Perspectives for the Protection of Personal Data in Criminal Proceedings in the European Union and Repercussions on the Italian Legal System

© Springer International Publishing Switzerland 2015
Stefano Ruggeri (ed.)Human Rights in European Criminal Law10.1007/978-3-319-12042-3_13

New Perspectives for the Protection of Personal Data in Criminal Proceedings in the European Union and Repercussions on the Italian Legal System

Federica Crupi 

Department of Law, University of Messina, Piazza Pugliatti n. 1, 98100 Messina, Italy



Federica Crupi


This paper seeks to examine, after a brief overview of current EU legislation on personal data protection in the field of judicial cooperation in criminal matters, the European Commission’s proposal for a directive on the protection of individuals with regard to the processing of personal data by competent authorities for the prevention, investigation, detection, and prosecution of criminal offenses or the execution of criminal penalties.

This proposal, if approved, will be the source of Community law governing the use and exchange of information relating to such data between the Member States as well as—and this is a significant change from the past—their use by individual national authorities.

The exchange of information is in fact becoming, more than ever, an indispensable tool in the prevention and suppression of crime.

The circulation of information, however, must be balanced against the need for privacy, a principle now enshrined in the EU’s Treaties and Charters.

Therefore, after having carried out an analysis of the Directive proposal, we highlight its critical aspects.

Finally, we look at the Italian legal system to understand how the new EU regulatory framework may be transposed into the legislation of a Member State and whether or not domestic legislation complies with EU regulations.

Judicial cooperationPrivacyRegulatory harmonizationSecurity

1 Introduction

The implementation of a comprehensive, coherent, modern, and robust framework for data protection in the European Union is an objective that the European Commission aims to achieve through the reform of data protection.1

The rapid evolution of the digital world has in fact led EU institutions to promote the creation of a regulatory system that, by transversally affecting all the policies of the union, can strengthen individuals’ rights to protect their personal data, also and especially in terms of the prevention, investigation, detection, or prosecution of criminal offenses and related judicial activities.

While the protection of personal data in the field of police and judicial cooperation in criminal matters has so far been governed by Framework Decision 2008/977/JHA, this legislation is destined to undergo a change by virtue of the adoption of the proposal for a directive 2012/0010 (COD),2 presented by the European Commission to replace existing legislation.

However, before examining the proposal in question, we need to understand whether and how the right to protection of personal data is significant in the EU legal system, above all following the recent approval of the Lisbon Treaty.

If, in fact, one of the objectives identified by the Treaty is the creation of an area of freedom, security, and justice (Art. 3 TEU), it should be noted that the development of solid cooperation in judicial and security matters must take into consideration the safeguard of the right to the protection of personal data.3 The Nice Charter4 elevated this right to the rank of a fundamental right of the person, with its own specificity and autonomy, not to be considered merely as an (implicit) aspect of the wider protection of privacy.5

The protection thus provided applies erga omnes, giving rise to a duty to respect it both by public organizations, whether they be EU institutions and bodies or domestic ones, and by individuals whose activity may affect the rights in question.6

The Lisbon Treaty itself also introduced in Article 16(2) TFEU a specific legal basis for the adoption of rules on the protection of personal data, also in the context of police and judicial cooperation in criminal matters. Moreover, paragraph 1 of that article already established that every person has the right to the protection of their personal data.

Article 16(2) TFEU establishes, therefore, the Union’s effective competence in the field, thus giving EU legislators such a wide margin of maneuver that they are able to establish a mandatory level of protection, even regardless of the need to ensure the movement of personal data.7

Precisely because of the regulatory framework set forth above, Declaration no. 21, annexed to the final proceedings of the conference for approval of the treaty, had recognized that in the field of judicial cooperation in criminal matters, specific rules on the protection of personal data could turn out to be necessary. This is because judicial cooperation between Member States is necessarily based on a constant exchange of information and data aimed at suppressing and preventing crimes.

A dual requirement is therefore apparent: to allow the filing and circulation of information necessary for the suppression of criminal behavior and at the same time to ensure an adequate level of protection for privacy.8

It will thus be necessary to find a balance between security and privacy.

