Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Chapter: 

2.3 Police and Judicial Co-operation In Criminal Matters

2.3 POLICE AND JUDICIAL CO-OPERATION IN CRIMINAL MATTERS

We strongly support the proposed consideration of extending general data protection rules to the areas of police and judicial activity, and of harmonisation of any specific provisions considered necessary in this area. We suggest that ‘blanket’ across-the-board exemptions from data protection rules can rarely be justified for entire agencies or sectors – instead, specific exceptions or provisions can address particular difficulties that the normal application of data protection rules may pose for other important public interests such as law enforcement and national security.

A recent judgment from the UK National Security Tribunal (with Privacy International) concluded that the Tribunal only had jurisdiction if the complainant was “a person directly affected” by the processing. By this, the Tribunal meant somebody like a data subject undertaking a subject access request and who was refused access to his personal data. By contrast, Privacy International was raising an issue not concerned with about subject access but about the general application of the 2nd and 8th Data Protection Principles (dealing with incompatibility of purpose and transfers outside the Europe) applying to the privacy of thousands and thousands of data subjects. The result was that, because of a technicality, Privacy International could not progress their appeal.

The revised Directive must ensure that a regulator in the area of national security can take effective action whenever he raises a matter of substantial public interest concerning the application of the national security exemption. The safeguard has not got to be limited to action by the “person directly affected” but should be extended to the regulator so that the regulator can intervene in cases when there is a serious data protection issue to resolve. The problem in the UK framework is that there is often “no person directly affected” available because national security actions are, by their nature, covert. Any person who is “directly affected” is very unlikely to become aware of such covert action unless the national security agencies make a blunder. And that is why the UK privacy protection in this national security area is so inadequate.