion in the law enforcement sector: raises the bar but not high
enough”, IRI Promemoria 2012, Issue 2, 5–6.
76
Article 29 Data Protection Working Party (Working Party 29),
“Opinion 03/2015 on the draft directive on the protection of
individuals with regard to the processing of personal data by
competent authorities for the purposes of prevention, investiga-
tion, detection or prosecution of criminal offences or the execution
of criminal penalties, and the free movement of such data”, 1
December 2015, 3.
Please cite this article in press as: Thomas Marquenie, The Police and Criminal Justice Authorities Directive: Data protection standards and impact on the legal framework,
Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.03.009
were followed77, as the data minimization clause only re-
quires the collection of data to be “not excessive” rather than
“limited to the minimum necessary” and a number of addi-
tional safeguards were omitted. Additionally, the purpose
limitation principle allowing for subsequent processing of data
for different purposes under relatively broad conditions is likely
to result in significantly divergent national implementations78.
The lack of concrete criteria for a periodic review of the need
for the storage of personal data and the mere requirement of
“appropriate” time limits rather than a clear schedule are re-
grettable in light of recent case law of the Court of Justice of
the European Union (CJEU)79. As for the newly introduced dis-
tinctions between types of data, the fact that they must only
be introduced “as far as possible” as well as the absence of spe-
cific safeguards for non-suspects or different types of crime80
and the lack of technical and organizational criteria make the
practical and uniform compliance with these provisions
difficult81.
77
For example, the CoE Convention No.108 states that further use
for different purposes should only be allowed when provided for
by law, necessary in a democratic society, precise, foreseeable and
proportionate in view of the intended objectives.
78
Despite being an improvement over the implementation of the
principle in the 2008 Framework Decision, few additional safe-
guards are provided for the further processing for different purposes
than those for which the data was originally collected. As long as
the controller is adequately authorized by national law and the pro-
cessing is necessary and proportionate for these other purposes,
personal data can be processed for other purposes. As the lack of
concrete guidelines or supplementary requirements allows diver-
gent national interpretations of the notions of proportionality and
necessity, it is not unthinkable that this key principle will be un-
dermined by national authorities adopting different approaches and
processing data for different purposes without sufficient safe-
guards being in place. As such, stronger safeguards, the
acknowledgement of different categories of data subjects and a case-
by-case analysis of the original circumstances and the existence
of an adequate legal basis would be desirable for the safeguard-
ing of this key principle. For more, see: Article 29 Data Protection
Working Party (Working Party 29), “Opinion 03/2013 on Purpose Limi-
tation”, 2 April 2013.
79
In recent case law, the CJEU gave a clear opinion on data re-
tention periods. Partially due to the absence of a distinction between
categories of data and persons, as well the absence of objective cri-
teria determining the period of retention and the possible usefulness
of data in comparison to the purposes of the processing activi-
ties, the CJEU recently annulled the Data Retention Directive. As
such, it is regrettable that the European legislator did not take this
judgment further into account by implementing similar safe-
guards in the Directive. For more, see: CJEU, Digital Rights Ireland
and Seitlinger and Others, Joined Cases C-293/12 and C-594/12, O.J.
C258, 8 April 2014.
80
For example, the Working Party 29 recommended that the
processing of personal data of non-suspects “should only be
allowed under certain specific conditions and when absolutely
necessary for a legitimate, well-defined and specific purpose”
and would require additional safeguards to be implemented. See:
Article 29 Data Protection Working Party (Working Party 29),
“Opinion 01/2013 providing further input into the discussions on
the draft Police and Criminal Justice Data Protection Directive”,
26 February 2013, 3.
81
Colonna, Liane, “The new EU proposal to regulate data protec-
tion in the law enforcement sector: raises the bar but not high
enough”, IRI Promemoria 2012, Issue 2, 6.
 ARTICLE IN PRESS
computer law & security review ■■ (2017) ■■–■■
In regards to the protection of special categories of data, it
is regrettable that no particular attention is paid to the rights
of children and that general notions such as “appropriate safe-
guards” are left undefined82 while the broad clause “where
authorized by Union or Member State law” risks serving as a
potential catch-all basis for the processing of such sensitive
personal information. Finally, while general profiling is ad-
equately covered by safeguards such as the right to human
intervention, the final version of the text allows the use of sen-
sitive personal data for profiling activities83 without notably
stronger guarantees for the protection of human rights84.
In summary, it can be said that while the introduction of
general data protection principles and a number of funda-
mental guiding rules in the area of police and criminal justice
is a considerable improvement over the current legal frame-
work, the often broad exceptions thereto and the use of general
and vague terms without further guidelines on their imple-
mentation do pose the risk that the effectiveness of these
provisions might be eroded in their national implementation.
3.3. Data subject rights
The third chapter of the Directive regulates the protection and
exercise of data subject rights. A clear set of rules and proce-
dures is established through the introduction of a number of
rights belonging to the data subject, the restrictions appli-
cable thereto and the modalities for the exercise and
communication thereof by and to the data subject.
General modalities for the exercise of these rights are es-
tablished in article 12 and seek to lower the administrative and
practical burden by requiring data subject requests to be fol-
lowed up on without undue delay and information to be made
available in a concise, intelligible, generally free and easily ac-
cessible form. Following article 13, the information made
available to the data subject must include the identity of the
controller and the data processing officer, the purposes of the
processing and the possibility to lodge a complaint with the
supervisory authority or request rectification or erasure of per-
sonal data.
Under article 14, data subjects are given the right to access
personal data concerning them and to obtain knowledge of
ongoing processing activities involving their personal data. On
their request, they shall be given further information about the
purposes and legal basis of the processing and the categories
of data concerned, as well as the origins and recipients of the
82
European Data Protection Supervisor (EDPS), “Opinion of the Eu-
ropean Data Protection Supervisor on the data protection reform
package”, 7 March 2012, 57.
83
De Hert, Paul and Papakonstantinou, Vagelis, “The Police and
Criminal Justice Data Protection Directive: Comment and Analy-
sis”, Computers & Law Magazine of SCL 2012, Vol. 22, No. 6, 3.
84
The only additional conditions applicable to profiling based on
sensitive information are that measures safeguarding rights and
freedoms must now be “suitable” rather than “appropriate” and that
“legitimate interests” must receive protection as well. As no further
explanation on how these requirements must be interpreted is
given, it is not unimaginable that national implementations of this
provision shall not offer the sufficiently stronger safeguards this
sensitive data deserves.
Please cite this article in press as: Thomas Marquenie, The Police and Criminal Justice Authorities Directive: Data protection standards and impact on the legal framework,
Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.03.009
9
data and storage periods thereof. Additionally, article 16 grants
data subjects the opportunity to obtain the rectification or
erasure of their personal data as well as, in certain cases, re-
strictions on its processing. Their personal data can be corrected
when inaccurate and erased in case of a legal obligation or in-
fringement of certain data protection standards.