Moreover, European law has always required that the principles of relevance, nonexcessiveness, and proportionality function as guidelines for the manner of collecting personal data in the context of judicial cooperation so that only the collection of relevant data and those strictly necessary for the investigations is permitted, using means proportionate to the aim pursued by the prosecuting authorities.9

Having established our general premises, and before examining the proposed directive, we need briefly to look at the existing regulatory framework.

2 The Current Regulations: Decision 2008/615/JHA and Decision 2008/977/JHA

In the field of judicial cooperation in criminal matters, particularly in combating terrorism and cross-border crime, Decision 2008/615/JHA highlights the importance and need to exchange information quickly and effectively.

The accuracy, timeliness, and sufficiency of the duration of data storage (Art. 28); the need for measures to prevent intrusion or manipulation of the data (Art. 29); and the right to be informed of the use of one’s personal data (Art. 31) are just some of the rights recognized by these regulations.

But it is Decision 2008/977/JHA that has been, until now, the regulatory framework of reference for the protection of personal data processed in the scope of police and judicial cooperation.

Although the decision was aimed at ensuring an adequate level of protection for fundamental human rights, in particular the right to privacy, with a view to balancing the need to protect public security, this balance does not seem to have been achieved, since so far security has always prevailed over privacy.10

But the greatest limitation of Decision 2008/977/JHA is probably its highly circumscribed scope, since it is applicable only to cross-border data but not to processing carried out by the police and judicial authorities at a strictly national level.11

This has led to further difficulties for authorities operating in the field of judicial cooperation in understanding the exact distinction between strictly national and cross-border processing of data. It is also problematic for those authorities to make a prior assessment as to whether “national” data will subsequently be subject to cross-border exchange.

Moreover, the decision leaves an excessively wide margin of interpretative discretion to Member States in the implementation phase, and no advisory group to promote uniform interpretation of the provisions in question has been envisaged.

In view of the regulatory framework described above, the European Data Protection Supervisor, in an opinion issued in January 2011, expressed the need to strengthen the regulation mentioned above to increase the protection of both private and public interests.12

What is needed, clarified the EPDS, is stronger and more effective regulatory intervention, which does not leave much room for the discretion of Member States in the implementation phase, without, however, precluding the possibility of adopting additional rules to provide a higher level of protection.

3 The Proposed Directive

There was an attempt to respond to criticisms of existing legislation in the proposal for a directive of 25 January 2012, on which we need to focus our attention.

This proposal, aimed at replacing the above-mentioned decision 2008/977/JHA, is part of a broader framework of regulatory reform suggested by the Commission, which also includes a proposal for a Regulation to replace the current Directive, 1995/46/EC. The latter is the cornerstone in the system of existing EU legislation on the protection of personal data and is intended to ensure both the protection of the fundamental right to the protection of personal data and the free movement of data between Member States.

It has been observed that the proposal for a Directive in question has its legal basis in Article 16 TFEU and seems to be compatible with the principles of subsidiarity and proportionality that circumscribe the scope of EU action in the matters under consideration.

It is in fact precisely the need for uniform intervention in a sector, such as that of the protection of personal data, in which we find significant fragmentation of the legislation of the Member States, as well as a growing need for rapid data exchange in order to prevent and combat crime, that justifies intervention by the Union. The satisfaction of this requirement of uniformity, among other things, was announced as an objective of the Stockholm Programme in 2009.13

On this point, however, there does not seem to be a consensus from the Italian Camera dei Deputati, the French Senate, the German Bundesrat, the Chambre des rapresentantys of Belgium, and the Swedish Riksdagen, fearful of an excessive invasion of national prerogatives.14

As to proportionality, the Directive appears to be the most appropriate tool for achieving the aims described above, ensuring at the same time the long-awaited harmonization as well as a great deal of flexibility in terms of implementation at a national level.

But it is the scope of the proposed directive that deserves particular attention, since, unlike the provisions of the 2008 decision, it is not limited to cross-border data. The rules in question would in fact be implemented with reference to all data-processing activities carried out by the competent authorities even at a strictly national level (Art. 2) for purposes of an “institutional” nature.15

This aspect marks the beginning of a path taken by EU legislation aimed at achieving conformity with supranational law also in the field of domestic procedures.

