This is not a lengthy analytical post; it is by way of quick update on the much overlooked younger sibling of the proposed General Data Protection Regulation: the Data Protection Directive for the police and criminal justice sector. Most practitioners are understandably focussing on the Regulation: that is the instrument which will affect most of us most of the time. But the EU is proposing to harmonise the rules across sectors and, at the same, implement a new Directive applicable to the police and criminal justice sectors. The existing Directive does not, of course, apply to that arena by virtue of article 3(2) (although the DPA 1998 is unlimited in its scope, so the point has rarely been of much relevance domestically).
A couple of weeks ago the Commission proudly announced that the Directive was full steam ahead following agreement in the Council, and that the drafting was moving into trilogue (dread term). The EDPS has now issued Opinion 6/2015, which is not quite so enthusiastic and sets out a number of areas that it believes should be taken into account, not least ensuring compliance with the CJEU’s evident dislike of blanket surveillance in Schrems (Panopticon passim) and the Charter rights of data subjects. It also stresses the need for there to be ‘joined up regulation’ between the Directive and the new Regulation to ensure a coherent and consistent system of data protection across the EU and across all fields of public and private sector data handling.
The final text of both legislative measures will inevitably give rise to plenty of questions (Who you gonna call? Counsel.) but it will be important for those working in the data protection and privacy field not to overlook the Directive in the headline grabbing of its more high-profile sibling. We shall see what trilogue brings us.