Nonetheless, the abovementioned rights are not absolute
and their exercise is subject to a number of limitations in order
to protect the integrity and confidentiality of criminal inves-
tigations and procedures. The obligation on the controller to
make information available to the data subject may be re-
stricted, delayed or omitted by law if such a measure is
necessary and proportionate in a democratic society with due
regard for fundamental rights and legitimate interests of
persons concerned, and serves to avoid obstructing legal and
criminal procedures, protect the rights and freedoms of others
or safeguard national or public security. According to article
15, data subjects’ requests for access to data or the rectifica-
tion and erasure thereof may be refused on the same grounds,
on the added condition that they are informed of the refusal
without undue delay, are made aware of their right to lodge a
complaint against the decision and are given the reasons for
the refusal unless doing so would undermine one of the
abovementioned purposes.
Yet, in the event that a data subject’s rights to obtain in-
formation, access personal data and obtain rectification or
erasure thereof would be limited or denied by means of the
exceptions mentioned above, article 17 grants the data subject
the possibility of tasking the supervisory authority with the
exercise of these rights on his or her behalf. While this does
not serve as an indirect method for the data subject to still
obtain the desired information, access or erasure, the super-
visory authority must conduct all necessary verifications and
reviews of the processing of the data and inform the data
subject of the outcome thereof.
As such, the Directive’s provisions on data subject rights
are largely satisfactory and introduce a number of adequate
safeguards. Administrative and practical obstacles are ad-
dressed by setting out clear rules on the modalities of the
exercise of these rights. Data subjects are given adequate in-
formation about data processing activities concerning them and
are sufficiently informed about the possibilities to file com-
plaints, obtain access to further information, request the
rectification or erasure of their data and, if necessary, rely on
the supervisory authority to aid in the exercise of their rights.
The existence of certain restrictions for the public interest, free-
doms of others and integrity of criminal investigations cannot
be considered as invalidating the protection offered by these
rights.
Yet, while the degree of transparency in this chapter is gen-
erally well received85, some regret the removal of certain aspects
85
Transparency and the right to be informed about processing are
considered fundamental and necessary components of the effec-
tive exercise of other data protection rights. See: Bäcker, Matthias
and Hornung, Gerrit, “Data processing by police and criminal justice
authorities in Europe – The influence of the Commission’s draft
on the national police laws and laws of criminal procedure”, Com-
puter Law & Security Review 2012, Vol. 28, Issue 6, 631.
 ARTICLE IN PRESS
10 computer law & security review ■■ (2017) ■■–■■
of the original proposal86, the lack of information concerning
security measures and safeguards for international transfers87,
and the possibility for member states to determine entire cat-
egories of data subjects with restricted rights88. As such, the
Directive does grant data subjects more powers to address vio-
lations of their rights but does not necessarily prevent further
uncertainties or practical issues from arising89.
3.4. Data controller obligations
3.4.1. General obligations
The fourth chapter of the Directive introduces a number of new
obligations on data controllers and processors. Following article
19, it is up to the controller to provide appropriate technical
and organizational measures to ensure and be able to dem-
onstrate compliance with the Directive, taking into account both
the nature and purposes of the processing as well as the po-
tential risks for the freedoms of the data subjects.
Supplementing this, the controller shall be tasked with the
implementation of appropriate data protection policies when
proportionate to the nature of the data processing activities.
Under article 20, data controllers shall be required to imple-
ment the principles of data protection by design and by default.
As for the design part, technical and organizational mea-
sures will have to be adopted to implement necessary
safeguards into the processing acts themselves90, while data
protection by default shall require built-in mechanisms en-
suring that only personal data necessary for a specific purpose
shall be processed, stored and made accessible.
Specific rules are also established for joint controllers and
data processors in articles 21 through 23. All data controllers
must implement appropriate measures to ensure that the pro-
cessors they collaborate with are in compliance with the newly
introduced data protection rules, while joint controllers are re-
quired to conclude an arrangement to determine their
respective responsibilities. The data processors may only process
personal data under the instructions of the controller and must
be governed by a binding contract setting out the data sub-
jects’ rights and the purposes, nature and duration of the
processing activities. Additionally, prior written authoriza-
tion by the controller shall also be required for data processors
to engage and cooperate with other processors.
86
European Data Protection Supervisor (EDPS), “Opinion 6/2015
– a further step towards comprehensive EU data protection: EDPS
recommendations on the Directive for data protection in the police
and justice sectors”, 28 October 2015, 7.
87
Article 29 Data Protection Working Party (Working Party 29), “Ap-
pendix to prior opinions and statements – Core topics in view of
trilogue”, 17 June 2015, 11.
88
Article 29 Data Protection Working Party (Working Party 29),
“Opinion 01/2013 providing further input into the discussions on
the draft Police and Criminal Justice Data Protection Directive”, 26
February 2013, 4.
89
Galetta, Antonella and De Hert, Paul, “Exercising democratic
rights under surveillance regimes – a European perspective on data
protection and access rights”, (Increasing Resilience in Surveil-
lance Societies (IRISS) Deliverable D5) May 2014, 17–18.
90
Le Métayer, Daniel, “Privacy by design: a matter of choice” in
Gutwirth, Serge, Yves Poullet and Paul De Hert, Data Protection in a
Profiled World, Dordrecht, Springer, 2010, 323–326.
Please cite this article in press as: Thomas Marquenie, The Police and Criminal Justice Authorities Directive: Data protection standards and impact on the legal framework,
Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.03.009
At the more technical level, articles 24 and 25 establish the
requirements of recordkeeping and logging which require data
controllers to maintain records and logs of the data process-
ing and are set to support the demonstration of compliance
with data protection rules and improve the transparency, ac-
countability and effective supervision of processing activities91.
These requirements shall assist with the establishing of the
justification and lawfulness of processing activities as well as
determining the identity of the person consulting, disclosing
and receiving the data. In order to ensure compliance with the
objectives of the Directive, the logs and records shall be made
available to supervisory authorities upon their request.
In the event that a method of processing is considered likely
to cause a high risk to the rights and freedoms of individu-
als, article 27 requires the controller to conduct a prior
assessment of the impact of the processing activity on the pro-
tection of personal data, hereafter referred to as a Data
Protection Impact Assessment (DPIA). These impact assess-
ments must take into account the rights and legitimate interests
of data subjects and concerned persons, as well as include the
envisaged operations, applicable data protection safeguards,
potential risks to freedoms and the measures used to manage
them. As DPIA’s take into consideration wider consequences
for the rights and freedoms of data subjects while contribut-
ing to the accountability of controllers and the proper
compliance with data protection obligations in the Directive,
they shall play an especially important role in the manage-
ment of new surveillance and processing technologies.
Following articles 26 and 28, data controllers and proces-
sors are under a general obligation to cooperate with
supervisory authorities and provide the necessary informa-
tion for the fulfilment of their enquiries. In the event that a
particular type of processing using new technologies or pro-
cedures involves a high risk to data subject rights, or a data
protection impact assessment reveals that processing activi-
ties would result in such a risk in the absence of special
measures taken by the controller, this provision requires the
controller or processor to consult the supervisory authority prior
to the processing and disclose the results of the DPIA. The su-
pervisory authorities may also establish a list of processing
operations requiring such prior consultation by default to ensure
that these particular operations do not escape scrutiny. Addi-
tionally, these provisions determine that the authorities must
also be consulted during the legislative process on data pro-
cessing and are capable of using their powers discussed in
section 3.5.2 to halt processing activities which infringe on the
Directive.
