To have or have not: Limiting the data available for subsequent use by the police
| Published date | 01 December 2023 |
| DOI | http://doi.org/10.1177/20322844231214486 |
| Author | Inger Marie Sunde |
| Date | 01 December 2023 |
Special Issue Article
New Journal of European Criminal Law
2023, Vol. 14(4) 495–511
© The Author(s) 2023
Article reuse guidelines:
sagepub.com/journals-permissions
DOI: 10.1177/20322844231214486
journals.sagepub.com/home/nje
To have or have not: Limiting
the data available for
subsequent use by the police
Inger Marie Sunde
Norwegian Police University College, Norway
Abstract
In search of evidence in criminal investigation police often collect data in bulk, and the question
addressed concerns whether the bulk data as a whole or only in part may be deemed available for
subsequent use. The article suggests that only data exposed to the police in the digital forensic
analysis performed as part of the investigation, should be deemed available for subsequent use. Such
data are termed digital assessed information and are contrasted to data whose content is not known
to the police. The latter should be deleted or made inaccessible for further use once the original
case is finalised. The position is anchored in the criminal procedural principles of purpose limitation
and purpose orientation, recognised in case-law related to Article 8 European Convention of
Human Rights (ECHR), further validated in considerations of fairness and coherence with the rules
for use of excess information in intercepted communications.
Keywords
Digital evidence, purpose limitation, purpose orientation, bulk data
Introduction
Police collection of big data in search of digital evidence in criminal investigation, raises concern
about the possible risks to the fundamental right of data protection.
1
This right is laid down in Article
8 European Charter of Fundamental Rights (“Charter”),
2
as well as in Article 8 ECHR. In the
Charter the right is laid down as a distinct right alongside the right to private life (Article 7), whereas
Corresponding author:
Inger Marie Sunde, Norwegian Police University College, Slemdalsveien 5, Oslo 0369, Norway.
Email: ingsun@phs.no
1. Charter of Fundamental Rights of the European Union [2000] C 364/01.
2. Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms (1950 ETS 005).
in the ECHR as a dimension of the right to private life in so far as the processing is performed by or
on behalf of a public authority, such as the police.
3
This article analyses legal limitations flowing from the principles of purpose limitation and
purpose orientation in criminal procedural law concerning subsequent use of such data. The
problem at hand is caused by the police collecting data in bulk, thus taking much more data into
custody than needed for investigating the case that gave reason for collecting the data (“the original
case”). The question is whether the bulk data as a whole may be deemed to be available for
subsequent processing, or only the part that lawfully was exposed to the police in the investigation
of the case. The importance of the question is obvious: the more data available for search, the
stronger the information position of the police, a position that comes at a cost to data protection
rights and should be curtailed.
The principles of purpose limitation and purpose orientation are laid down in Norwegian
criminal procedural law, as well as in case-law concerning police use of coercive measures under
Article 8 ECHR. The principles are further underpinned by rules preventing use of unlawfully
obtained evidence, developed in relation to the right to a fair trial laid down in Article 95 Norwegian
Constitution
4
and Article 6 ECHR. The present analysis draws on these rules in Norwegian law,
where the primary legal source is the Criminal Procedural Code (“CPC”).
5
Article 4(1)(b) and (2) European Law Enforcement Directive (“LED”)
6
sets out the principle of
purpose limitation for personal data processing (Art. 4(1)(b)) and conditions for subsequent use
(Art. 4(2)).
7
The provisions read as follows:
(1) (b) Member states shall provide for personal data to be collected
8
for specified, explicit and
legitimate purposes and not processed in a manner that is incompatible with those purposes.
(2) Processing by the same or another controller for any of the purposes set out in Article 1(1)
other than that for which the personal data are collected
9
shall be permitted in so far as: (a)
the controller is authorised to process such personal data for such a purpose in accordance
with Union or Member State law; and (b) processing is necessary and proportionate to that
other purpose in accordance with Union or Member State law.
The notion collected data stands at the centrepiece of both paragraphs, implying that the issue
concerns subsequent use of the bulk data as such. This however must be a fallacy, as it overlooks that
two questions must be asked, firstly whether or not all of the bulk data may be available for
subsequent use, and secondly, for which purposes the available data may be used. As indicated, this
article addresses the first question. In doing this, it explains the Norwegian situation where the
“value chain”of the data processing begins with the collection of data in a criminal investigation in
search of evidence. Such data collection is regulated by rules of criminal procedural law governing
3. Karl Fridrik Kjølbro, Den Euoropæiske Menneskerettighedskonvention –for praktikere(6th edn, DJØFForlag 2023) ch
16.5.
4. The Norwegian Constitution 2014.
5. The Norwegian Criminal Procedural Code 1981.
7. In the context of law enforcement use of data for a purpose different from the original purpose is termed “subsequent use”,
see Juraj Sajfert and Teresa Quintel, ‘Data Protection Directive (EU) 2016/680 for Police and Criminal Justice
Authorities’, accessible via https://papers.ssrn.com/sol3/papers.cfm?abstract id=4016491.
8. Italics added.
9. Italics added.
496 New Journal of European Criminal Law 14(4)
To continue reading
Request your trial