Introduction

Since May 2018, the European Commission (Commission) has the exclusive competence not only to assess third countries for an adequacy decision authorizing the international transfer of personal data to third countries or international organizations in relation to the General Data Protection Regulation (GDPR)1 but also for law enforcement purposes under the Law Enforcement Directive (LED).2 So far, no LED adequacy decision has been adopted.

Key Points

The regulation of international personal data transfers to third countries or international organizations in a law enforcement context in the European Union (EU) is complex. This is partly due to the fact that already the EU treaties concede that data protection for law enforcement might require specialized rules outside of the ‘normal’ EU legal data protection framework.3 Within this specialized framework, the LED is just one piece of the puzzle.4 Actually, the LED explicitly allows rules from other instruments for data protection within law enforcement, including provisions on international data transfers, to apply instead of the LED.5 The fragmentation continues within the scope of the LED due to the fact that the LED is a minimum harmonization Directive,6 and therefore only setting a result to be achieved but not the ‘forms and methods’ to achieve it.7 Member States can go beyond the LED in the protection offered to data subjects when transposing the LED into national law, which is already leading to diverging transpositions across the EU hampering the effectiveness of the LED.8 It also translates into Member States law forming another piece of the puzzle that is personal data protection in a law enforcement context in the EU.

  • Since May 2018, the European Commission (Commission) has the exclusive competence not only to assess third countries for an adequacy decision authorizing the international transfer of personal data to third countries or international organizations in relation to the General Data Protection Regulation (GDPR) but also for law enforcement purposes under the Law Enforcement Directive (LED). So far, no LED adequacy decision has been adopted.

  • The complexity and the fragmentation of data protection within a law enforcement context complicate the task of the Commission to adopt a LED adequacy decision. Moreover, in light of the fact that due to existing international law enforcement cooperation mechanisms mainly based on international agreements such as ‘Mutual Legal Assistance Treaties’ (MLATs), international data flows for law enforcement appear to continue ‘as usual’, the Commission seems to feel no urgency to adopt them. This poses the question why LED adequacy decisions were introduced in the first place and if the existing framework suffices for the protection of fundamental rights in a manner essentially equivalent to the EU as mandated for data transfers by the Court of Justice of the European Union (CJEU) since Schrems.

  • My systematic analysis of these questions based on EU fundamental rights law shows that LED adequacy decisions are crucial within the EU data protection system for law enforcement both from a fundamental rights perspective and from a systematic and practical viewpoint and that their absence seriously undermines the protection of EU fundamental rights.

The complexity and the fragmentation of data protection within a law enforcement context complicate the task of the Commission to adopt a LED adequacy decision. Moreover, in light of the fact that due to existing international law enforcement cooperation mechanisms mainly based on international agreements such as ‘Mutual Legal Assistance Treaties’ (MLATs), international data flows for law enforcement appear to continue ‘as usual’,9 the Commission seems to feel no urgency to adopt them.10 This poses the question why LED adequacy decisions were introduced in the first place and if the existing framework suffices for the protection of fundamental rights in a manner essentially equivalent to the EU as mandated for data transfers by the Court of Justice of the European Union (CJEU) since Schrems.11

To answer this question, I first map the system for international personal data transfers envisioned in the LED. Against this systematic background with the help of EU fundamental rights law and case law of the CJEU, I evaluate the role LED adequacy decision play for the protection of fundamental rights for personal data transfers within a law enforcement context. My analysis shows that LED adequacy decisions are crucial within the EU data protection system for law enforcement both from a fundamental rights perspective and from a systematic and practical viewpoint and that their absence seriously undermines the protection of EU fundamental rights.

International personal data transfers under the LED

Definition and rationale of international personal data transfers

Before mapping the legal framework for international personal data transfers, it is important to understand the term ‘international personal data transfer’. There is no definition for it in the LED (or for that matter in the GDPR), despite there being a whole chapter dedicated to the regulation of such transfers.12 During the legislative process for the LED and the GDPR, the European Data Protection Supervisor (EDPS) had actually urged to include such a definition,13 but this plea was not taken up by the EU legislator. This is a problematic oversight, as it becomes increasingly difficult to determine whether a personal data processing operation (also) constitutes a transfer of personal data. As the EDPS points out: ‘the difference between actively transferring and making data available is becoming theoretic while the consequences in terms of applicable law are huge for data controllers and individuals.’14 For example, it is unclear whether the uploading of information on an internet page or the use of a cloud server in a third country always also constitutes an international transfer of that personal data.15

For the purposes of this article, international data transfer will be understood as any action that enables a law enforcement authority in a third country or a relevant international organization to access personal data that originated in the EU. This includes for example, if an EU law enforcement authority exchanges personal data via Interpol’s data systems16 or if an EU law enforcement authority requests information on a specific person from a law enforcement authority in a third country, transmitting for the purposes of this request the name of the person.

To understand the provisions regulating international data transfers in the LED, it is important to recall their rationale.17 From an EU regulatory perspective, the regulation of international personal data transfers is necessary, since any protection for personal data achieved within the EU via diverse instruments including EU fundamental rights would be a failure if it would stop at the EU borders.18 In other words, the transfer of personal data risks undermining the EU’s fundamental right standard achieved via the Charter of Fundamental Rights of the EU (CFR)19 implemented by the various EU data protection instruments, therefore data protection transfer rules are meant to secure this standard. This objective was confirmed by the CJEU in Schrems, where the court established that a third country would need to ensure a standard of essential equivalence in terms of fundamental rights protection for a transfer to occur.20 Furthermore, in Opinion 1/15, the CJEU ruled that communication of personal data ‘to a third party such as a public authority’ always interfered with the right to private life (Article 7 CFR), ‘whatever the subsequent use of the information communicated’ (hence also if the information is used for law enforcement purposes).21 The LED expressly links its transfer provisions to the protection of fundamental rights in Article 35(3) and recital 67. As a consequence, the different instruments of the LED enabling international personal data transfers need to ensure a high standard of protection of EU fundamental rights.22

General conditions for international personal data transfers under the LED

The provisions concerning international personal data transfers are found in Chapter V LED titled ‘Transfers of personal data to third countries or international organisations’. The LED is regulating these transfers in the following manner: first, it sets out a number of general conditions that any transfer under the LED has to fulfil (Article 35). Second, it provides some additional specific rules for each of the different mechanisms enabling international personal data transfers under the LED (Articles 36–38).

The LED thus lists five conditions in Article 35(1) that every international personal data transfer has to respect before it can be conducted.23 These conditions are exhaustive. First, the transfer has to be necessary for the purposes of the LED (law enforcement purposes).24 Second, the receiver of the data must be a controller that is an authority competent for these law enforcement purposes (law enforcement authority).25 Third, if personal data originated from another Member State in the EU, that Member State must have given prior authorization for the transfer.26 Fourth, there needs to be either an adequacy decision, appropriate safeguards or a derogation as a legal basis for the transfer.27 Finally, any onward transfers by the receiving Non-EU entity must be secured by conditioning it on the authorization of the EU law enforcement authority.28 An overview of all conditions and mechanism can be found in Figure 1.

The system for personal data transfers under the LED.
Figure 1.

The system for personal data transfers under the LED.