While the lack of technical standards for the implementa-
tion of certain aspects of these provisions might prove
problematic for police and judicial authorities, the introduc-
tion of specific obligations on data controllers in the area of
police and criminal justice is a welcome addition to the Eu-
ropean data protection framework. The implementation of the
principles of data protection by design and by default marks
a step towards further respect for privacy from the ground up,
91
Article 29 Data Protection Working Party (Working Party 29), “Ap-
pendix to prior opinions and statements – core topics in view of
trilogue”, 17 June 2015, 16.
 ARTICLE IN PRESS
computer law & security review ■■ (2017) ■■–■■
while the robust requirements of recordkeeping and logging
seek to promote transparency, accountability and compli-
ance with the legal framework. Additionally, a high level of data
protection standards is provided for by guaranteeing that
persons or entities processing data on behalf of the data con-
trollers shall be held to the same standards and fall under their
direct authority. Equally promising is the broad involvement
of the supervisory authority in the workings and activities of
the data controllers92 as well as the introduction of an impact
assessment when certain processing methods are likely to cause
a heightened risk to the rights and freedoms of individuals.
These safeguards are expected to make improvements to the
accountability of data controllers and assist in the exercise of
data subject rights93.
3.4.2. Security
Another noteworthy addition to the legal framework of data
protection in police and criminal justice sectors are the rules
concerning data security. As law enforcement authorities apply
modern technologies to process and use increasingly large
amounts of data, it is of the utmost importance that the in-
tegrity of police investigations and the security of personal data
handled by law enforcement officials are maintained. As such,
article 29 states that controllers, taking into account practi-
cal concerns such as the nature of the processing, costs and
risks for the rights of data subjects, shall be required to imple-
ment appropriate technical and organizational safeguards to
ensure a risk-appropriate level of security. In addition to this
general obligation, an exhaustive list is given of specific mea-
sures to be adopted, such as safeguards for data integrity as
well as procedures for data recovery and equipment, access,
communication and storage control.
In the event that a personal data breach94 would occur, article
30 imposes an obligation on the data controller to document
the event and notify the supervisory authority unless it can
be demonstrated that the breach is unlikely to result in a risk
to the rights and freedoms of natural persons involved95. As
a personal data breach and the consequences thereof could
92
Article 29 Data Protection Working Party (Working Party 29),
“Opinion 03/2015 on the draft directive on the protection of indi-
viduals with regard to the processing of personal data by competent
authorities for the purposes of prevention, investigation, detec-
tion or prosecution of criminal offences or the execution of criminal
penalties, and the free movement of such data”, 1 December 2015,
11–12.
93
Thomas, Richard, “Accountability – a modern approach to regu-
lating the 21st century data environment” in Hijmans, Hielke and
Kranenborg, Herke (eds.), Data Protection Anno 2014: How to restore
trust? Contributions in honour of Peter Hustinx, European Data Protec-
tion Supervisor 2004–2014, Cambridge, Intersentia, 2014, 143.
94
Art. 3(11) defines this as “a breach of security leading to the ac-
cidental or unlawful destruction, loss, alteration, unauthorized
disclosure of, or access to, personal data transmitted, stored or oth-
erwise processed”.
95
European Data Protection Supervisor (EDPS), “Opinion of the Eu-
ropean Data Protection Supervisor on the data protection reform
package”, 7 March 2012, 62.
Please cite this article in press as: Thomas Marquenie, The Police and Criminal Justice Authorities Directive: Data protection standards and impact on the legal framework,
Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.03.009
11
result in significant damage to all parties96, the notification must
take place without undue delay and, if feasible, within 72 hours
or accompanied with reasons for the delay, and shall include
a description of the data breach and other relevant informa-
tion. Additionally, if it is determined that the breach is likely
to result in a high risk to the rights and freedoms of natural
persons, article 31 requires the data controller to also inform
the data subject by describing the nature of the breach and
disclosing certain relevant information. However, if the con-
troller takes subsequent steps to prevent the high risk from
materializing or protectionary measures render the data un-
intelligible, this communication to the data subject shall no
longer be necessary.
It is without doubt that the introduction of detailed rules
on data security marks a significant improvement over the pre-
vious legal framework in this area. The strict obligations on data
controllers to ensure data security and notify data breaches
to the supervisory authorities and, in certain instances, the data
subjects, promote further transparency, security and integ-
rity of criminal investigations. While earlier versions of the
Directive included shorter time limits and more stringent ob-
ligations than the current text, the final provisions recognize
practical difficulties and set out a realistic and satisfactory duty
to notify and address data breaches as part of the improved
framework97.
However, it is regrettable that the originally included pos-
sibility for the Commission to adopt implementing acts
specifying the abovementioned requirements and setting out
common encryption standards has been removed in the final
version of the Directive. And while the existence of different
notifications to the supervisory authority and individuals has
been well received, some regret the lack of a distinction between
different categories of data subjects98 and the choice for the
requirement of “likely to result in a high risk”99 rather than the
less restrictive “likely to adversely affect” used in other data
protection instruments100.
Nonetheless, the establishment of basic security require-
ments and a duty of notification deserves praise and is set to
assist in making data processing activities more secure and
transparent.
96
Article 29 Data Protection Working Party (Working Party 29),
“Opinion 03/2014 on Personal Data Breach Notification”, 25 March
2014.
97
Wong, Rebecca, Data Security Breaches and Privacy in Europe,
Springer, London, 2013, 31–35.
98
Article 29 Data Protection Working Party (Working Party 29),
“Opinion 03/2015 on the draft directive on the protection of indi-
viduals with regard to the processing of personal data by competent
authorities for the purposes of prevention, investigation, detec-
tion or prosecution of criminal offences or the execution of criminal
penalties, and the free movement of such data”, 1 December 2015,
12.
99
Article 29 Data Protection Working Party (Working Party 29), “Ap-
pendix to prior opinions and statements – Core topics in view of trilogue”,
17 June 2015, 16–17.
100
Commission Regulation (EU) No 611/2013 of 24 June 2013 on the
measures applicable to the notification of personal data breaches
under Directive 2002/58/EC of the European Parliament and of the
Council on privacy and electronic communications, O.J. L173, 26
June 2013.
 ARTICLE IN PRESS
12 computer law & security review ■■ (2017) ■■–■■
3.5. Oversight mechanisms
3.5.1. Data protection officers
Under articles 32 through 34 of the Directive, data controllers
must appoint a publicly designated Data Protection Officer (DPO)
to assist in the protection of personal data. These officers are
required to be involved in all issues relating to data protec-
tion in a proper and timely manner, and be provided with the
necessary resources to carry out their tasks effectively. Among
these tasks are the informing and advising of the controller,
monitoring compliance with data protection legislation, par-
ticipating in data protection impact assessments, cooperating
with supervisory authorities and acting as a contact point for
data subjects and other actors with concerns related to data
protection.
