On 25 January 2012 the European Commission proposed a uniform legal framework for providing legal certainty on data protection. This includes a Regulation (the Proposed Regulation) with general rules on data protection that would modernise and further harmonise the data protection regime created by the Data Protection Directive (95/46/EC) and a Directive (the Proposed Directive) with specific data protection rules for the law enforcement sector.

The Proposed Directive has been met with critical reviews, with the European Data Protection Supervisor (EDPS) taking the view that the Proposed Directive does not meet the requirement of a consistent and high level of data protection and the Article 29 Data Protection Working Party (WP29) stating that it was “disappointed by the Commission’s level of ambition and [the WP29] underlines the need for stronger provisions.” This lack of high level data protection is troubling because in the context of law enforcement citizens may be put at particular risk due to the likely processing of sensitive personal data.

In its analysis of the Proposed Directive, Privacy International is principally concerned that (i) the rights of data subjects are significantly weaker than they would be under the Proposed Regulation; (ii) data controllers are subject to fewer and vaguer obligations than they would be under the Proposed Regulation; (iii) there is no mention of preventing transfers of data to non-competent authority recipients; and (iv) supervisory authorities have disproportionately limited powers in comparison to their peers under the Proposed Regulation.

In many instances there does not appear to be any justification for departing from the rules provided in the proposed Regulation. Privacy International has therefore called for improvements to the articles of the Proposed Directive to rectify their concerns and to ensure that it is more comprehensive and in tune with the Proposed Regulation in the Commission’s proposal.