The LED’s right of access to one’s data: Loopholes on proper access, legality review and data protection authority Accountability
| Published date | 01 March 2024 |
| DOI | http://doi.org/10.1177/20322844231214484 |
| Author | Diana Dimitrova,Paul De Hert |
| Date | 01 March 2024 |
Article
New Journal of European Criminal Law
2024, Vol. 15(1) 12–32
© The Author(s) 2023
Article reuse guidelines:
sagepub.com/journals-permissions
DOI: 10.1177/20322844231214484
journals.sagepub.com/home/nje
The LED’s right of access to
one’s data: Loopholes on
proper access, legality review
and data protection authority
Accountability
Diana Dimitrova
FIZ Karlsruhe –Leibniz Institute, Germany
Vrije Universiteit Brussel, LSTS Group
Paul De Hert
Vrije Universiteit Brussel, Belgium
Tilburg University
Abstract
Directive 2016/680 (the Law Enforcement Directive (LED)) provides two procedures for the
exercise of the rights of access to one’s data: a direct one under Article 14 LED (directly addressed
to the law enforcement authority) and an ‘indirect’one under Article 17 (3) LED, i.e., via the
intermediary of the data protection authority (DPA). In the present paper we will argue that
the latter procedure should be the exception and the Article 14 LED procedure should be seen as
the default. We will analyse the weaknesses of the Article 17 (3) LED provision and then criticize its,
in our opinion, flawed implementation into the national laws of Belgium, France and Germany. We
will demonstrate that Article 17 (3) LED, as read in light of Article 15 LED on the restrictions to the
right of access, might be interpreted incorrectly to allow for the ‘indirect’access procedure to
be evoked abusively. We will argue that it lacks the explicit language to guarantee the decision-
making powers of DPAs when deciding what information to communicate to the concerned data
subjects when answering their request. We will demonstrate how the examined Member State laws
further restrict the powers of their DPAs, which endangers the effectiveness of the ‘indirect’access
procedure because they do not guarantee the accountability, transparency, and proper legality
check by the DPAs which are called on to exercise the right of access indirectly.
Corresponding author:
Diana Dimitrova, FIZ Karlsruhe –Leibniz Institute, Vrije Universiteit Brussel, LSTS Group, Hermann-Helmholtz-Platz 1,
Eggenstein-Leopoldshafen 76344, Germany.
Email: diana.dimitrova@fiz-Karlsruhe.de
Keywords
data protection, law enforcement directive, right of access, ‘indirect access’, transparency
Introduction
The need to discuss the right of access under the LED
The right of access to one’s personal data is understood to mean obtaining some form of access to
the data which a certain controller has been processing in relation to the individual requesting access
or at least getting a confirmation that data concerning the individual have been or are being
processed.
1
Not least because it enables the discovery of mistakes in the data processing and their
subsequent correction, does this right play a significant role, especially in a law enforcement
context, as we will demonstrate in more detail later in the paper. The right of access to one’s data as
processed by the law enforcement authorities has been guaranteed in the EU under the Law
Enforcement Directive (LED).
2
The main provisions of the LED have already been succinctly discussed in this journal.
3
Further
literature on the LED has elucidated a variety of different aspects under the LED.
4
One under-
explored aspect in literature, but also in legal practice, is the procedure for exercising data subjects’
rights, including the right of access to one’s personal data in a law enforcement context.
5
The LED envisages two procedures to exercise the right of access: a default access procedure and
an exceptional watered-down access procedure. The former is regulated by Article 14 LED, which
provides that the data subject may request access to their personal data by default directly to the
respective law enforcement authority (‘the controller’).
6
1.Such a disclosure enables corrective actions and is supposed to enhance the transparency towards concerned individuals
and society and to improve the information balance between these and the data processing entities. E.g. Rene Mahieu,
‘The Right of Access to Personal Data: a Genealogy’[2021] Technology and Regulation,https://doi.org/10.26116/tec
hreg.2021.005, pp. 62-75; Evelien Brouwer, Digital Borders and Real Rights Effective Remedies for Third-Country
Nationals in the Schengen Information System (Martinus Nijhoff 2008), p. 201; Diana Dimitrova, ‘Data Subject Rights:
The Rights of Access and Rectification in the Area of Freedom, Security and Justice’(PhD Dissertation, Vrije Universiteit
Brussel, 2021).