While the introduction of highly qualified DPO’s contrib-
utes to a higher degree of data protection expertise and closer
compliance with data protection rules101, the fact that courts
and other judicial authorities may be exempt from this obli-
gation creates a potentially problematic situation where such
actors may not be assisted by a data protection expert in the
exercise of their duties. Furthermore, the considerable differ-
ences between the Directive and the GDPR102 as well as the lack
of rules on independence, confidentiality and conflicts of in-
terest are regrettable and could erode the effectiveness of the
data protection officers.
3.5.2. Supervisory authorities
The sixth chapter of the Directive establishes independent su-
pervisory authorities. According to article 41, these authorities
shall monitor the national application of the Directive, ensure
the protection of human rights and facilitate the flow of per-
sonal data within the EU by assisting and cooperating with the
Commission and authorities of other member states. These
oversight bodies shall exist at the national level and are to be
completely independent from external influence, which is the
result of recent developments in CJEU case law103 and is to be
enforced by a number of safeguards and conditions on their
establishment and functioning found in articles 42 through 44.
For the fulfilment of their duties described in article 46, it is
required under article 47 that the authorities are granted
101
European Data Protection Supervisor (EDPS), “Opinion of the Eu-
ropean Data Protection Supervisor on the data protection reform
package”, 7 March 2012, 63.
102
Art. 38 General Data Protection Regulation.
103
In the Germany v. Commission case, the CJEU states that “in the
light of the foregoing, the second subparagraph of Article 28(1) of
Directive 95/46 is to be interpreted as meaning that the supervi-
sory authorities responsible for supervising the processing of
personal data outside the public sector must enjoy an indepen-
dence allowing them to perform their duties free from external
influence. That independence precludes not only any influence ex-
ercised by the supervised bodies, but also any directions or any other
external influence, whether direct or indirect, which could call into
question the performance by those authorities of their task con-
sisting of establishing a fair balance between the protection of the
right to private life and the free movement of personal data.” See:
CJEU, Germany v. European Commission, Case C–518/07, 9 March 2010,
para. 30.
Please cite this article in press as: Thomas Marquenie, The Police and Criminal Justice Authorities Directive: Data protection standards and impact on the legal framework,
Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.03.009
effective advisory, investigative and corrective powers to advise
institutions and controllers, obtain all necessary information
and correct data controller activities violating the provisions
of the Directive.
The addition of a more detailed and well-regulated over-
sight mechanism similar to that in the GDPR104 has been well
received as a major improvement over the 2008 Framework
Decision105 as effective supervision has increasingly been con-
sidered a highly important aspect of data protection106. The
introduction of these supervisory authorities is expected to
foster accountability, strengthen data subject rights and improve
the oversight of data controllers.
However, certain aspects of these provisions are still cause
for concern. The authorities’ competence set out in article 45
shall not include the supervision of processing operations of
courts which are acting in their judicial capacity, and it is up
to the member states’ discretion whether to extend the au-
thorities’ competence to independent judicial authorities other
than courts when acting in their judicial capacity107. Despite
it being understandable why these authorities would be exempt
from supervision, the broad scope of the exception can be con-
sidered unfortunate as judicial authorities too can benefit from
data protection standards108. Additionally, while the sug-
gested powers of issuing warnings, imposing limitations on
processing and ordering the controller to comply with the Di-
rective in a specified manner within a certain time period could
be considered effective, they have been the subject of criti-
cism for not being sufficiently compulsory and inadequate when
compared to the much more compelling provisions in the
GDPR109. As such, some fear that this might lead to a frag-
mented landscape of differently empowered supervisory
authorities that would undermine their effectiveness and hinder
efficient cooperation110.
104
Chapter VI General Data Protection Regulation.
105
Article 29 Data Protection Working Party (Working Party 29),
“Opinion 01/2013 providing further input into the discussions on
the draft Police and Criminal Justice Data Protection Directive”, 26
February 2013, 5.
106
Article 29 Data Protection Working Party (Working Party 29), “Joint
statement of the European Data Protection Authorities assembled
in the Article 29 Working Party”, 26 November 2014, 2.
107
Recital 80 gives the example of the public prosecutor’s office
which, while technically not a court, could still fall outside of the
competence of the supervisory authorities if the member state so
wishes.
108
For more on how data protection standards could contribute
to the effectiveness of the judiciary, see: Buttarelli, Giovanni, “Data
protection in the area of freedom, security and justice: chal-
lenges for the judiciary” in Hijmans, Hielke and Kranenborg, Herke,
(eds.), Data Protection Anno 2014: How to restore trust? Contributions
in honour of Peter Hustinx, European Data Protection Supervisor 2004–
2014, Cambridge, Intersentia, 2014, 59–65.
109
European Data Protection Supervisor (EDPS), “Opinion of the Eu-
ropean Data Protection Supervisor on the data protection reform
package”, 7 March 2012, 66.
110
Article 29 Data Protection Working Party (Working Party 29),
“Opinion 01/2013 providing further input into the discussions on
the draft Police and Criminal Justice Data Protection Directive”, 26
February 2013, 6.
 ARTICLE IN PRESS
computer law & security review ■■ (2017) ■■–■■
3.5.3. The European Data Protection Board
The European Data Protection Board (EDPB) established by the
GDPR111 shall perform a number of tasks such as promoting
cooperation between supervisory authorities, advising the Com-
mission and issuing guidelines for the purpose of contributing
to the consistent application of the Directive. Due to the rela-
tively broad scope of its tasks, the Board could make significant
contributions to the clarification of a number of provisions and
promote a uniform and comprehensive implementation of the
Directive. However, contrary to the more detailed rules found
in the GDPR, article 51 does not assign the EDPB a central role
in the field of law enforcement112, nor does it provide proce-
dural rules regarding time limits or the frequency of the
performance of these tasks. As such, there is little certainty
on when and to what extent certain parts of the Directive will
be further elaborated on, making the lack of more stringent
guidelines and procedures regrettable.
3.6. International data transfers
On the topic of the transfer of personal data to third coun-
tries and international organizations, the fifth chapter of the
Directive introduces a tiered system of data exchanges. First,
a number of general principles are set out in article 35. The
transfer of personal data to third countries must be neces-
sary for the processing purposes of the Directive and can only
take place when the conditions described hereafter are met.
The transmitting and receiving controllers must be compe-
tent authorities, and the transferring member states must
authorize further onward transfers to other third countries or
organizations after considering relevant factors. If data origi-
nating from a different member state is transmitted, the
member state from which the data originated must autho-
rize the transfer unless it would prove necessary for the
prevention of an immediate or serious threat to public secu-
rity. Additionally, article 40 sets out a number of basic rules
to promote international cooperation and facilitate the ex-
change of information by determining the appropriate steps
to a more inclusive and comprehensive data protection frame-
work for international exchanges.
