It is very strange that the Working Group has decided to put into one law the matter which is regulated within the GDPR at the level of the EU, on the one hand, and the Police Directive, on the other. Anyone who has just tried to skim the GDPR (even without trying to understand the complexity and breadth of the entire regulation) could see it as an extremely extensive legal act. On the other hand, the Police Directive, as a lex specialis, regulates solely the issue of the authority of state authorities in the collection and processing of personal data in the process of detecting criminal offenses.
In the EU, these are two regimes that have always been separated. While before GDPR entered into force, the first regime was within the scope of Directive 95/46 EC, the powers of the police and other authorities were previously prescribed by General Decision 2008/977/JHA. There is also a logical rationale behind this: the need to recognize the specific needs of state authorities in the prevention, investigation, and prosecution of crime perpetrators.
The set of changes that came into force in May 2018 within the EU has maintained a dual regime. While GDPR relates to the protection of personal data in general, the Police Directive refers to the collection of data for the purpose of prevention, investigation, detection, and prosecution of criminal offense perpetrators. Generally speaking, general data processing (the subject of GDPR) implies higher limitations on controllers but envisages more legal bases for such processing. The controller can choose one of the six legal bases for lawful data processing.
The Police Directive provides broader powers for certain state authorities, but only on one legal ground – when there is a need to “carry out a task by a competent authority when such a task is based on national or EU law”. Broader police powers sometimes interfere with the basic rights of the persons whose data are collected, which are otherwise provided under GDPR. For example, when collecting data to investigate a criminal offense, authorities are not obliged to notify the persons whose data they collect, which is otherwise one of the fundamental GDPR rules.
Bearing in mind this explanation, it remains completely unclear why the working group decided to regulate the areas in one law, which the EU could not unify in a single legal instrument.
The EC criticizes the Draft Law for this structure, as it finds it inconsistent. The EC states that so many exceptions provided in the Draft (which should have been the subject of a completely different lex specialis law) represent a potential problem for legal certainty and leave a wide space for potential abuse. As an example, it is stated that the Draft foresees over 40 exceptions to the rule.
The conclusion stemming from such criticism is that the EU agrees with the Commissioner’s remarks to some extent, remarks which he has so far pointed out in a fierce debate with the Ministry of Justice, ongoing since the publication of the first Draft.
The Commissioner rightfully, in our opinion, emphasized:
“this inevitably leaves the impression that the Draft Law is written more in the interest of “security structures” than in the interests of citizens’ rights”.
This is truly alarming because the main goal of GDPR is to put an individual and his rights to the core.