The fact that these conditions rely on both the LED concepts of ‘law enforcement purposes’ and ‘law enforcement authorities’ has the consequence that the differences in national transpositions of these concepts also ‘spill’ over to the area of international personal data transfers under the LED. The concept ‘law enforcement purpose’ is defined in Article 1(1) LED as ‘prevention, investigation, detection or prosecution of criminal offences’ or ‘the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security’. This definition operates with a presumed common understanding in the EU of what constitutes a criminal offence, which according to recital 13 LED is to be understood in the context of the LED as an autonomous concept of Union law. In practice however, Member States have very different ideas on what constitutes a criminal offence, with some Member States understanding this concept as including also administrative violations that eventually can lead to a criminal charge.29

Regarding, the concept of law enforcement authority, it is notable that the definition in Article 3(7) LED is very wide.30 It does not only encompass traditional law enforcement authorities, but also customs and border guards, financial intelligence units and any other private actors having a law enforcement task.31 Problematically, Member States are also interpreting this provision differently, leading to some of these authorities processing personal data under the rules of the LED, while the same authorities in other Member States process personal data in line with the GDPR.32 Such different understandings of law enforcement authority can make it difficult to find out which EU law enforcement authorities would actually have to apply the rules of international personal data transfers of the LED.

Even though all five conditions outlined above are exhaustive, there are two exceptions for situations when not all of them have to be present before an international personal data transfer can occur under the LED. The first exception states that transfers can occur to an individual or non-law enforcement entity instead of a law enforcement authority if the conditions of Article 39(1) are followed. Under the conditions of Article 39(1) such transfers can occur if all other provisions of the LED are complied with in circumstances where a transfer to the competent authority in the third country or international organization would be ‘ineffective or inappropriate’ and the ‘fundamental rights and freedoms of the data subject concerned’ are overridden by the ‘public interest necessitating the transfer’.33 This exception is also relevant for international personal data transfers to processors outside of the EU, as Article 35(1)(b) principally only foresees transfers to controllers.34 The second exception concerns the condition in Article 35(1)(c), thus cases where the personal data were not originally from the transferring Member State. The exception allows for transfers to occur without any authorization of the original Member State (which would otherwise be the general rule), if there was an emergency (e.g. prevention of an immediate and serious threat to public security of a Member State or a third country or to essential interests of a Member State) and if prior authorization cannot be obtained in due time.35

Adequacy decisions under the LED

Once these general conditions of the LED for international personal data transfers are fulfilled, one option for transferring personal data to a law enforcement authority in a third country or an international organization are LED adequacy decisions.36 Like their GDPR cousin, LED adequacy decisions would need no further authorization for the transfer to take place as the third country, territory or international organization is considered to provide an adequate level of protection for EU fundamental rights (though the general principles outlined above apply).37 Such decisions can be taken only by the Commission via an implementing act.38 They can concern a whole country, a territory or an international organization. Criteria for assessing adequacy are the rule of law, human rights, effective data subject rights including judicial redress opportunities and an independent supervisory authority. These criteria should be established via assessing the domestic legislation, practice and international commitments of a third country, territory or international organization.39

A LED adequacy decision therefore confirms that a third country, territory or international organization ensures ‘an adequate level of protection essentially equivalent to that ensured within the Union’ for fundamental rights (standard of essential equivalence).40 To guarantee the validity of the assessment, the Commission has to monitor adopted adequacy decisions41 and repeal, amend or suspend those where the assessed third country, territory or international organization stopped offering ‘an adequate level of protection’42 after it tried in consultation to remedy the situation.43 If an adequacy decision is subsequently changed, this does not affect other transfer mechanisms under the Directive.44

There are no written rules on who starts the adequacy process, meaning that it is not regulated in the LED whether the Commission approaches third countries or international organizations, or whether interested parties come to the Commission to ‘apply’ for a LED adequacy decision. In an expert group meeting, the Commission explained that it will start an adequacy assessment under the LED if there is either a request by a third country or if there is a need (e.g. ‘for important partners in the area of law enforcement, or where the third country will host a major event, e.g. Olympic Games, that will likely create real need for such cooperation in the future’).45 It seems therefore that in practice LED adequacy decisions could come from a pro-active approach of the Commission or from active interest from third countries or international organizations.

Appropriate safeguards and derogations under the LED

Before furthering the analysis into the relevance of LED adequacy decisions, it is important to briefly outline the other transfer mechanisms under the LED as these are different in the way they offer protection of fundamental rights providing reasons to argue a need for LED adequacy decisions from an EU fundamental rights perspective.46

The first alternative the LED provides for adequacy decisions are appropriate safeguards,47 of which there are two options, either a ‘legally binding instruments’ such as ‘legally binding bilateral agreements’48 or a self-assessment by the law enforcement authorities that there are appropriate safeguards for personal data at their destination (a third country, territory or international organization).49 For the latter option, recital 71 LED explains that when controllers make use of this option, they should take into account the confidentiality of the data and general data protection principles. It further indicates that there are no appropriate safeguards, if data processing could lead to the execution of ‘a death penalty or any form of cruel and inhuman treatment’.50 Moreover, if this latter option is used, the data protection authority (DPA) of the Member State of the law enforcement authority conducting the transfer(s) has to be informed. The DPA however does not have a veto right to the transfers, though in theory the DPA could use its powers under Article 47 to for example warn the controller about potential issues or even impose a temporary ban of the transfer.51

Compared to the GDPR, the LED offers surprisingly little detail on these two options for appropriate safeguards.52 It is also notable that while in the GDPR nearly every option for appropriate safeguards involves either the authorization of the Commission or of the DPA ex ante,53 both LED options come without such a safeguard.

As a second alternative to LED adequacy decisions, Article 38 LED lays down a set of five derogations that can only be used when neither a LED adequacy decision or one of the options for appropriate safeguards are available.54 These five derogations concern transfers for ‘vital interests of the data subject or another person’, a transfer to safeguard ‘legitimate interests of the data subject’, transfers to prevent ‘an immediate and serious threat to public security in a Member State or a third country’, a transfer in individual cases for law enforcement purposes, and if a transfer is necessary for ‘the establishment, exercise or defence of legal claims’.55 The last two derogations are conditional on the public interest overriding the fundamental rights of the individual concerned.56 Any use of a derogation has to be documented by the law enforcement authority, and this documentation can be consulted by the DPA upon request.57 The derogation options of the LED have been criticized for being too flexible. Especially the EDPS found concerning that there was no limitation on the use of these derogations so that their application is excluded in case of ‘frequent, massive and structural’ transfers.58

Relevance of LED adequacy decision within the EU legal system for data protection in the law enforcement sector

As mentioned above, there are currently no adopted LED adequacy decisions. Though, the Commission keeps hinting at plans to bring one into existence since 2017.59 In its latest public statement on LED adequacy in July 2019, the Commission repeated this intent to adopt LED adequacy decisions, by stating that it ‘considers to make use of the possibility to adopt adequacy decisions under the Data Protection Law Enforcement Directive to deepen its cooperation with key partners in the fight against crime and terrorism’.60 However, it is unclear which concrete countries or international organizations are currently considered for a LED adequacy decision, or if any third country or international organization would even be interested in obtaining one.

Despite the absence of LED adequacy decisions, law enforcement authorities in the EU still cooperate with law enforcement authorities in third countries or with international organizations in a manner that includes the exchange of personal data. This invites an existential question about LED adequacy decisions: do they legally matter? The following sections assesses arguments why LED adequacy decisions do matters, especially from an EU fundamental rights perspective.

Appropriate safeguards under the LED offer insufficient fundamental rights protection

In absence of LED adequacy decisions, law enforcement authorities are mainly dependent on appropriate safeguards as regulated in Article 37 LED, as derogations are not always applicable. Technically this should not reduce the protection of EU fundamental rights since as was recently declared by the CJEU in Schrems II all different transfer mechanisms aim to ensure the standard of essential equivalence for EU fundamental rights (one standard view) in transfer situations.61 However, both options for appropriate safeguards, ‘legally binding instruments’ (mainly international agreements)62 and self-assessment of a third country or international organisation,63 reveal significant drawbacks when compared to a potential LED adequacy decision in terms of the fundamental rights protection offered.