Article 36 describes the first situation in which data can
be transferred to a third country, namely when the European
Commission has issued an adequacy decision establishing
that this nation offers sufficient safeguards for the protec-
tion of European personal data. In absence of such an adequacy
decision, article 37 determines that it falls upon the transfer-
ring country to ensure that adequate data protection standards
exist in the country receiving the data, either by confirming
that a legally binding instrument provides appropriate guar-
antees or by assessing all relevant circumstances surrounding
the transfer and concluding that such safeguards are
111
Art. 68 General Data Protection Regulation.
112
Eurojus Rivista Italy, “Balance between security and fundamen-
tal rights protection: an analysis of the Directive 2016/680 for data
protection in the police and justice sectors and the Directive 2016/
681 on the use of passenger name records (PNR)”, 24 May 2016.
Please cite this article in press as: Thomas Marquenie, The Police and Criminal Justice Authorities Directive: Data protection standards and impact on the legal framework,
Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.03.009
13
effectively present113. With no adequacy decision or appropri-
ate safeguards in place, article 38 states that data may only
be transferred to third countries when necessary to protect
vital interests of a person, safeguard legitimate interests of
the data subject or prevent immediate and serious threats to
public security.
As for the transfer of data directly to private recipients in
third countries, article 39 determines that such a transfer can
only be allowed in individual and specific cases where certain
conditions are met. Among others, the transferring authority
must determine that the rights of the data subject do not out-
weigh the public interests necessitating the transmission and
that transferring the information to a competent authority
would be ineffective or inappropriate114. Additionally, the su-
pervisory authority must be notified and the recipient must
be instructed only to process the information when neces-
sary. Finally, the transfer must be documented and strictly
necessary for the performance of the tasks of the transfer-
ring authority for the purposes of the Directive.
It is clear that the establishment of these procedures and
cascading rules for data exchanges with third countries marks
a step forward in the international cooperation of law enforce-
ment and judicial authorities115. The closer engagement of the
supervisory authorities, the introduction of clear criteria for
the issuing of adequacy decisions and the further involve-
ment of the European Commission conducting in-depth
analyses and reviews will likely create a more secure environ-
ment for the efficient and safe exchange of personal data116.
113
As suggested by recital 71 of the Directive, this assessment might
include cooperation agreements concluded between Europol or
Eurojust and third countries, confidentiality obligations, the imple-
mentation of the principle of specificity and whether the data might
be used to support any form of cruel and inhuman treatment.
114
Recital 73 of the Directive reveals that this is particularly the
case when “the transfer could not be carried out in a timely manner,
or because that authority in the third country does not respect the
rule of law or international human rights norms and standards”
or where “there is an urgent need to transfer personal data to save
the life of a person who is in danger of becoming a victim of a crimi-
nal offence or in the interest of preventing an imminent perpetration
of a crime, including terrorism”.
115
The fact that high data protection standards for the exchange
of personal data are a necessity in an increasingly globalized world
has been stressed by data protection authorities and the Euro-
pean Court of Justice. For more, see: CJEU, Maximilian Schrems v Data
Protection Commissioner, Case C-362/14, O.J. C351, 6 October 2014; Eu-
ropean Commission, “Communication from the Commission to the
European Parliament, The Council, The European Economic and
Social Committee and the Committee of the Regions: Safeguard-
ing Privacy in a Connected World. A European Data Protection
Framework for the 21st Century”, Brussels, 25 January 2012, 11.
116
Naturally, the effectiveness of these safeguards depends on how
diligently the European Commission analyses the data protection
standards in the law enforcement sector of the receiving country.
While the EDPS has suggested that this evaluation is to take account
of all circumstances and recital 68 requires the Commission to co-
operate with the European Data Protection Board, concerns remain
that political considerations rather than actual data protection stan-
dards will dictate the establishment of adequacy decisions. For more,
see: De Busser, Els, “EU data protection in transatlantic coopera-
tion in criminal matters. Will the EU be serving its citizens an
American meal?”, Utrecht Law Review 2010, Vol. 6, Issue 1, 92–93.
 ARTICLE IN PRESS
14 computer law & security review ■■ (2017) ■■–■■
However, some aspects of these provisions do raise further
concerns117. The vague provisions on the establishment of ap-
propriate safeguards by the transferring country allow for
member states to implement and employ divergent ad-
equacy standards. Contrary to earlier version of the texts which
required the authorization of a supervisory authority118, an im-
mediate threat to public security, or the existence of a need
to protect vital interests of the data subject, the final version
of the Directive sets out no strict criteria or guidelines for the
member states’ assessment of data protection standards in third
countries119. This is regrettable, as such a lack of implement-
ing protocols could lead to divergent national implementations
and transfers to countries with lower data protection stan-
dards than originally envisioned120.
Similar complaints can be raised about the transfer of data
when adequacy decisions or appropriate safeguards are
absent121. Because of the vague wording and broad scope of ap-
plication, concerns have been raised 122 about divergent
interpretations of these conditions and the potential use of the
“for individual cases for the purposes set out in article 1(1)”
as a catch-all clause to transfer information for a large number
of reasons and without proper data protection standards in
place. As calls for the strictly necessary and restrictive appli-
cation of this provision can only be found in the non-binding
recitals of the Directive123, and the obligation to provide docu-
mentation of the transfers to supervisory authorities only exists
upon request by the authorities themselves, this procedure is
unlikely to make sufficient contributions to the envisioned com-
prehensive and uniform regime on the transferring of
information covered by strong data protection safeguards.
3.7. Remedies, liability and penalties
In line with the GDPR, the eight chapter of the Directive in-
troduces new mechanisms for the enforcement of its provisions.
In addition to the abovementioned methods of oversight and
supervision, it establishes a set of remedies, liabilities and
117
European Data Protection Supervisor (EDPS), “Opinion of the Eu-
ropean Data Protection Supervisor on the data protection reform
package”, 7 March 2012, 64.
118
Art. 35(2) European Parliament Version of the Proposal of the
Police and Criminal Justice Directive.
119
The lack of safeguards and conditions to ensure transfers to en-
tities providing equally strong and adequate data protection
standards becomes especially clear when comparing the provi-
sions of the Directive to those of the GDPR. Article 46 of the GDPR
sets out stronger safeguards and detailed guidelines to aid the ad-
equacy assessment by data controllers, including the close
involvement of supervisory authorities, which are not present in
the final version of the Directive.
120
De Busser, Els, “Transatlantic adequacy and a certain degree of
perplexity”, The Art of Crime: European Criminal Law, February 2012.
121
European Union Agency for Fundamental Rights, “Opinion of
the European Union Agency for Fundamental Rights on the pro-
posed data protection reform package”, 1 October 2012, 11.
122
Colonna, Liane, “The new EU proposal to regulate data protec-
tion in the law enforcement sector: raises the bar but not high
enough”, IRI Promemoria 2012, Issue 2, 9.
123
Recital 72 Directive Police and Criminal Justice Directive.
