Report : recommendation R (87) 15 – twenty-five years down the line

Abstract

Between the period 2011‐2012, within the framework of the PUPIE project, the authors carried out a survey of the state of legislation in 30 out of the Council of Europe’s 47 member States in an effort to determine the impact of the Council of Europe’s Recommendation R(87)15 on data protection in the police sector over the 25 years since the adoption of the Recommendation in 1987. This final report from the PUPIE project finds that by and large the Recommendation has been widely adopted across Europe to an extent that many European states prima facie already regulate police use of personal data in a way comparable but not necessarily identical to that envisaged in the current draft of the European Commission’s proposal 25.1.2012 COM(2012) 10 final 2012/0010 (COD) for a “Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data”. This general finding in no way obviates the need for urgent action on this sector. The Report identifies two overall findings and thirty‐one provision‐specific findings in relation to the provisions of R(87)15 and places these in the context of eight realities as at September 2013. In response to the overall findings of disparity of provisions and lack of harmonisation, the Report advocates that the time has come for a binding legal instrument which is capable of being deployed across sectors which have hitherto often been parallel worlds: that of law enforcement agencies (LEAs) and the other of Security & Intelligence Agencies (SIS). The Report takes into account the available evidence of utility of the EU’s 2006 Data Retention Directive as well as the significance of the Snowden revelations for privacy & data protection. These considerations reinforce the Report’s recommendations that the Council of Europe offers the right forum for one or more of at least three options which could produce a suitable new binding legal instrument: (1) an entirely new multi‐lateral treaty or Convention which would contain mandatory provisions applicable to the LEA and SIS handling of personal data; (2) an additional protocol to the CoE’s Data Protection Convention (ETS 108) encapsulating the provisions envisaged in Option 1 and/or (3) an additional protocol to the CoE’s Cybercrime Convention (ETS 185) incorporating some of the provisions envisaged in Options 1 and 2. The Report finds that the urgency for and the onus upon the Council of Europe to take immediate action to produce a new binding instrument is compounded by the Snowden revelations and the possible chronic inadequacy of EU responses in the sphere of national security on account of exclusions of competence by Art 4 Section 2 of the EU Treaty.