Legally binding instruments

The most common legally binding instrument for the exchange of personal data in a law enforcement context are international agreements.64 For such exchanges, there are a myriad of already existing international agreements by the EU with third countries (e.g. Mutual Legal Assistance Treaty (MLAT)65 with the United States (US) or Japan).66 In addition to these, Member States have partly their own arrangements since this was possible under the Framework Decision.67 Like LED adequacy decisions, international agreements enabling transfers under the LED would have to secure the standard of essential equivalence for the protection of fundamental rights following the one standard view.68 However, many of these existing international agreements concluded by the EU and its Member State offer little in terms of fundamental rights and personal data protection having been adopted before the standard of essential equivalence was pronounced in Schrems. In a Commission expert group meeting, several Member States actually noted that ‘they have quite a high number of agreements on transfers of data for law enforcement purposes dating back to the 60's and 70's’ and that these ‘are deemed to be non-compliant either with Union law applicable before May 2016 or with the Directive’.69

A good illustration for the difficulties of using existing international agreements for law enforcement exchanges for the purposes of the LED are the arrangements the EU concluded with US for the area of law enforcement. Originally, the EU and the US had concluded a MLAT to enable exchanges of personal data by law enforcement authorities.70 However, this agreement did not include enough safeguards for EU fundamental rights (a problem that became urgent with the CJEU decision in Schrems), therefore the EU and the US concluded the Umbrella Agreement to offer additionally data protection safeguards.71 According to the Commission, the Umbrella Agreement ‘retroactively’ solved all data protection issues, that law enforcement transfers had to the US,72 and should even serve as a model for future agreements on law enforcement exchanges.73

In the system of the LED, the Umbrella Agreement would now be considered an appropriate safeguard under Article 37(1)(a) LED, as a binding and enforceable instrument and could thus continue to serve as an authorization for law enforcement transfers between the EU and the US.74 However, a quick analysis of the Umbrella Agreement reveals that it most likely would not pass the scrutiny of the CJEU applied in Schrems and Schrems II.75 The main issue being that there is no fundamental rights assessment because the Umbrella Agreement does not discuss any provisions in US law. At the same time however, the Agreement assumes US law to be in line with the principles set within in. Based on this assumption, the Agreement then allows for personal data transfers to the US.76 Without knowledge on how the different principles of the Umbrella agreement are actually implemented,77 it becomes impossible to assess crucial fundamental rights safeguards such as effective data subject rights78 or independent supervision.79 Actually, findings of the CJEU in Schrems80 and Schrems II question the standard of protection for personal data in relation to public authorities such as law enforcement authorities in the US, especially concerning redress options.81 These findings lead me to the conclusion, that for international personal data transfers to the US under the Umbrella Agreement EU fundamental rights are not safeguarded in a manner ‘essentially equivalent’ to that in the EU.82

The issue that existing international agreements in the area of law enforcement fail to meet the standard of essential equivalence is further aggravated by the fact that an update of many of these international agreements seems unlikely. According to Article 61 LED, all of the international agreements enabling international personal data transfers now remain in force ‘until amended, replaced or revoked’. The LED however lacks a provision requiring the EU or Member States to actually update these agreements.83 Therefore, unless the EU or the Member States proactively engage with these agreements out of their own initiative, so that they lose their validity, these ‘old’ international agreements continue to determine the fundamental rights protection for personal data in a law enforcement context.84 While there is an obligation on Member States in the Treaty on the Functioning of the EU (TFEU) to amend existing international agreements in line with the EU treaties,85 strict enforcement of such an obligation seems unlikely as the Commission has indicated that for them interpretative solutions are sufficient for most issues.86

In light of these difficulties with existing international agreements, LED adequacy decisions represent an opportunity for improvement. LED adequacy decisions would have to implement an adequate level of EU fundamental rights protection from the start, and as such would trump existing agreements that where not envisioned with that standard in mind in terms of fundamental rights. Even for agreements that were concluded when the standard of essential equivalence was already pronounced by the CJEU, such as the Umbrella Agreement, LED adequacy decisions present an opportunity to address issues that have since then become (even more) apparent. Admittingly, the same improvements could also be achieved if existing international agreements would be updated to better protect EU fundamental rights.

Self-assessed appropriate safeguards

An even more pressing argument for the importance of LED adequacy decision can be found when analysing the second alternative to LED adequacy decisions—self-assessed appropriate safeguards.

Even though, following the ‘one standard view’, all LED transfer mechanisms have to in theory obtain the same standard of fundamental rights protection, the LED adequacy assessment process is designed in a way that offers more thorough scrutiny of the fundamental rights assessment than self-assessed appropriate safeguards. As noted, LED adequacy decisions are adopted by the Commission as implementing decisions.87 The process of adopting such a decision includes a mandatory opinion by the European Data Protection Board (EDPB) to comment on the envisioned decision (though the Commission is not bound by these comments) providing ex ante scrutiny.88 More importantly however, the scrutiny of LED adequacy decision does not end once it is adopted: The Commission is required to regularly review and report on the implementation of the adequacy decision89 and in case the third country, territory or international organization is no longer adequate, repeal the decision.90 Since adequacy decision form part of EU law they also fall under the scrutiny of the CJEU for their compliance with EU law including EU fundamental rights law, ensuring ex post scrutiny.91 Even though the whole adequacy process could also be improved (for example there could be more transparency during the negotiations),92 it still offers a robust level of scrutiny that helps secure an adequate level of EU fundamental rights protection.

With such a high level of scrutiny regarding the assessment of fundamental rights, LED adequacy decisions clearly differ from self-assessed appropriate safeguards under Article 37(1)(b) LED. While the DPA has to be informed when a transfer occurs using Article 37(1)(b) LED and such transfers need to be documented,93 DPAs do not have any authorizing powers.94 This leaves the fundamental rights assessment completely in the hands of the law enforcement authorities wanting to transfer personal data to a third country. However, law enforcement authorities are not exactly in a position to neutrally judge the fundamental rights protection offered by a third country or an international organization, when they think themselves heavily dependent in their investigations on the personal data requested. The ex ante scrutiny will hence not be the same as for LED adequacy decisions, also because input of the EDPB or the European Parliament would be lacking.95 Additionally, the LED does not foresee any rules on how such appropriate safeguards can be assessed ex post after the initial information of the DPA. The only ex post scrutiny would be conducted by the CJEU, dependent on whether issues reach the national courts and are subsequently submitted for a preliminary ruling.96

Moreover, despite the legal complexity of assessing a third country, territory or international organization for their standard of protection in terms of EU fundamental rights, there currently exists no guidance by either the EDPB or national DPAs on how law enforcement authorities should conduct such an assessment. The only indications on what a law enforcement authority should take into account can be found in recital 71 LED, which advises to consider cooperation agreements of Europol and Eurojust (which as explained below have their own fundamental rights problems and are therefore not necessarily useful guidance) and to insist on provisions ensuring ‘confidentiality obligations and the principle of specificity’. While the latter is definitely a step towards ensuring a standard of essential equivalence in term of fundamental rights protection, it is in itself not enough. Recital 71 also mentions that there should be no transfer of personal data if this could lead to a death penalty or cruel and inhuman treatment of the data subject. Again, while this is a useful consideration, it does not provide much guidance to law enforcement authorities how to undertake the whole assessment. Judging from Schrems II, where the CJEU found that the criteria listed in the GDPR for assessing adequacy, are equally relevant for the controller when assessing whether there is an equivalent level of protection regarding access by public authorities for a transfer under Standard Contractual Clauses (SCC),97 a law enforcement authority will probably have to consider the elements listed for adequacy decisions in the LED.98 In light of the fact, that the CJEU has already twice found an assessment made by the Commission insufficient,99 an institution more experienced in this matter, it seems as if EU law enforcement authorities are asked the nearly impossible in Article 31(1)(b) LED as they are left to their own devices in assessing their partners in personal data exchanges for essential equivalence.100

To conclude, self-assessed appropriate safeguards under Article 37(1)(b) LED severely lack in scrutiny when compared to LED adequacy decisions because of little ex ante or ex post evaluations. Without such scrutiny, it is to be feared that law enforcement authorities will be put under pressure to authorize transfers to third countries based on insufficient safeguards to not hamper ongoing investigation. The fact that there is currently no official guidance for such an assessment on any level further aggravates the pressure a law enforcement authority is under.