Please cite this article in press as: Thomas Marquenie, The Police and Criminal Justice Authorities Directive: Data protection standards and impact on the legal framework,
Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.03.009
penalties to enforce proper adherence to its provisions and
rules. Under the Directive, data subjects are granted a number
of opportunities to safeguard their rights. Following article 52,
a data subject who considers that the processing of personal
data relating to him or her infringes on the Directive shall be
able to lodge a complaint with a supervisory authority, which
shall then evaluate and investigate the complaint before in-
forming the data subject of the process and the outcome
thereof. Additionally, articles 53 and 54 grant the data subject
the right to an effective judicial remedy against both the su-
pervisory authority on the one hand, and the data controllers
and processors on the other. This allows them to obtain judi-
cial review of all binding decisions of the supervisory authority,
including the exercise of the abovementioned investigative, cor-
rective or authorization powers as well as the rejection of
complaints, and to receive a thorough assessment of the le-
gality of data processing activities conducted by controllers and
processors.
Supplementing the above, article 55 provides these data sub-
jects with the opportunity to have their rights exercised on their
behalf by a not-for-profit organization with statutory objec-
tives in the public interest, which is set to relieve the
administrative and practical burden capable of preventing some
data subjects from otherwise seeking remedies. In the event
that unlawful processing operations do occur, articles 56 and
57 state that member states must recognize the data sub-
jects’ ability to seek redress for material and non-material
damages caused, and are to penalize and effectively address
infringements of the new data protection rules by imposing
penalties on both natural and legal persons which are effec-
tive, proportionate and dissuasive.
These remedies, liabilities and penalties imposed by the Di-
rective are set to support the enforcement of data subject
rights124. The existence of a complaint mechanism involving
an independent institution and the judicial review of the actions
of the supervisory authority as well as the data controllers and
processors empowers the data subjects and grants them in-
creased control over their personal data. Additionally, the fact
that penalties for infringements are to be effective, propor-
tionate and dissuasive should be seen as a clear and
unmistaken obligation for the member states to effectively sanc-
tion violations of data protection rules, making this an
important chapter set to support data subjects and enforce the
provisions of the Directive.
3.8. Implementing acts and final provisions
The final two chapters of the Directive cover implementing and
closing acts. According to article 58, a committee procedure shall
be established to assist the Commission in the exercise of its
new tasks of issuing adequacy decisions and adopting further
implementing acts. Additionally, it is determined by article 62
124
Article 29 Data Protection Working Party (Working Party 29),
“Opinion 03/2015 on the draft directive on the protection of indi-
viduals with regard to the processing of personal data by competent
authorities for the purposes of prevention, investigation, detec-
tion or prosecution of criminal offences or the execution of criminal
penalties, and the free movement of such data”, 1 December 2015,
16.
 ARTICLE IN PRESS
computer law & security review ■■ (2017) ■■–■■
that the Commission shall submit a report on the evaluation
and review of the Directive every four years after its transpo-
sition. Following article 63, the national transposition and
implementation of the Directive must take form within two
years after its adoption, meaning that the current deadline is
set on the 6th of May 2018 while allowing for an extension for
certain automated processing systems. While moderately
delayed from the ambitious original time schedule125, the fact
that the Directive is on the same track as the GDPR and is
treated as a worthwhile counterpart in the data protection
reforms is a satisfactory outcome to the legislative process126.
The provision regarding the Commission reports is without
doubt the most notable part of this section. As the legal in-
strument in question is merely a Directive, some of the most
serious concerns relate to the potentially uneven national imple-
mentation and widely divergent interpretations of key concepts
and clauses. While regrettably not taking place as soon as some
had hoped for127, this review of existing European instru-
ments could help improve consistency between data processing
at the level of member states and European agencies.
Less satisfactory, however, are the closing articles 59 through
61 which determine the Directive’s relationship with existing
legal instruments. While the predecessor of the Directive, being
Framework Decision 2008/977/JHA, will be repealed in 2018, other
existing instruments are left entirely unaffected. It is highly
regrettable that already existing Union legal acts in the field of
police and judicial cooperation in criminal matters remain un-
altered and that no concrete steps to address possible disparities
are set to be taken. Additionally, international agreements
between member states and third countries or organizations
in compliance with Union law before the data protection reforms
shall remain in force until amended, replaced or revoked. While
earlier versions required these agreements to be amended and
brought in line with the new data protection rules within five
years after the entry into force of the Directive, the current text
contains no such obligation. By allowing such agreements based
on outdated and possibly inadequate data protection rules to
remain in existence, it is possible that they shall result in the
circumvention and erosion of the newly devised and stronger
data protection standards128.
125
Originally, a final agreement on the Directive was foreseen for
the year 2013. As it became clear that such a schedule was overly
ambitious, the Directive’s finalization was delayed to 2014 and con-
sequently 2015. In the end, a final agreement on the Directive was
not reached until the trilogues in December 2015, almost three years
after the originally envisioned date.
126
European Data Protection Supervisor (EDPS), “Opinion of the Eu-
ropean Data Protection Supervisor on the data protection reform
package”, 7 March 2012.
127
European Data Protection Supervisor (EDPS), “Opinion 6/2015
– a further step towards comprehensive EU data protection: EDPS
recommendations on the Directive for data protection in the police
and justice sectors”, 28 October 2015, 9.
128
Article 29 Data Protection Working Party (Working Party 29),
“Opinion 03/2015 on the draft directive on the protection of indi-
viduals with regard to the processing of personal data by competent
authorities for the purposes of prevention, investigation, detec-
tion or prosecution of criminal offences or the execution of criminal
penalties, and the free movement of such data”, 1 December 2015,
16.
Please cite this article in press as: Thomas Marquenie, The Police and Criminal Justice Authorities Directive: Data protection standards and impact on the legal framework,
Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.03.009
15
4. Conclusion
It is without doubt that the Directive constitutes a major step
forward for the EU data protection regime. For the first time in
the history of the Union, data protection in the previous third
pillar area of police and judicial cooperation in criminal matters
shall largely be covered by a single legal instrument with direct
effect in national legal systems. By including purely domestic
law enforcement and judicial activities, acknowledging and
building upon fundamental data processing principles through
the introduction of new safeguards, and recognizing recent
changes in technology and data processing methods, the Di-
rective vastly improves upon the situation under the previous
Framework Decision. Among others, the expansion of estab-
lished definitions, the introduction of distinctions between
categories of data and data subjects, and the inclusion of matters
like access rights, DPIA’s, judicial review, complaint lodging
mechanisms, standards for transfers to third countries and in-
dependent supervision measures all contribute to a more
effective and adequate data processing regime in this field.
However, a number of issues could undermine the consid-
erable potential of this Directive. While the regulation and
recognition of the abovementioned themes are a welcome ad-
dition to the European legal framework in this domain, their
effectiveness greatly depends on the existence of a high level
of substantive safeguards and the adequate implementation
thereof at the national level.
