Private Companies and the Transfer of Data to Law Enforcement Authorities

AuthorEls De Busser
Publication Date01 Jun 2016
478 23 MJ 3 (2016)
Challenges for Data Protection
E D B*
e need for law enforcement authorities cooperating with private companies is not new.
Personal data retained by private companies can be nece ssary for the purpose of preventing,
detecting, investigating and prosecuting cr iminal o ences.
Besides issues w ith purpose limitation and retention periods, companies are devel oping
products that aim to protect citizens’ privacy and data by using encrypted so ware and
building personal servers. Such products are good news for law-abiding citizens who are
concerned with the protection of the ir personal data and privacy.
Such p roduct s howev er also protec t data th at are pa rt of cr iminal o ences such as child
sexual exploitation and terrorism, making it di cult for law enforcement authorities to
access these data for the pur pose of preventing, investigating or prosecuting these criminal
o ences.  us, essential questions are how law enforcement authorities should approach
this additional challenge on the one hand and how legislators should react to this on the
other hand.
Keywords: criminal investigations; data protection; encryption; law enforcement
cooperation; pu rpose limitat ion
O enders prepare their criminal acts carefully, especially for complex o ences such as
organized cri me or terrorism. Preparation can i nclude communicating with accomplice s,
* Senior lecture r and senior researcher at  e Hagu e University of Applied Sciences, t he Netherlands.
Private Compan ies and the Transfer ofData to Law En forcement Authorities
23 MJ 3 (2016) 479
gathering information on speci c websites, purchasing certain products, tr avelling, and
booking hotel rooms or rental cars. In other words, activities that leave traces in the
form of persona l data:  nancia l data, telecommunications data, location data , and so on.
e fact that these data are valuable for law enforcement authorities when preventing,
detecting, invest igating and prosecuting crime is clear, at least withi n the limits of what
is allowed by the Council of Europe Data Protection Convention:1 the collecting and
processing of these data should be legal, necessary and proportionate.  is limitation
underlines the distinction between ‘must have’ and ‘nice to have’ or the fact that law
enforcement authorities should gather personal dat a for a speci c criminal investigation
rather than for an undetermined purpose. e fact that this requires cooperation with
private companies that process a nd control this data is also clea r as they collect and store
it for the purpose of their commercia l activities.
Still, issues regarding data protection remain. Some of these were given a new
dimension due to recent developments such as the increased u se of encryption technolog y,
although the quest ion whether they are really new is debat able.  e cooperation between
law enforcement authorities and private companies is not new2 though it seems to
have increased considerably in recent years, triggered by the growing amount of data
individuals a re sharing either online or th rough other means and trig gered by expanding
possibilities to colle ct and retain such data.3
In addition, public awareness to these developments has been raised following
revelations of law enforcement authorities engaging in programmes collecting massive
amounts of data and build ing so-called information positions.
What is fairly new is that the greater awareness for privacy and data protection has
thrust the public-private cooperation into the public eye. As is usually the case with a
higher level of awareness for any subject, this leads to initiatives.  ese are initiatives
in the shape of individuals taking legal action, such as in the Schrems case before the
CJEU4 or the more entrepreneurial type of initiatives based on privacy and data
protection as a competitive advantage.  e latter refers to privacy and data protection
being incorporated into hardware and so ware as a growing number of consumers are
making a deliberate choice for the most priv acy safeguarding technology on t he market.
1 Council of Europ e Convention for the Protection of Ind ividuals with rega rd to Automatic Processing
of Personal Data, 2 8January 1981, CETS No. 108.
2 For the purpose of t his paper a private compa ny or entity is a legal person t hat processes persona l data
in the course of a n activity that fall s within the scope of EU law – commerci al activities – and who
alone or jointly wit h others determines t he purposes, condit ions and means of the processi ng of those
personal data . When referring to c ollecting a nd analysing of dat a, the term law enforce ment authorities
refers to intelligenc e and police authorities .
3 See for example: E27 New s, ‘World‘s data volume to grow 40% per year & 50 t imes by 2020: Aureus’,
15Januar y 2015. Other examples include courts ord ering private companies to hand over d ata from
users investigated by law enforcement: New York Times, ‘Brazi l Arrests Facebook Executive in
WhatsApp Data Acc ess Case’, 1March 2016; and Washing ton Post, ‘Why Apple is in a historic  ght
with the govern ment over one iPhone’, 17February 2016.
4 Case C-362/14 Schrems v. Data Protection Co mmissioner, EU:C:2015:650.

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT