“Law enforcement Directive”: What Are We Talking About?
The French Data Protection Act and its implementing decree have been amended to bring national law into line with the “European personal data protection package”, consisting of Regulation 2016/679 of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and Directive 2016/680 of April 27, 2016, the so-called Law Enforcement Directive (“LED”). The LED has been transposed into French law by the French Data Protection Act, in its Chapter XIII.
What Is the Scope of the Law enforcement Directive (LED)?
The LED provides rules on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the protection against threats to public security and its prevention.
To fall within the scope of the LED, a data processing must therefore meet two cumulative conditions.
First, it must pursue one of the purposes mentioned in Article 1 of the LED. The LED is thus largely intended to apply to "criminal matters" and, in particular, to activities carried out by the police, for instance in the context of preventing and recording certain offences during passenger travel ("API-PNR France" processing), or to processing operations set up for the management of enforcement actions linked to sentences ordered by judicial authorities.
The provisions of this directive may also be intended to govern processing carried out in the context of activities that do not specifically fall within the criminal sphere but which relate to police activities carried out prior to the commission of a criminal offence. The purposes covered by the LED may thus include preventive police activities for the purpose of protecting against threats to public security that could lead to a criminal charge (police activities at demonstrations, sporting events, maintaining public order, etc.) and processing operations carried out for these purposes.
On the other hand, the processing whatever its purpose only falls within the scope of the LED if it is carried out by a "competent authority". This term refers, according to the LED, to:
- any public authority competent for the prevention and detection of criminal offences, the investigation and prosecution of criminal offences or the execution of criminal penalties (judicial authorities, the police, any other law enforcement authorities, etc.);
- any other body or entity to which the law of a Member State entrusts the exercise of public authority and prerogatives of public power for the purpose of implementing processing covered by this Directive (for example, the internal security services of the public transport networks, sports federations approved for the purpose of providing security at sporting events, etc.).
A separate scope from the GDPR
The GDPR and the LED are both part of the European data protection package. They have distinct and complementary scopes.
The GDPR is intended to apply to all processings of personal data in the Member States, both in the public and private sectors, although it does not apply to processing carried out in the exercise of activities that do not fall within the scope of European Union law, such as state security or national defense activities, and those carried out for the purposes of the LED.
A scope excluding processing carried out to ensure State security or national defense
Processing carried out to ensure state security or national defense does not fall within the scope of the European Union and remains governed by the provisions of the French Data Protection Act alone.
What are the obligations of data controllers acting within the framework of the LED?
The data controller has various obligations, bearing in mind that where two or more controllers jointly determine the purposes and means of processing, they are considered to be joint controllers (article 21).
Some obligations under the Directive are identical to those under the GDPR:
- implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Directive (Article 19);
- implement data protection by design and by default (Article 20);
- use processors that provide sufficient guarantees and act only on instructions from the controller (Article 22);
- maintain a record of processing activities (Article 24);
- implement logging measures (Article 25);
- cooperate with the supervisory authority in the performance of its tasks on request (Article 26);
- carry out a data protection impact assessment when the processing is likely to result in a high risk to the rights and freedoms of natural persons (Article 27);
- consult the supervisory authority in advance in the cases listed in Article 28 of the Directive;
- implement appropriate measures to ensure a level of security appropriate to the risk, in particular as regards the processing of special categories of personal data referred to in Article 10 (Article 29);
- notify the supervisory authority of a personal data breach without undue delay, and, where feasible, not later than 72 hours after having become aware of it, when the breach is likely to result in a risk to the rights and freedoms of natural persons (Article 30);
- communicate the personal data breach to the data subject without undue delay where the personal data breach is likely to result in a high risk to his/her rights and freedoms (Article 31);
- designate a data protection officer under the conditions set out in Article 32 of the Directive;
- respect the conditions defined for the transfer of personal data to third countries or to international organizations (Article 35 and following).
Other obligations are specific to the LED:
- where applicable and as far as possible, to make a clear distinction between personal data of different categories of data subjects, such as persons convicted of a criminal offence, victims of a criminal offence, other parties to a criminal offence etc. (Article 6);
- distinguish between personal data (personal data based on facts/personal data based on personal assessments) and ensure the quality of personal data (Article 7);
- processing must be lawful, i.e. necessary for the performance of a task carried out by a competent authority, for the purposes of this Directive, and based on Union law or Member State law (Article 8);
- processing of special categories of data is allowed only where strictly necessary (Article 10).
What rights for data subjects?
Due to the specificity of the scope of the LED, some rights included in the GDPR are not found in the Directive (e.g. the right to portability) or may be subject to limitations. The rights of natural persons recognized in the Directive are as follows:
- information to be made available to the data subject, subject to possible limitations (Article 13);
- the right of access (Article 14), subject to limitations in whole or in part, in particular in order not to obstruct investigations, or to avoid prejudicing the prevention or detection of criminal offences, etc. (Article 15). In practice, the limitation of the right of access may lead to the implementation of an "indirect right of access", i.e., exercised through the intermediary of the competent supervisory authority (Article 17);
- the right to rectification or erasure of personal data (Article 16).
Official texts
- The “Law Enforcement Directive” (Directive (EU) 2016/680)
- The French Data Protection Act - Title III (in French)
- The French Data Protection Act implementing decree n° 2005-1309 of 20 October 2015 amended (in French)
- Opinion n° 393836 of the French Supreme Administrative Court (Conseil d’Etat) on a bill to adapt the Data Protection Act to EU law (in French)
- Article 29 Data Protection Working Party (WP29), Opinion on some key issues of the Law Enforcement Directive (EU 2016/680), wp258
- Decision of the French Constitutional Court n° 2018-765 DC, 12 June 2018 (in French)