As numerous concerns regarding the substantive level of
data protection in the Directive have been raised, it remains
to be seen to what extent the ambitious objectives of the data
protection reform shall be achieved. In particular, the lack of
detailed criteria and stringent guidelines on the application of
numerous provisions and general notions such as necessity,
appropriateness and proportionality are cause for concern.
Despite major improvements made over the original Commis-
sion proposal of 2012, the final version of the Directive still
maintains a number of vague provisions open to interpreta-
tion and at times establishes low or inadequate data protection
standards when compared to the GDPR. While the newly formed
European Data Protection Board (EDPB) is tasked with issuing
guidelines on the consistent application of the Directive and
the European Commission shall issue reports and, if neces-
sary, proposals for amendments every four years, it remains
to be seen whether this will suffice to achieve a comprehen-
sive framework. Equally regrettable is the fact that the European
legislator took seemingly little notice of the already existing
and extensive collection of instructions issued by WP29 and
the EDPS, and neglected to incorporate certain ground rules
established by the Council of Europe in its data protection Con-
vention and Recommendations.
As for the role of the Directive in the legal framework and
its impact thereon, several remarks need to be made. While
introducing a more comprehensive instrument is commend-
able, the choice for a Directive, which allows for divergent
national safeguards and different interpretations of certain pro-
visions, over the inclusion in the GDPR or a regulation of its
own is questionable in the light of certain discrepancies between
the GDPR and the Directive which generally confer a stron-
ger level of data protection in the general and commercial
 ARTICLE IN PRESS
16 computer law & security review ■■ (2017) ■■–■■
sectors than in the area of police and criminal justice. In ad-
dition to the strong possibility of considerably divergent national
implementations of the Directive, the lack of a clear policy on
data protection in Union bodies does little to address the current
patchwork of legislation. By allowing both existing Union acts
on data protection in this field and previously concluded in-
ternational agreements to remain in effect without establishing
a definite approach to this issue, the Directive does not appear
fully capable of addressing the fragmentation and inconsis-
tencies of the current framework.
To conclude, it appears that while undoubtedly a consid-
erable improvement and major step forward for the protection
of personal data in its field, the Directive on the processing of
personal data by police and criminal justice authorities is un-
likely to mend the fragmented legal framework and achieve
the intended high level of data protection standards consis-
tent across European Union member states.
Acknowledgment
This article is a shortened and updated version of an LL.M thesis
prepared under the supervision of Prof. Eva Lievens and Prof.
Peggy Valcke in the context of the KU Leuven Advanced Master
of Intellectual Property and IT Law in Brussels. The text has
been revised and updated in the context of the VALCRI project
(Visual Analytics for Sense-making in Criminal Intelligence
Analysis), an Integrating Project funded through the Euro-
pean Commission’s 7th Framework Programme, Contract
Number FP7-IP-608142.
REFERENCES
Alonso Blas D. The proposed Directive on data protection in the
area of police and justice: a closer look – the omission of
Europol and Eurojust from the draft Directive. In: ERA
Conference: data protection in the area of European criminal
justice today – speakers’ contributions. Trier: 2012 5–6
November.
Bäcker M, Hornung G. Data processing by police and criminal
justice authorities in Europe – the influence of the
Commission’s draft on the national police laws and laws of
criminal procedure. Comput Law Secur Rev 2012;28(6):
627–33.
Boehm F. Information sharing and data protection in the area of
freedom, security and justice – towards harmonised data
protection principles for information exchange at EU-level.
Heidelberg: Springer; 2012.
Braum S, Covolo V. From proven fragmentation to guaranteed
data protection within the virtual criminal law enforcement
area: a report on personal data protection within the
framework of police and judicial cooperation in criminal
matters. In: Ligeti K, editor. Toward a prosecutor for the
European Union: a comparative analysis, vol. 1. Oregon:
Bloomsbury Publishing; 2013. p. 1011–46.
Brunazzo M. Burial or resurrection? The fate of EU “pillars” after
Lisbon. In: SISP annual congress. 2010 16 September.
Buttarelli G. The EU’s data protection for police and justice: need
for robust reform. In: ERA conference: data protection in the
Please cite this article in press as: Thomas Marquenie, The Police and Criminal Justice Authorities Directive: Data protection standards and impact on the legal framework,
Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.03.009
area of European criminal justice today – speakers’
contributions. Trier: 2012 5–6 November.
Buttarelli G. Data protection in the area of freedom, security and
justice: challenges for the judiciary. In: Hijmans H,
Kranenborg H, editors. Data protection anno 2014: how to
restore trust? Contributions in honour of Peter Hustinx,
European data protection supervisor 2004–2014. Cambridge:
Intersentia; 2014.
CJEU, Promusicae, C-275/06, 29 January 2008.
CJEU, Germany v. European Commission, Case C–518/07, 9 March
2010.
CJEU, Digital rights Ireland and Seitlinger and others, Joined
Cases C-293/12 and C-594/12, O.J. C258, 8 April 2014.
CJEU, Maximilian Schrems v. Data Protection Commissioner,
Case C-362/14, O.J. C351, 6 October 2014.
Colonna L. The new EU proposal to regulate data protection in
the law enforcement sector: raises the bar but not high
enough. IRI Promemoria 2012;(2).
De Busser E. EU data protection in transatlantic cooperation in
criminal matters. Will the EU be serving its citizens an
American meal? Utrecht Law Rev 2010; 6(1):86–100.
De Busser E. Transatlantic adequacy and a certain degree of
perplexity, The Art of Crime: European Criminal Law,
February 2012.
De Busser E, Vermeulen G. Towards a coherent EU policy on
outgoing data transfers for use in criminal matters? The
adequacy requirement and the framework decision on data
protection in criminal matters. A transatlantic exercise in
adequacy. In: Cools M, De Ruyver B, Easton M, Pauwels, L,
Ponsaers, P, Walle GV, et al., editors. EU and international
crime control: topical issues. Antwerpen: Maklu; 2010. p. 95–
122.
De Hert P. The new features of the draft Directive. In: ERA
conference: data protection in the area of European criminal
justice today – speakers’ contributions. Trier: 2012 5–6
November.
De Hert P. The data protection regime applying to the inter-
agency cooperation and future architecture of the EU criminal
justice and law enforcement area. In: KU Leuven workshop:
the directive for data protection in the police and justice
sectors: a significant step towards modern EU data
protection? 2016 1 February.
De Hert P, Papakonstantinou V. The data protection framework
decision of 27 November 2008 regarding police and judicial
cooperation in criminal matters – a modest achievement
however not the improvement some have hoped for. Comput
Law Secur Rev 2009;25(5).
De Hert P, Papakonstantinou V. The Police and Criminal Justice
Data Protection Directive: comment and analysis. Comput
Law Mag SCL 2012;22(6):21–5.
De Hert P, Papakonstantinou V. European Parliament
Directorate-General for Internal Policies: Policy Department
Citizens’ Rights and Constitutional Affairs – the data
protection regime applying to the inter-agency cooperation
and future architecture of the EU criminal justice and law
enforcement area, European Parliament, Brussels, November
2014.