2.Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons
with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation,
detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data,
and repealing Council Framework Decision 2008/977/JHA [2016] OJ L 119/89 (LED).
3.Paul De Hert and Vagelis Papakonstantinou, ‘The New Police and Criminal Justice Data Protection Directive: A First
Analysis’[2016] 7(1) New Journal of European Criminal Law 7.
4.Juraj Sajfert and TeresaQuintel, ‘Data Protection Directive (EU) 2016/680 for Police And Criminal Justice Authorities’in
Cole/Boehm, GDPR Commentary (forthcoming Edward Elgar Publishing).
5.See amongst the exceptions: Diana Dimitrova and Paul De Hert, ‘The Right of Access under the Police Directive: Small Steps
forward,’in Manuel Medina, Andreas Mitrakas, Kai Rannenberg, Erich Schweighofer, Nikolaos Tsouroulas (eds.), Privacy
Technologies and Policy: 6th Annual Privacy Forum, APF 2018, Barcelona (Springer 2018); Plixavra Vogiatzoglou,Ka th
erine Quezada Tav´
arez, Stefano Fantin, Pierre Dewitte, ‘From Theory To Practice: Exercising The Right Of Access Under
The Law Enforcement And PNR Directives’11 JIPITEC 2021.
6.Article 14 LED also contains the caveat that the controller may restrict the provision on the requested data under the
conditions set out in Article 15 LED. The motivation behind the restrictions is simple: sometimes granting data subjects to
their data might prejudice police work and a balance needs to be struck between individual rights and law enforcement
tasks such as investigating crimes.
Dimitrova and De Hert13
Get this document and AI-powered insights with a free trial of vLex and Vincent AI
Get Started for FreeUnlock full access with a free 7-day trial
Transform your legal research with vLex
-
Complete access to the largest collection of common law case law on one platform
-
Generate AI case summaries that instantly highlight key legal issues
-
Advanced search capabilities with precise filtering and sorting options
-
Comprehensive legal content with documents across 100+ jurisdictions
-
Trusted by 2 million professionals including top global firms
-
Access AI-Powered Research with Vincent AI: Natural language queries with verified citations
Unlock full access with a free 7-day trial
Transform your legal research with vLex
-
Complete access to the largest collection of common law case law on one platform
-
Generate AI case summaries that instantly highlight key legal issues
-
Advanced search capabilities with precise filtering and sorting options
-
Comprehensive legal content with documents across 100+ jurisdictions
-
Trusted by 2 million professionals including top global firms
-
Access AI-Powered Research with Vincent AI: Natural language queries with verified citations
Unlock full access with a free 7-day trial
Transform your legal research with vLex
-
Complete access to the largest collection of common law case law on one platform
-
Generate AI case summaries that instantly highlight key legal issues
-
Advanced search capabilities with precise filtering and sorting options
-
Comprehensive legal content with documents across 100+ jurisdictions
-
Trusted by 2 million professionals including top global firms
-
Access AI-Powered Research with Vincent AI: Natural language queries with verified citations
Unlock full access with a free 7-day trial
Transform your legal research with vLex
-
Complete access to the largest collection of common law case law on one platform
-
Generate AI case summaries that instantly highlight key legal issues
-
Advanced search capabilities with precise filtering and sorting options
-
Comprehensive legal content with documents across 100+ jurisdictions
-
Trusted by 2 million professionals including top global firms
-
Access AI-Powered Research with Vincent AI: Natural language queries with verified citations
Unlock full access with a free 7-day trial
Transform your legal research with vLex
-
Complete access to the largest collection of common law case law on one platform
-
Generate AI case summaries that instantly highlight key legal issues
-
Advanced search capabilities with precise filtering and sorting options
-
Comprehensive legal content with documents across 100+ jurisdictions
-
Trusted by 2 million professionals including top global firms
-
Access AI-Powered Research with Vincent AI: Natural language queries with verified citations