The important role of LED adequacy decisions for Europol, Eurojust and EPPO

The importance of LED adequacy decisions for the EU system of protection of personal data in the law enforcement context becomes even more pronounced within a systematic analysis of said system. This is because the EU legislator has since the adoption of the LED designated LED adequacy decision as a transfer mechanism also for international personal data transfers by Europol,101 Eurojust,102 and EPPO.103 While the regulations governing these bodies all include their own rules for international personal data transfers to third countries and international organizations,104 they therefore also rely on LED adequacy decisions as one mechanism to authorize such transfers.105 Due to the lack of LED adequacy decisions, Europol, Eurojust, and EPPO are like ‘general’ EU law enforcement authorities exclusively reliant on the other transfer mechanisms foreseen. However, just as within the LED, these other mechanisms often severely lack in the protection of EU fundamental rights.

In the absence of a LED adequacy decision, Europol heavily depends on existing arrangements made under their previous legal regime.106 Under this regime, Europol concluded so-called operational agreements with third countries for the exchange of personal data107 and can according to the Europol Regulation continue to use them to authorize international personal data transfers.108 Problematically, these existing arrangements of Europol would not pass the scrutiny by the CJEU.109 Taking for example the arrangements with the US:110 The Europol agreement with the US is lacking any judicial remedies or any concrete bodies to address remedies too, which at the very least constitutes the same problem noticed by the CJEU in Schrems and Schrems II with Article 47 CFR (right to an effective remedy).111 While these agreements have to be reviewed by the Commission in 2021, there is no obligation to amend them to bring them in line with EU fundamental rights.112 In absence of any action by the Commission or a LED adequacy decision, Europol is significantly lacking in their protection of fundamental rights in international personal data transfers based on their existing arrangements.

For Eurojust the situation is even worse as the Eurojust Regulation offers the possibility for Eurojust to self-assess without external involvement whether another country or international organization has an adequate level of fundamental rights protection. Hence, in the absence of a LED adequacy decision, Eurojust can continue concluding arrangements for cooperation with third countries or international organizations that might not be in line with the standard of essential equivalence and without much scrutiny.113 Moreover, existing arrangements of Eurojust are like their Europol counterparts not in line with the standard of essential equivalence.114 The Eurojust agreement with the US for example shows the same issues as the Europol decisions discussed above: lack of any remedies or bodies to address these remedies to.115 Like for Europol, protection of fundamental rights in international personal data transfers by Eurojust hence suffers from the absence of any LED adequacy decisions ensuring their protection.

Similar problems exist also for EPPO, where legal uncertainty is further fostered by the fact that there are no previous arrangements a transfer could be based on, so EPPO will have to rely solely on self-assessed appropriate safeguards in line with Article 82(1)(b) EPPO Regulation until LED adequacy decisions or international binding agreements are concluded. This is a cause of concern in terms of scrutiny of the fundamental rights assessment as described above for the self-assessment under the LED. Since EPPO will only become fully operational by the end of 2020,116 it remains to be seen how these different transfer mechanisms will be used in practice. The issue that not all Member States of the EU participate in EPPO (EPPO currently involves 22 Member States) could further complicate the situation.

To conclude, due to the fact that LED adequacy decisions play an important role in the protection of personal data within an international personal data transfer for Europol, Eurojust and EPPO especially in the absence of any changes to existing arrangements, their non-existence lowers the protection of EU fundamental rights.

Potentially higher efficiency of LED adequacy decisions

A final practical argument in favour of LED adequacy decisions lays in their higher efficiency. This can be argued in two ways. First, it can be said that LED adequacy decisions appear more efficient compared to the tool that is now often used for law enforcement cooperation: MLATs. MLATs are criticized for taking a long time, because of the many administrative steps to be completed by law enforcement authorities to receive personal data under it117 and are therefore considered by some as inefficient.118 Since a LED adequacy decision would not require any further authorization steps, if all the general conditions for transfers under the LED are fulfilled, it could enable a speedier process compared to the MLAT proceedings. However, MLATs concern the exchange of (electronic) evidence more generally, and thus not everything that can be exchanged under a MLAT will be personal data and as such available for a transfer under a LED adequacy decision.

Critiques about the slowness of MLATs are not without counter-critiques though. Both the EDPS and the EDPB caution against bypassing MLATs as the traditional mechanism for evidence exchanges, as they have developed a series of safeguards to protect individuals.119 As the quickness of a procedure should not come at the expense of the protection of EU fundamental rights, this argument about higher efficiency of LED adequacy decisions can only hold, if the LED adequacy decision authorizing the transfers offers also more fundamental rights protection for individuals than the traditional MLAT in place.

A more convincing argument about the higher efficiency of LED adequacy decisions can be made if efficiency is considered as a comparison with how law enforcement personal data exchanges have been handled before the LED. Concretely, when one considers the issue that Member States used to set their own fundamental right standards for assessing third countries and international organizations for international personal data transfers in a law enforcement context.120 Should a LED adequacy decision exist for a third country, territory or international organization, it would be based on a EU fundamental rights standard. This is more ‘efficient’ than having to handle 27 different fundamental right standards of each Member State for this area, especially from the perspective of the third country, territory or international organization. It must however be noted, that the relationship between EU fundamental rights protection and national constitutional fundamental rights protection is still under development,121 so that national rules might still play an important role when negotiating for LED adequacy.

Conclusions

As my research shows, LED adequacy decisions are necessary to improve the protection of EU fundamental rights in the context of international personal data transfers conducted for law enforcement purposes. It is worrisome that the LED sets up a system that in practice makes international data transfers for law enforcement purposes occur either under pre-existing international agreements that lack in the protection of fundamental rights or on the basis of a self-assessment for fundamental rights by the law enforcement authority conducting the transfer. Especially the latter option is concerning from the perspective of fundamental rights due to a lack of any in-built ex ante or ex post scrutiny of the assessment. On top of that, law enforcement authorities cannot rely on any guidance by EU data protection institutions for an assessment that has puzzled the Commission and academics ever since its pronouncement in Schrems. Can we really expect law enforcement authorities to solve such a complex legal issue on the spot in the high-pressure environment of daily police work? I fear that the combination of these factors creates a situation where it is nearly impossible for a law enforcement authority to correctly assess their partner in a law enforcement exchange for EU fundamental rights.

It has to be admitted however, that the introduction of LED adequacy decisions is not the only solution to the problems pointed out in this article. As noted, many personal data exchanges for law enforcement purposes rely on outdated arrangements in terms of fundamental rights. These arrangements could be revised and reformed to better protect EU fundamental rights. However, considering that such reform or revision would have been possible ever since the CJEU pointed out the high standard of protection for fundamental rights needed for international personal data transfers in Schrems, I conclude that there is a general lack of willingness to conduct such reforms and revisions. The only law enforcement arrangement for international personal data transfers that has been reformed since Schrems is the one for exchanges with the US, the Umbrella Agreement, and as argued above that arrangement is far from being an adequate protection for EU fundamental rights. Moreover, the introduction of provisions in many recent EU law enforcement instruments expressly allowing the continuing application of previous arrangements without any deadline for bringing them in line with the modern data protection regime, indicates that there is especially a lack of willingness (or lack of understanding) on the side of the EU legislator to address this issue.

It follows that LED adequacy decisions might not be the only solutions to improve the protection of EU fundamental rights, but they do present a new chance to get this protection right. Additionally, they present a relatively easy way to update the existing complicated framework at EU level. Instead of having to rely on outdated international agreements, where each EU law enforcement agency has their own, there could be one LED adequacy decision applicable to all, also helping uniformity of EU law. An obvious candidate for such a LED adequacy decision would be Interpol, an international organization, whose regime for personal data protection is currently questioned in a reference to the CJEU.

In the end, LED adequacy decisions have the potential to be an opportunity to exchange personal data internationally between law enforcement authority in an efficient manner with enhanced scrutiny on the protection for fundamental rights they offer. In light of the presented research, it is likely that the presence of LED adequacy decisions would significantly improve the protection of fundamental rights and the efficiency of international personal data transfers for the law enforcement sector compared to the current situation.

I want to thank Professor Gloria Gonzaléz Fuster, Professor Christopher Kuner and Svetlana Yakovleva for their comments, and Juraj Sajfert, Christian Wiese Svanberg and Julia Ballaschk for their valuable feedback and explanations. This research forms part of the Ph.D thesis of the author, for which she receives funding from the Research Foundation—Flanders (FWO) (grant number 1165319N).

Footnotes

1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1.

2

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ 2016 L 119/89.

3

See Declaration on the protection of personal data in the fields of judicial cooperation in criminal matters and police cooperation, OJ 2012 C 326/337: ‘The Conference acknowledges that specific rules on the protection of personal data and the free movement of such data in the fields of judicial cooperation in criminal matters and police cooperation based on Article 16 of the Treaty on the Functioning of the European Union may prove necessary because of the specific nature of these fields.’

4

See inter alia Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, OJ 2018 L 295/39 (EUDPR), Arts 46–51; Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, OJ 2016 L 119/132 (PNR Directive), Art 11; Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/035/JHA, 2009/936/JHA, OJ 2016 L 135/53 (Europol Regulation), Art 25; Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust), and replacing and repealing Council Decision 2002/187/JHA, OJ 2018 L 295/138 (Eurojust Regulation), Art 56; and Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (‘the EPPO’), OJ 2017 L 283/1 (EPPO Regulation), Arts. 80-84.

5

See Arts 60 LED and 61. Art 62(6) LED foresees that the Commission undertakes an assessment of existing EU legislation in the law enforcement area and assesses their compatibility with the LED (with the deadline of 6 May 2019). In an expert group meeting in 2018, the Commission announced that the results of this analysis would be published as part of the European Parliament’s Pilot Project ‘Fundamental Rights review of EU data collection instruments and programmes’. See Commission expert group on the Regulation (EU) 2016/679 and Directive (EU) 2016/680, ‘Minutes of the fifteenth meeting of the Commission expert group on the Regulation (EU) 2016/679 and Directive (EU) 2016/680’ (20 February 2018), 2. The academic report underlying this project was published in December 2019 and revealed the need for more coherence within the EU data protection framework for law enforcement. See Fondazione Giacomo Brodolini, ‘Fundamental rights review of EU data collection instruments and programmes’ (2019), <http://brodolini.mbs.it> accessed 29 September 2020, 92–106. The final report of the Commission published one year and one month after the deadline (on 24 June 2020), reveals further the extent of fragmentation for personal data protection in a law enforcement context. The Commission found 26 EU instruments which touched upon personal data processing in a law enforcement context, of which 10 will need amendments to align with the LED. Two of those expressly will need alignment in the area of international personal data transfers, namely legal instruments implementing the Prüm Decision and the Mutual Legal Assistance Treaty with Japan. See European Commission, ‘Communication from the Commission to the European Parliament and the Council: Way forward on aligning the former third pillar acquis with data protection rules’ COM(2020) 262 final, 3, 8, and 10.

6

See Art 1(3) and rec 15 LED. The fact that the instrument of a Directive was chosen for the law enforcement context, shows according to De Hert and Papakonstantinou that there is a ‘two-speed process’ for data protection in the EU, with the area of data protection in law enforcement still requiring more flexibility for the Member States. See Paul de Hert and Vagelis Papakonstantinou, ‘The New Police and Criminal Justice Data Protection Directive: A First Analysis’ (2016) 7(1) NJECL 7, 9.

7

See Treaty on the Functioning of the European Union, OJ 2012 C 326/47, Art 288 TFEU. See further Paul Craig and Gráinne de Búrca, EU Law - Texts, Cases and Materials (6th edn, OUP 2015) 108.

8

For example, there are diverging national transposition regarding the question of what constitutes a criminal offence, which according to rec 13 LED is an autonomous concept of Union law for the context of the LED. See Commission expert group on the Regulation (EU) 2016/679 and Directive (EU) 2016/680, ‘Minutes of the third meeting of the Commission expert group on the Regulation (EU) 2016/679 and Directive (EU) 2016/680’ (7 November 2016), 1; and Commission expert group on the Regulation (EU) 2016/679 and Directive (EU) 2016/680, ‘Minutes of the seventh meeting of the Commission expert group on the Regulation (EU) 2016/679 and Directive (EU) 2016/680’ (7 March 2017), 1. See further Juraj Sajfert and Teresa Quintel, ‘Data Protection Directive (EU) 2016/680 for Police and Criminal Justice Authorities’ in Cole and Boehm (eds), GDPR Commentary (Edward Elgar Publishing 2020, forthcoming), <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3285873> accessed 29 September 2020, 4.

9

The Commission states that in 85% of all investigation electronic evidence, including personal data, is involved, whereby in two third of those investigation, the evidence is stored with a service provider outside of the EU. See Commission, ‘Recommendation for a Council Decision authorising the opening of negotiations in view of an agreement between the European Union and the United States of America on cross-border access to electronic evidence for judicial cooperation in criminal matters’ COM(2019) 70 final, 1.

10

The Commission could have started negotiating a LED adequacy decision before the end of the national implementation period in May 2019, as the provision on adequacy in the LED (Art 36) does not leave room for the Member States to transpose differently on a national level. The Commission took this approach for the GDPR, where it had started negotiating the adequacy decision for Japan before the GDPR became fully applicable. See Commission Implementing Decision of 23 January 2019 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by Japan under the Act on the Protection of Personal Information (Text with EEA relevance), OJ 2019 L 76/1.

11

Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] ECLI:EU:C:2015:650, para 73. The importance of the standard of essential equivalence for international personal data transfers has been reaffirmed in Schrems II. See Case C-311/18 Data Protection Commissioner v Facebook Ireland and Schrems (‘Schrems II’) [2020] ECLI:EU:C:2020:559, para 94.

12

See Chapter V LED and Chapter V GDPR. There exists a definition of ‘transfer of personal data’ in in the Europol Regulation (n 4), Art 2(m), which defines international personal data transfers as ‘actively’ making personal data available with ‘intention or knowledge’ of doing so. As the CJEU has never included any element of intent or knowledge when discussing international personal data transfers, this definition seems irrelevant for the purposes of the LED and the GDPR. It is furthermore unclear how it operates within the Europol legal framework.

13

See European Data Protection Supervisor, ‘Opinion of the European Data Protection Supervisor on the data protection reform package’ (7 March 2012), 18–19.

14

Ibid.