3.1 The Main Provisions of the Proposed Directive

Moving on, then, to a more detailed examination of the proposal, we see that it has as its primary objective the balance between security and privacy that the EPDS had defined necessary in the field of judicial cooperation (Art. 1).

The proposed law, like the definitions it contains, reproduces the provisions of Decision 2008/977/JHA but provides new definitions of the concept of “biometric data,” “genetic data,” and “competent authorities” (Art. 3) on the basis of the provisions of Article 87 TFEU,16 as well as a definition of “child” taken from the Convention on the Rights of the Child.

As far as regards the criteria of lawfulness of the processing of personal data (Art. 7), the proposed directive restricts them, highlighting that those for lawful processing, as identified in Article 7 of Directive 95/46/EC, cannot be applied in the field of judicial cooperation in criminal matters. Legal use is where the data is necessary for the performance of a task by a competent judicial authority on the basis of national legislation, for the fulfillment of a legal obligation to which the data controller is subject, for the protection of vital interests of the interested party or of a third party, and for the prevention of an immediate and serious threat to public safety.

As far as regards, however, the prohibition on processing certain categories of data, Article 8 of the proposed directive adds to the existing provisions of Directive 95/46 EC the prohibition of processing genetic data in accordance with the provisions of the case law of the European Court.17 This prohibition, in any case, is not applicable if the processing is authorized by national legislation aimed at establishing appropriate safeguards, functional to the preservation of a vital interest of the person concerned or of a third party, and if the processing relates to data made public by the person concerned himself.

Perfect compatibility with the resolution of Madrid,18 moreover, can be seen in the provisions (Arts. 10–17) aimed at listing the rights granted to the person concerned. First among these is the right of access, consisting of the right to receive confirmation from the person in charge of the processing data procedure concerning him. This right may however be removed, if necessary and in a proportionate manner, in a democratic state, for the achievement of higher interests such as not compromising investigations and protecting public security.

A new feature in the provisions of Decision 2008/977/JHA is the introduction of specific provisions (Arts. 30–32) on the obligations and responsibilities of data controllers, especially concerning the guarantee of transparency and access.19

As far as regards, however, the transfer of personal data to third countries or to international organizations, the proposed Directive permits such a transfer only where necessary for the purposes of prevention, investigation, detection, or prosecution of criminal offenses (Art. 33).

In addition, such transfers may occur only after an assessment of adequacy carried out by the European Commission (Art. 34), and pending this evaluation the flow of data will be possible only if their protection is in any case guaranteed by a legal instrument applicable to the case in point, which could be an international agreement, or if the data supervisor considers that in the case submitted for his opinion there are adequate safeguards for the protection of privacy.

Member States do, however, have a margin of discretion with regard to the legislation mentioned above (Art. 36), but only when this is strictly necessary for the protection of the concerned person or a third party or where the data processing is essential to prevent a threat to public security, to prevent or to punish a crime, or to exercise or defend a right in court.

Compared to the provisions of the JHA decision, moreover, the duties of supervisory authorities should also be extended to ensure that they contribute to the achievement of a consistent application of the law throughout the Union; Member States will have the task of establishing the duties of these authorities (Art. 45), major players in a campaign to raise public awareness on rights relating to the protection of personal data.

If, in addition, Directive 95/46/EC provides for a general obligation of cooperation, Article 48 of the proposal being examined instead lays down a real obligation of mutual assistance between Member States in the field of judicial cooperation.

Finally, it should be noted that the proposed directive provides a mechanism for jurisdictional appeals (Arts. 50–55) that the person concerned may bring against the data supervisor or against the supervisory authority. It will also be possible to submit a preemptive appeal to the latter. The proposal also introduces common rules for court actions and obliges Member States to acknowledge that the person concerned is entitled to compensation for any damage caused to him by the use of his personal data.

Member States will therefore have to introduce into their legal systems penalties applicable to infringements of the Directive and ensure their enforcement (Art. 55).

3.2 Critical Comments on the Proposed Directive

Although the proposed directive is worthy of praise, becoming part of a comprehensive set of rules for the protection of personal data that will be applied across the EU, one cannot avoid also levelling some criticisms at it.

Only gold members can continue reading. Log In or Register to continue