Digital criminal investigations in Italy. The intersection between data protection and cybersecurity
Published date | 01 December 2023 |
DOI | http://doi.org/10.1177/20322844231212836 |
Author | Roberto Flor, Beatrice Panattoni |
Special Issue Article
New Journal of European Criminal Law
2023, Vol. 14(4) 479–494
© The Author(s) 2023
Roberto Flor and Beatrice Panattoni
University of Verona, Italy
Abstract
The scope of digital criminal investigations is rapidly expanding, as they have become indispensable in prosecuting not only cybercrime but all kinds of crimes involving digital evidence. Digital investigations often involve a high degree of intrusiveness, granting law enforcement authorities large-scale access to personal data, programs, and systems. As a result, it is essential to critically assess the legitimacy of digital investigations to prevent potential abuses. When balancing the social need for crime control with the protection of citizens’ rights and interests, we find, on one side of the scale, the public interest of countering and preventing serious crime in a digital world. But which parameters must be incorporated on the other side of the scale? While most attention is given to privacy and data protection in European law to regulate the collection and processing of personal data by law enforcement in criminal proceedings, we propose that another increasingly vital interest needs to be factored in as well: the protection of cybersecurity.
Keywords
digital criminal investigations, data retention, data collection, data protection, cybersecurity, lawful hacking
Corresponding author:
Roberto Flor, Department of Legal Science, University of Verona, Via C. Montanari, Verona 37129, Italy.
Email: roberto.flor@univr.it
Setting the scene
In today’s information-driven era, every facet of our public and private lives is undergoing digitization, transforming everything into data. As a consequence, access to data and information has become a crucial element in the criminal justice system, where investigative activities must evolve digitally to remain effective. While the digitization of criminal investigations enhances crime-fighting and strengthens public security, it also widens the technological vulnerabilities of modern society. Cyber-intrusions into fundamental rights can now potentially also originate from Law Enforcement Authorities (LEAs) within the criminal justice system. Indeed, digital investigations have the potential to lead to technology-facilitated abuses of power, driven by an unchecked pursuit of public security.[1]
To prevent misuse in this direction, it is essential to strike a balance between conflicting interests, while upholding the principle of proportionality as provided for in Article 52 of the EU Charter of Fundamental Rights.[2] Limitations on the exercise of rights and freedoms can be legitimate if they are well-grounded on both substantive and procedural levels. Substantively, the level of intrusiveness into citizens’ rights must be proportionate to the seriousness of the crime under investigation. Procedurally, the modes of data collection and analysis must be expressly regulated with procedures and guarantees provided for by law.
Digital criminal investigations can tread on a slippery slope when it comes to safeguarding fundamental rights, especially the right to protection of personal data. To address this concern, the EU developed a set of legal instruments that regulate personal data collection and processing by criminal justice authorities. The most relevant one is Directive EU/2016/680, the so-called Law Enforcement Directive (LED).[3] However, digital investigative activities keep widening their scope, and new digital tools can perform very intrusive operations and process various types of data besides personal data. Given this evolution, the regulation of digital investigations must encompass not only the procedural guarantees provided by criminal procedural law, but also the protection of other conflicting interests beside the right to the protection of personal data.[4]
We need to consider the potential of new digital investigations to intrude into private systems, programs and devices, which lowers their security and compromises their confidentiality and integrity. Hence, there is a wider balance to consider besides public security vs individuals’ data protection. The regulation of digital investigative techniques must consider the citizens’ legitimate interest in performing personal activities securely and confidentially on their digital devices. We can frame this interest by the term “cybersecurity”, which will be developed in the following sections. This paper suggests that we need to start considering cybersecurity as another interest to weigh in
1. On the increasing use of criminal law to prevent crime (i.e., “preventive criminal law”) see Ulrich Sieber, ‘The new architecture in Security Law: Crime control in the global risk society’, in Ulrich Sieber and others (eds), Alternative Systems of Crime Control: National, Transnational, and International Dimensions (Duncker & Humblot 2018) 5 ff.
2. Richard Vogler, ‘Big Data and Criminal Justice. Proportionality, Efficiency and Risk in a Global Context’, in Emmanouil Billis, Nandor Knust and Jon Petter Rui (eds), Proportionality in Crime Control and Criminal Justice (Hart Publishing 2021) 165 ff.
3. Directive EU/2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data. Other relevant sources are the General Data Protection Regulation (GDPR) and Regulation EU/2017/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data. On the impact of invoking crime-fighting and prevention to legitimize exceptions to the principles of data protection law, see Athina Giannakoula, Dafni Lima and Maria Kaiafa Gbandi, Combating Crime in the Digital Age: a Critical Review of EU Information Systems in the Area of Freedom, Security and Justice in the Post-Interoperability Era (Brill 2020) 38 ff. On data protection related to information sharing in criminal cooperation see Angeles Gutiérrez Zarza, Exchange of Information and Data Protection in Cross-border Criminal Proceedings in Europe (Springer 2015).
4. Roberto Flor and Stefano Marcolini, Dalla data retention alle indagini ad alto contenuto tecnologico. La tutela dei diritti fondamentali quale limite al potere coercitivo dello Stato. Aspetti di diritto penale processuale e sostanziale (Giappichelli 2022).