15

The question whether the mere act of putting information online constitutes an international personal data transfer was put before the CJEU in Lindqvist. In its answer, the CJEU remained vague, though it decided that for the concrete case, the uploading of information on a website was not enough to make it a transfer. See Case C-101/01 Criminal proceedings against Bodil Lindqvist [2003] ECLI:EU:C:2003:596, paras 56–57. See for a critique on that approach, Christopher Kuner, ‘Reality and Illusion in EU Data Transfer Regulation Post Schrems’ (2017) 18(4) German Law J 881, 893.

16

Such transfers are currently being investigated by the CJEU. See Case C-505/19, Bundesrepublik Deutschland (pending).

17

See Christopher Kuner, Transborder Data Flows and Data Privacy Laws (OUP 2013) 61–79.

18

See William L Fishman, ‘Introduction to Transborder Data Flows’ (1980) 16(1) Stanford J Int Law 1, 11; Paul M Schwartz, ‘European Data Protection Law and Restrictions on International Data Flows’ (1995) 80 Iowa Law Rev 471, 472; Dan Jerker B Svantesson, ‘Protecting Privacy on the Borderless Internet – Some Thoughts on Extraterritoriality and Transborder Data Flows’ (2007) 19(1) Bond Law Rev 168, 180; and Dan Jerker B Svantesson, ‘The Extraterritoriality of EU Data Privacy Law – Its Theoretical Justification and Its Practical Effect on U.S. Businesses’ (2014) 50(1) Stanford J Int Law 53, 55.

19

Charter of Fundamental Rights of the European Union, OJ 2010 C 83/389.

20

See Case C-362/14, Schrems (n 11) para 73.

21

See Opinion 1/15 [2017] ECLI:EU:C:2017:592, para 124.

22

Whether all transfer instruments/transfer mechanisms need to ensure the ‘standard of essential equivalence’ as set in Schrems was long debated. The Advocate General (AG) in Schrems II argued for the standard of essential equivalence being of relevance for both adequacy decisions and appropriate safeguards. See Case C-311/18, Facebook Ireland and Schrems (‘Schrems II’) [2019] ECLI:EU:C:2019:1145, Opinion of AG Saugmandsgaard Øe, para 117. In its judgment on Schrems II, the CJEU confirms this interpretation. See Case C-311/18, Schrems II (n 11) para 96.

23

The general principles of the LED for international personal data transfers expanded substantially from its original proposed version. Compare to Commission, ‘Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties’ COM/2012/010 final, Art 33 LED. However, nearly the same conditions could already be found in the predecessor of the LED, the Framework Decision. Compare to Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, OJ 2008 L 350/60 (no longer in force), Art 13(1)(d).

24

Art 35(1)(a) LED. These law enforcement purposes are listed in Art 1(1) LED.

25

Art 35(1)(b) LED. These law enforcement authorities are defined for the EU in Art 3(7) LED, they include ‘(a) any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; or (b) any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security’.

26

Art 35(1)(c) LED. The condition of prior consent of the Member State where personal data originated in, can be explained, according to Sajfert and Quintel, by the EU legislator's wish to ensure that the original controller (Member State) keeps control over the personal data. See Sajfert and Quintel (n 8) 7. According to the Commission, this criterion also means that only ‘official channels’ can be used for transfers. See Commission Expert Group March 2017 (n 8) 1.

27

Art 35(1)(d) LED.

28

Art 35(1)(e) LED. See also rec 65 LED.

29

See Commission Expert Group November 2016 (n 8) 1; Commission Expert Group March 2017 (n 8) 1; and Sajfert and Quintel (n 8) 4.

30

This was criticized by the EDPS. See European Data Protection Supervisor, ‘Opinion 6/2015: A further step towards comprehensive EU data protection - EDPS recommendations on the Directive for data protection in the police and justice sector’ (28 October 2015) 6.

31

See also Mireille M Caruana, ‘The reform of the EU data protection framework in the context of the police and criminal justice sector: harmonisation, scope, oversight and enforcement’ (2017) 33 Int Rev Law Computers & Technol 1, 6; Nadezhda Purtova, ‘Between the GDPR and the Police Directive: navigating through the maze of information sharing in public-private partnerships’ (2018) 8(1) Int Data Privacy Law 52, 61–62.

32

Caruana (n 31) 5–6; Sajfert and Quintel (n 8) 3–4.

33

Art 39(1) seems to be tailored for some sort of ‘emergency situations’ where cooperation with competent authorities in the third country or international organisation is not appropriate or effective and is overall a complex provision to understand. For a more detailed analysis, see Sajfert and Quintel (n 8) 19–20; EDPS 2015 (n 30), 9; Article 29 Working Party, ‘Opinion 03/2015 on the draft directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purpose of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data’ (WP 233, 1 December 2015) 14; and Commission Expert Group November 2016 (n 8) 2.

34

While the condition in Art 35(1)(b) clearly only mentions transfers to controllers, rec 64 LED seems to imply that international personal data transfers can also occur to processors, at least it makes clear that for such transfer the same standard regarding fundamental rights protection in the EU are applicable. Due to the strict conditions of Art 39(1) outlined above, it is questionable how useful Art 39(1) can be to enable personal data exchanges between competent authorities and processors located outside of the EU.

35

Art 35(2) LED.

36

Art 35(1)(d) LED.

37

Art 36(1) LED. For a more detailed discussion of the differences between LED and GDPR adequacy, see Laura Drechsler, 'Comparing LED and GDPR Adequacy: One Standard Two Systems' (2020) 1(2) Global Privacy Law Review 93.

38

Art 36(1) and 36(3) LED.

39

Art 36(2) LED.

40

See rec 67 LED. Rec 67 LED paraphrases the wording of the CJEU in Schrems. See Case C-326/14, Schrems (n 11) para 73.

41

Art 36(3) and (4) LED.

42

Art 36(5) LED.

43

Art 36(6) LED.

44

Art 36(7) LED.

45

See Commission Expert Group March 2017 (n 8) 2.

46

These differences will be discussed in detail below.

47

Art 37(1) LED.

48

Arts 37(1)(a) LED and rec 72 LED.

49

Art 37(1)(b) LED. The Commission considers that this self-assessment would for example enable Member States to transfer personal data to Interpol based on an assessment of their data protection framework. See Commission expert group on the Regulation (EU) 2016/679 and Directive (EU) 2016/680, ‘Minutes of the twelfth meeting of the Commission expert group on the Regulation (EU) 2016/679 and Directive (EU) 2016/680’ (2 October 2017), 2. Whether Interpol offers enough protection for international personal data transfers under the LED is currently being discussed at the CJEU. See Case C-505/19, Bundesrepublik (n 16).

50

Rec 71 LED.

51

Art 47(2)(a) and (c) LED.

52

Compare Art 37 LED to Arts 46 and 47 GDPR. See further Matthias Bäcker and Gerrit Hornung, ‘Data processing by police and criminal justice authorities in Europe - The influence of the Commission's draft on the national police laws and laws of criminal procedure’ (2012) 28(6) Computer Law & Security Rev 627, 632; Article 29 Working Party, ‘Opinion 01/2012 on the data protection reform proposals’ (WP 191, 23 March 2012), 30; and EDPS 2012 (n 13), 64.

53

Art 46(2) and (3) GDPR.

54

Art 38(1) LED.

55

Art 38(1)(a)(b)(c)(d) and (e) LED.

56

Art 38(2) LED.

57

Art 38(3) LED.

58

See EDPS 2012 (n 13) 65; and WP29 2012 (n 52) 31.