Den Boer M. Calling for reform? The EU’s current data protection
framework in the field of criminal justice. In: ERA conference:
data protection in the area of European criminal justice today
– speakers’ contributions. Trier: 2012 5–6 November.
Dix A. EU data protection reform: opportunities and concerns.
Interecon 2013;48(5):268–85.
Eurojus Rivista Italy. Balance between security and fundamental
rights protection: an analysis of the Directive 2016/680 for
data protection in the police and justice sectors and the
Directive 2016/681 on the use of passenger name records
(PNR), 24 May 2016.
 ARTICLE IN PRESS
computer law & security review ■■ (2017) ■■–■■
European Commission. Communication from the Commission to
the European Parliament, The Council, The European
Economic and Social Committee and the Committee of the
Regions: Safeguarding Privacy in a Connected World. A
European Data Protection Framework for the 21st Century,
Brussels, 25 January 2012a.
European Commission. Press release – commission proposes a
comprehensive reform of data protection rules to increase
users’ control of their data and to cut costs for businesses,
Brussels, 25 January 2012b.
European Commission. Report from the Commission to the
European Parliament, the Council, the European Economic
and Social Committee and the Committee of the Regions
based on Article 29 (2) of the Council Framework Decision of
27 November 2008 on the protection of personal data
processed in the framework of police and judicial cooperation
in criminal matters, Brussels, 25 January 2012c, 8.
European Commission. Commission staff working paper –
impact assessment accompanying the document Regulation
of the European Parliament and of the Council on the
protection of individuals with regard to the processing of
personal data and on the free movement of such data
(General Data Protection Regulation) and Directive of the
European Parliament and of the Council on the protection of
individuals with regard to the processing of personal data by
competent authorities for the purposes of prevention,
investigation, detection or prosecution of criminal offences or
the execution of criminal penalties, and the free movement
of such data, SEC(2012)72, Brussels, 25 January
2012d.
European Commission. Special Eurobarometer 431 – data
protection, June 2015.
European Data Protection Supervisor (EDPS). Opinion of the
European Data Protection Supervisor on the data protection
reform package, 7 March 2012.
European Data Protection Supervisor (EDPS). Opinion 3/2015 –
Europe’s big opportunity: EDPS recommendations on the EU’s
options for data protection reform, 27 July 2015a (updated
with addendum, 9 October 2015).
European Data Protection Supervisor (EDPS). Opinion 6/2015 – a
further step towards comprehensive EU data protection: EDPS
recommendations on the Directive for data protection in the
police and justice sectors, 28 October 2015b.
European Digital Rights (EDRi). Data Protection Framework
Decision Adopted, EDRi-GRAM no. 7.3, 11 February 2009.
European Union Agency for Fundamental Rights. Opinion of the
European Union Agency for Fundamental Rights on the
proposed data protection reform package, 1 October
2012.
European Union Agency for Fundamental Rights. Handbook on
European data protection law, Luxembourg, Publications
Office of the European Union, June 2014.
Galetta A, De Hert P. Increasing Resilience in Surveillance
Societies (IRISS) Deliverable D5: exercising democratic rights
under surveillance regimes – a European perspective on data
protection and access rights, May 2014.
Gayrel C, Robert R. Proposition de règlement sur la protection des
données – premiers commentaires. J de droit Européen
2012;(190).
Glon C. Data protection in the European Union: a closer look at
the current patchwork of data protection laws and the
proposed reform that could replace them all. Int J Legal
Inform 2014;42:471–88.
Hallinan D, Friedewald M, McCarthy P. Citizens’ perceptions of
data protection and privacy in Europe. Comput Law Secur Rev
2012;28(3):263–72.
Please cite this article in press as: Thomas Marquenie, The Police and Criminal Justice Authorities Directive: Data protection standards and impact on the legal framework,
Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.03.009
17
Hijmans H. The European Union as a constitutional guardian of
Internet privacy and data protection: the story of article 16
TFEU [Ph.D. thesis]. Short Summary, Faculty of Law – Institute
for Information Law; 2016.
Hijmans H, Scirocco A. Shortcomings in EU data protection in the
third and the second pillars. Can the Lisbon Treaty be
expected to help? Common Mark Law Rev 2009;46(5):1485–
525.
Article 29 Data Protection Working Party (Working Party 29). Joint
statement of the European Data Protection Authorities
assembled in the Article 29 Working Party, 26 November 2014.
Kasneci D. Data protection law: recent developments [Ph.D.
thesis]. Trieste University; 2008–09.
Korff D. EC study on implementation of data protection directive
– report on the findings of the study, July–September 2002.
Le Métayer D. Privacy by design: a matter of choice. In: Gutwirth
S, Poullet Y, De Hert P, editors. Data protection in a profiled
world. Dordrecht: Springer; 2010.
Ministry of Justice of the UK. Government response to Justice
Select Committee’s opinion on the European Data Protection
framework proposals, January 2013.
Nunzi A. Exchange of information and intelligence among law
enforcement authorities – a European Union perspective. Int
Rev Penal Law 2007;78:143–51.
Article 29 Data Protection Working Party (Working Party 29).
Opinion 01/2013 providing further input into the discussions
on the draft Police and Criminal Justice Data Protection
Directive, 26 February 2013.
Article 29 Data Protection Working Party (Working Party 29).
Opinion 03/2013 on purpose limitation, 2 April 2013.
Article 29 Data Protection Working Party (Working Party 29).
Opinion 01/2014 on the application of necessity and
proportionality concepts and data protection within the law
enforcement sector, 27 February 2014.
Article 29 Data Protection Working Party (Working Party 29),
Appendix to prior opinions and statements – core topics in
view of trilogue, 17 June 2015.
Article 29 Data Protection Working Party (Working Party 29).
Opinion 03/2015 on the draft directive on the protection of
individuals with regard to the processing of personal data by
competent authorities for the purposes of prevention,
investigation, detection or prosecution of criminal offences or
the execution of criminal penalties, and the free movement
of such data, 1 December 2015.
Pagallo U. Online security and the protection of civil rights: a
legal overview. Philos Technol 2013;26(4):381–95.
Reding V. The upcoming data protection reform for the European
Union. Int Data Privacy Law 2011;1(1):3–5.
Reding V. The European data protection framework for the
twenty-first century. International Data Privacy Law
2012;2(3):119–29.
Taylor M. Conference report – ‘safeguarding the right to data
protection in the EU’, 30th and 31st October 2014, Paris,
France. Utrecht J Int Eur Law 2015;31(80):145–52.
Thomas R. Accountability – a modern approach to regulating the
21st century data environment. In: Hijmans H, Kranenborg H,
editors. Data protection anno 2014: how to restore trust?
Contributions in honour of Peter Hustinx, European data
protection supervisor 2004–2014. Cambridge: Intersentia;
2014.
Wong R. Data security breaches and privacy in Europe. London:
Springer; 2013. p. 31–5.
Zerdick T. Status and scope of implementation of FD 2008/977/
JHA. In: ERA conference: data protection in the area of
European criminal justice today – speakers’ contributions.
Trier: 2012 5–6 November.