Summary of EDPB Guidelines on Article 37 Law Enforcement Directive

On 19 September 2023 the European Data Protection Board (“EDPB”) adopted Guidelines on Article 37 Law Enforcement Directive (“Guidelines”). The deadline for comments is 8 November 2023.

The Guidelines are primarily intended to assist EU Member States, and competent authorities in scope of the national implementing legislation of the Law Enforcement Directive (“LED”), with the ever thorny topic of international data transfers.

That said, they do have some broader points of interest explained below for some commercial organisations - for example, if a vendor was engaged by a competent authority to assist with data handling under the LED’s relatively wide scope.

What is the LED?

The LED is EU legislation which governs the processing of personal data for criminal law enforcement purposes and came into effect in May 2018. As a Directive, it was required to be transposed into local Member State law and so national requirements can diverge slightly.

In terms of its scope, the LED is focussed on criminal matters and applies to competent authorities and their processors. Typical matters subject to the Directive would be the police investigating suspected criminal offences by an individual or a court imposing sanctions on a group of offenders.

Competent authorities are often listed in the local implementing law but a case by case assessment may still be required as to whether non-listed bodies, and their processors, are subject to requirements.

Crucially, law enforcement matters are not widely covered by the EU General Data Protection Regulation – though many of the Directive’s provisions are similar in style and substance (e.g. implement data protection by design and default measures, maintain a record of processing activities etc.).

What is covered by Article 37 LED?

Article 37 LED covers the transfer of personal data for law enforcement purposes from competent authorities to competent authorities or international organisations located in a country which is not subject to a European Commission adequacy decision.

Therefore, in much the same way as Article 46 of the EU GDPR, Article 37 requires transfers to be subject to appropriate safeguards to ensure that the transferred data remains subject to an essentially equivalent level of protection as it would enjoy in the EU.

Specifically, a transfer may take place if “appropriate safeguards” are provided for in one of two ways:

  • a legal instrument providing appropriate safeguards which binds the intended recipient. Examples of an instrument include a Mutual Legal Assistance Treaty with suitable data protection provisions including around redress and enforceable rights to data subjects; or
  • a self-assessment by the controller which concludes that appropriate safeguards exist. This also involves informing the competent data protection authority with some prescribed details about the data transfer and safeguards e.g. a description of the data, the recipient’s name etc.

At the risk of stating the obvious, the application of this Article is not simply theoretical given the importance of information exchange for international cooperation in criminal matters and the role of vendors in supporting these activities.

What are the key commercial-related elements of the Guidelines?

Although the Guidelines touch upon a variety of interesting issues like the role of DPAs in assessing safeguards, this post focuses on some key commercial issues arising from the document.

  • Appropriate safeguards – the Guidelines remind us that the European Commission has only adopted one LED Adequacy Decision so far, in respect of the UK, and that derogations should be used sparingly. Therefore, Article 37 appropriate safeguards are the most common transfer mechanism for LED transfer purposes.
  • Case by case assessment – the EDPB notes that essentially equivalent protection should be ensured for the particular transfer or category of transfers and not necessarily with regard to the third country or international organisation’s entire legal regime. This seems a sensible acknowledgement that the context / type of transfer is key to determining appropriate safeguards but, equally, could impose a significant burden on competent authorities to produce bespoke, case-by-case assessments that they may struggle to resource in practice.
  • Legal instrument – a legal instrument’s mere existence is insufficient since it must also regulate the processing of personal data and adduce the necessary safeguards. The EDPB provides fairly detailed guidance on the provisions required in a legal instrument – most of which are expected, such as Article 28 GDPR style provisions, and terms reflecting recent CJEU case law on data transfers and the need to ensure redress mechanisms and enforceable data subject rights.
  • Self-assessment – the EDPB reiterates that this is only required in the absence of a legal instrument and indicates such an instrument is preferable (and implementing a legal instrument avoids the need to notify the DPA). The Guidelines suggest a three step process – first, factoring the risk to data subjects, second, categorising and assessing the transfers based on their risks to data subjects and third determining if existing safeguards are appropriate. This is similar to the process outlined in EDPB Recommendations on Supplementary Measures. On the first step, data protection is obviously key and other factors set out include the importance of the data sharing for the law enforcement purposes, criminal law requirements and political/diplomatic considerations. On the second step, these are mostly as expected (e.g. type of data, recipients etc.) but also include some law enforcement specific factors like the seriousness of the criminal offence and the authority at the origin of the transfer. On the third step, this is largely similar to the assessment required for GDPR transfers of personal data. Common sense example measures are highlighted such as data retention requirements with some sample safeguards (e.g. demanding commitments on the non-application of death penalty or any form of cruel or inhuman treatment) illustrating the deeply sensitive nature of international data exchange for law enforcement.
  • Role of the processor – the Guidelines do not address this issue in detail but it’s worth remembering that processors engaging in activities in scope of the LED will likely need to assist controllers with Article 37 compliance (e.g. potentially helping to identify a suitable legal instrument and/or by being aware of their obligations under such an instrument).
  • Hierarchy of transfer protections - finally, the Guidelines (para 11 for the keen reader!) reiterate the “hierarchy” of international transfer protections i.e. an adequacy decision as the gold standard followed by an appropriate safeguard and then derogations. This reference might be useful in the context of commercial negotiations where parties can occasionally misunderstand the protections available (e.g. equating a derogation like consent to a safeguard like Standard Contractual Clauses).