59

See Commission, ‘Communication from the Commission to the European Parliament and the Council: Exchanging and Protecting Personal Data in a Globalised World’ COM(2017) 7 final, p3. Later in 2017, in an expert group meeting on the LED, the Commission even outlined to the Member State experts ‘its plans for [LED] adequacy’, indicating that there was a strategy. Details on these plans have however been omitted from the minutes of the meeting. See Commission Expert Group October 2017 (n 49), 2. In an expert group meeting in February 2018, the Commission announced to invite the LED adequacy team to the next meeting to discuss plans on LED adequacy. Unfortunately, February 2018 is the last meeting of this expert group on public record. See Commission Expert Group February 2018 (n 5) 2.

60

Commission, ‘Communication from the Commission to the European Parliament and the Council: Data Protection rules as a trust-enabler in the EU and beyond - taking stock’ COM(2019) 374 final, 13.

61

See Case C-311/18, Schrems II (n 11) paras 92–96. The CJEU confirmed thereby the opinion of the AG. See Case C-311/18, Schrems II (AG Opinion) (n 22) para 117. The different mechanism in the LED are therefore just different ways of reaching the standard of essential equivalence. Such thinking seems from the outset also to be guiding the EDPS, since it found the standard of essential equivalence applicable for a law enforcement context for international agreements in its opinion on the planned agreement between the EU and the US on e-evidence. See European Data Protection Supervisor, ‘Opinion 2/2019 EDPS Opinion on the negotiating mandate of an EU-US agreement on cross-border access to electronic evidence’ (2 April 2019), 7–8.

62

Arts 37(1)(a) LED and rec 72 LED.

63

Art 37(1)(b) LED.

64

According to De Hert and Papakonstantinou, one of the challenges of the LED in relation to transfers will be to balance these existing arrangements with the newly established data protection level of the EU. See De Hert and Papakonstantinou (n 6) 15.

65

See for a comprehensive explanation of MLATs: Sergio Carrera, Gloria González Fuster, Elspeth Guild, and Valsamis Mitsilegas, ‘Access to Electronic Data by Third-Country Law Enforcement Authorities’ (CEPS Study 2015), 2–3 and 7–9.

66

Agreement on mutual legal assistance between the European Union and the United States of America, OJ 2003 L 181/43; and Agreement between the European Union and Japan on mutual legal assistance in criminal matters, OJ 2010 L 39/20.

67

See Framework Decision (n 23) Art 26.

68

The importance of securing fundamental rights protection in international agreements on personal data transfer was confirmed by the CJEU in Opinion 1/15, where the court considered the fundamental rights of privacy (Art 7 CFR), personal data protection (Art 8 CFR), non-discrimination (Art 21 CFR) and effective remedies (Art 47 CFR). See Opinion 1/15 (n 21) paras 134, 149, 150, 165 and 220. See further Christopher Kuner, ‘International agreements, data protection, and EU fundamental rights on the international stage: Opinion 1/15, EU-Canada PNR’ (2018) 55(3) Common Market Law Rev 857, 881.

69

See Commission expert group on the Regulation (EU) 2016/679 and Directive (EU) 2016/680, ‘Minutes of the ninth meeting of the Commission expert group on the Regulation (EU) 2016/679 and Directive (EU) 2016/680’ (4 May 2017), 2.

70

EU-US MLAT (n 66).

71

Agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences, OJ 2016 L 336/3 (Umbrella Agreement).

72

See Commission Expert Group May 2017 (n 69), 2. This opinion was recently reconfirmed when the Commission reviewed the compatibility of the MLAT with the US with the LED and found that ‘appropriate safeguards’ were provided by the Umbrella Agreement, making it unnecessary to compliment the MLAT with additional rules. See EC Communication 2020 (n 5) p 6.

73

See EC Communication 2019 (n 60) 13.

74

See Commission Expert Group May 2017 (n 69) 2 and Sajfert and Quintel (n 8) 19.

75

See also the critique by the EDPS in European Data Protection Supervisor, ‘Opinion 1/2016: Preliminary Opinion on the agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection and prosecution of criminal offences’ (12 February 2016), 13–15.

76

Ibid 7–8.

77

See Umbrella Agreement (n 71) Arts 16–19 and Art 21.

78

The lack of effective data subject rights for EU citizen in the US system against US public authorities including law enforcement did after all led to the end of the Safe Harbour Agreement in the Schrems case. It was also considered a breach of the essence of Art 47 CFR. See Case C-326/14, Schrems (n 11) para 95.

79

Problems with independent supervision contributed to the negative opinion on the draft PNR Canada agreement by the CJEU in Opinion 1/15. See Opinion 1/15 (n 21) para 231.

80

Case C-326/14, Schrems (n 11) paras 94 and 95.

81

Case C-311/18, Schrems II (n 11) paras 151–202. See further Case C-311/18, Schrems II (AG Opinion) (n 22) paras 266–340.

82

According to the Umbrella Agreement, a first joint review shall take place no later than three years from entry into force of the agreement, which should have been December 2019 the latest. See Umbrella Agreement (n 71), Art 23(2). It will be interesting to see whether this review will discuss whether the Umbrella agreement actually fulfils the standard of essential equivalence for EU fundamental rights especially considering that the CJEU in Schrems II annulled the Privacy Shield, inter alia because of a lack of effective remedies for data subjects against US law enforcement and intelligence authorities accessing their personal data. See Case C-311/18, Schrems II (n 11) paras 151–202.

83

This was criticized by the Article 29 Working Party (WP29). See WP29 2015 (n 33) 16.

84

See further De Hert and Papakonstantinou (n 6), 15; and Thomas Marquenie, ‘The Police and Criminal Justice Authorities Directive: Data protection standards and impact on the legal framework’ (2017) 33 Computer Law & Security Rev 324, 338.

85

See Art 351 TFEU. This arguably extends to international agreements threatening the protection of Art 16 TFEU and EU fundamental rights protected by the CFR and implemented by the LED.

86

In an expert group meeting, the Commission confirmed that there was an obligation to align international agreements with the LED for Member States, but also pointed out that for compliance often interpretative solutions might suffice. See Commission Expert Group May 2017 (n 69), 2.

87

The procedure for implementing decisions is set out in the Comitology Regulation. In short, this procedure means that the Commission is accompanied by a Committee made up of Member State representatives when taking an adequacy decision. The Committee will have to approve the adequacy decision before it is adopted by a majority decision. See Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers, OJ 2011 L 55/13, Art 5. In an expert group meeting, the Commission confirmed that Member States will be involved in a LED adequacy process to the same extent as under the GDPR. See Commission Expert Group March 2017 (n 8), 2.

88

Art 51(1)(g) LED.

89

Art 36(3) and (4) LED.

90

Art 36(5) LED.

91

This has proven to be an effective safeguard, when considering that the CJEU repealed the adequacy decision for the US already twice (Safe Harbour Agreement, Privacy Shield) because of fundamental rights issues. See Case C-326/14, Schrems (n 11); Case C-311/18, Schrems II (n 11).

92

This is criticized by Kuner for the GDPR, and since the LED adoption process is presumably the same, the critique would also apply in that context. See Christopher Kuner, ‘Article 45’ in Christoper Kuner, Lee A. Bygrave and Christopher Docksey (eds), The EU General Data Protection Regulation (GDPR): A Commentary (OUP 2020) 785.

93

Art 37(3) LED.

94

Art 37(2) LED.

95

Recent experiences with the Privacy Shield, the Japan adequacy decision but also the Umbrella Agreement have shown that these decisions benefit from feedback by the WP29, the EDPB, or the EDPS on their draft versions and the wider public debate surrounding these feedbacks. Such a reflection period would not exist in case of a self-assessment. See Article 29 Working Party, ‘Opinion 01/2016 on the EU—U.S. Privacy Shield draft adequacy decision (WP238, 13 April 2016), EDPS 2016 (n 75), and European Data Protection Board, ‘Opinion 28/2018 regarding the European Commission Draft Implementing Decision on the adequate protection of personal data in Japan’ (5 December 2018). While not all suggestions in these opinions have been picked up by the Commission for the final adequacy decisions, some did come through, improving the overall result.

