Catherine Jasserand

European Data Protection Law Review, Volume 9 (2023), Issue 4, Page 430 - 443

This article discusses whether the deployment of facial recognition technologies for surveillance and policing purposes is necessary in democratic public spaces, taking into account the tests of necessity as established by the European Court of Human Rights and the European Court of Justice in interpreting the limits to the fundamental rights to privacy and data protection. The article focuses, in particular, on the rules proposed by the European Commission in the future AI Act aimed at regulating the use of Remote Biometric Identification systems (RBIs). This generic term ‘RBI’ covers multiple biometric applications, including facial recognition technologies. In its legislative proposal, the European Commission proposed banning the live use of the technologies, except in three situations. The Council agreed with the proposal, while the European Parliament proposed to ban all uses by all actors, except the retrospective use by law enforcement authorities to prosecute specific serious crimes after judicial authorisation. Using the tests developed by the two Courts and the guidance of the European Data Protection Supervisor on necessity, the article assesses whether the proposed rules on RBIs stand the legal test of necessity. Keywords: FRTs, AI Act, law enforcement, necessity, proportionality

Michael O’Flaherty

European Data Protection Law Review, Volume 6 (2020), Issue 2, Page 170 - 173

Thilo Gottschalk

European Data Protection Law Review, Volume 6 (2020), Issue 1, Page 21 - 40

Law enforcement increasingly relies on complex machine learning approaches to support investigations. With limited knowledge and funding LEAs often depend on opaque private-public collaborations. Failure to provide legal bases on the national level paired with shortcomings both in the GDPR and Directive EU-2016/680 (LED) result in severe risks for fundamental rights of EU citizens. To overcome these risks an interdisciplinary discussion is required. This paper hence sheds light on technical challenges and misconceptions as well as legal shortcomings to foster a common understanding of the challenges to find out how they might be addressed. To do so, the author searches for common ground of ‘public availability’ and reviews currently used technical approaches and common processing constellations. Based on the outcomes, the author proposes a change in the LED and discusses a centralised institution to govern access to novel data driven technology. Keywords: law enforcement; public-private partnership; data protection; GDPR; LED

Sara Roda

European Data Protection Law Review, Volume 6 (2020), Issue 1, Page 66 - 83

By 25 May 2020, the European Commission is obliged to conduct a full review of the Passenger Name Record (PNR) Directive and provide a comprehensive report to the European Parliament and the Council on seven key aspects of the said Directive. These range from an assessment of the necessity and proportionality for collecting and processing PNR data in relation to each of the Directive’s purposes, to the length of the data retention period, and even the effectiveness of exchanging information among Member States, including statistical information on the number of passengers whose PNR data has been collected, exchanged or identified for further examination. The review could lead the European Commission to present a legislative proposal to amend the PNR Directive which could either reinforce, maintain or dilute the EU PNR system. More recently, two not-for-profit associations have legally challenged the national PNR schemes based on the PNR Directive. This paper questions the validity of certain provisions of the Directive in light of Opinion 1/15 of the Court of Justice of the European Union of 26 July 2017 concerning the EU-Canada PNR Agreement. It also calls on the European Commission, as guardian of the EU Treaties and of EU law, to conform the PNR Directive to the Luxembourg Court case-law on mass data retention schemes, taking advantage of the review momentum. Keywords: CJEU; Opinion 1/15; Directive 2016/681; data protection; PNR; law enforcement; data retention; Articles 7 and 8 of the Charter of Fundamental Rights

Mark Leiser, Bart Custers

European Data Protection Law Review, Volume 5 (2019), Issue 3, Page 367 - 378

The Law Enforcement Directive (EU Directive 2016/680) has been heralded for its role in building a high level of data protection in criminal law. Data processed for ‘law enforcement purposes’ by ‘competent authorities’ must comply with principles of necessity, proportionality and legality, while ensuring appropriate safeguards in place for data subjects. However, there is ambiguity as to how the LED should work in practice due to several conceptual issues that the LED raises. This paper discusses three conceptual issues: consent, the categorisation of witnesses, suspects and victims, and the categorisation of facts versus opinions. Keywords: Law Enforcement Directive, Fundamental Rights, Consent, Law Enforcement Data, Directive 2016/680