96

So far one case has reached the CJEU, concerning the self-assessment of Interpol. See Case C-505/19, Bundesrepublik (n 16). For a discussion of the case and its meaning for appropriate safeguards under the LED, see Laura Drechsler, 'The Achilles heel of EU Data Protection in a law enforcement context: international transfers under appropriate safeguards in the Law Enforcement Directive' in Cybercrime: new threats, new responses: Proceedings of the XVth International Conference on Internet Law & Politics (Huygens editorial, 2020, e-book).

97

Case C-311/18, Schrems II (n 11) para 104.

98

See Art 36(2) LED.

99

Case C-326/14, Schrems (n 11); and Case C-311/18, Schrems II (n 11).

100

See further Caruana (n 31) 18; and EDPS 2015 (n 30) 9. As was confirmed in Schrems II, controllers under the GDPR relying on SCC are in a somehow similar position, as they now also have to assess before relying on SCC for international personal data transfers, whether the destination of the personal data offers an essentially equivalent level of protection. See Case C-311/18, Schrems II (n 11) para 134. While there are differences between such GDPR controllers and law enforcement authorities in resources and time available for such an assessment, the critique that such an assessment is very complex in absence of concrete guidance is also applicable to the GDPR context. The first guidance issued by the EDPB focused on immediate questions after the invalidation of the Privacy Shield and did not contain much guidance on how controllers should conduct their assessments of third countries under the standard of essential equivalence. See European Data Protection Board, ‘Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems’ (23 July 2020).

101

Europol Regulation (n 4) Art 25(1)(a). The Europol Management Board can even ‘suggest’ via the Council that the Commission be alerted to a need for an adequacy decision or an international agreement (Art 11(2)).

102

Eurojust Regulation (n 4) Arts 56(2) and 57.

103

EPPO Regulation (n 4) Art 81.

104

According to De Hert and Papakonstantinou, the way in which EU agencies in the area of law enforcement exchange data with third countries or organisations in third countries is largely unexplored, while a variety of agreements exist that enable such exchanges. See Paul de Hert and Vagelis Papakonstantinou, ‘The data protection regime applying to the inter-agency cooperation and future architecture of the EU criminal justice and law enforcement area’, 1(1) Brussels Privacy Hub Working Paper Series (2014), <https://brusselsprivacyhub.eu/publications/wp11.html> accessed 29 September 2020, 23.

105

Europol Regulation (n 4) Art 25(1)(a), Eurojust Regulation (n 4) Art 57, and EPPO Regulation (n 4) Art 81.

106

Council Decision of 6 April 2009 establishing the European Police Office (Europol), OJ 2009 L 121/37 (no longer in force).

107

Ibid Art 23.

108

Europol Regulation (n 4) Art 25(1)(c). In July 2020, such operational agreements existed with Albania, Australia, Bosnia and Herzegovina, Canada, Columbia, Georgia, Iceland, Liechtenstein, Moldova, Monaco, Montenegro, North Macedonia, Norway, Serbia, Switzerland, Ukraine and the United States. In addition, Europol has an operational agreement with Interpol. See Europol, ‘Operational Agreements’ <https://www.europol.europa.eu/partners-agreements/operational-agreements> accessed 29 September 2020.

109

See also Céline Cocq, ‘EU Data Protection Rules Applying to Law Enforcement Activities: Towards an Harmonised Legal Framework?’ (2016) 7(3) New J Eur Criminal Law 263, 275–276.

110

The original agreement between Europol and the US was concluded in December 2001 and stated in Art 1 that it ‘does not authorise the transmission related to an identified individual or identifiable individual’. See Agreement between the United States of America and the European Police Office, 6 December 2001. This agreement was supplemented one year later with another agreement specifically aimed at the exchange of personal data. See Supplemental Agreement between Europol Police Office and the United States of America on the exchange of personal data and related information, 2002.

111

Compare to Case C-362/14, Schrems (n 11) para 95; Case C-311/18, Schrems II (n 11) paras 191–202. While provisions on data subject rights (on access at least) and independent authorities exist in the US-Europol arrangement, they are so non-specific it seems unlikely that they provide an equivalent standard to what is provided in the LED (or the Europol Regulation). Interestingly, the agreement suggests that EU individuals could still use their rights provided by the Europol legal framework against Europol for protection. See Supplemental Agreement (n 110) Art 10.

112

Europol Regulation (n 4) Art 25(4).

113

Compare to the issues linked to Art 37(1)(b) LED discussed above.

114

In July 2020, such arrangements exist with Serbia, Georgia, Albania, Ukraine, Montenegro, Moldova, Liechtenstein, Switzerland, North Macedonia, United States, Iceland, Norway, Interpol, United Nations Office on Drugs and Crime, Iberoamerican Network of International Legal Cooperation (Iber-RED), and the International Criminal Court (ICC). See Eurojust, ‘Eurojust legal framework’, <http://www.eurojust.europa.eu/about/legal-framework/Pages/eurojust-legal-framework.aspx> accessed 29 September 2020.

115

Agreement between Eurojust and the United States of America, 6 November 2006, Arts 9–19.

117

This criticism comes for example from the US Department of Justice, that mentions that their ‘foreign partners’ complained that the MLAT process takes too long for obtaining electronic evidence from the US. See US Department of Justice, ‘Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act (White Paper)’ (April 2019), 2–3. It is also brought up by the Commission, when arguing for the need for a new international agreement concerning the exchange of electronic evidence with the US. According to the Commission, a request using MLAT can take ‘an average of 10 months’ ‘and can entail a disproportionate expense of resources’. See EC Recommendation 2019 (n 9) 1. The critique that MLATs are time-consuming was also raised by Europol and Eurojust in their joint report, noting that this means that the period evidence is preserved might elapse before access is granted, leading to loss of evidence. See Europol and Eurojust, ‘Common challenges in combatting cybercrime’ (June 2019), 15.

118

According to the Commission, MLATs were ‘designed at a time before the internet, when volumes of requests were a fraction of today’s’. See EC Recommendation 2019 (n 9) 1.

119

This is a concern the EDPB and the EDPS voiced in light of requests under the US CLOUD Act to EU service providers. To address this concern, EDPB and EDPS propose that providers refuse to comply with a request under the CLOUD Act, if it could be handled with under the MLAT. See European Data Protection Board and European Data Protection Supervisor, ‘Annex: Initial legal assessment of the impact of the US CLOUD Act on the EU legal framework for the protection of personal data and the negotiations of an EU-US Agreement on cross-border access to electronic evidence’ (10 July 2019), 1–3. The US Department of Justice however argues that the CLOUD Act does not replace the MLAT but applies in parallel. US Department of Justice 2019 (n 117) 5.

120

For example, a decision by the German constitutional court (Bundesverfassungsgericht) clearly considers a lower standard than the ‘standard of essential equivalence’ pronounced in Schrems as relevant for a law enforcement context, as they for example considered that it is not necessary that a third country offers the same institutional guarantees than the German (!) system. Thus, not mentioning any EU wide guarantees and negating the importance of independent supervisory authorities that the CJEU considered very relevant in this area in the past. See Bundesverfassungsgericht, Urteil vom 20 April 2016, 1 BvR 966/09 and 1 BvR 1140/09, para 335.

121

Consider a recent judgment by the CJEU allowing for the first time for national fundamental rights to override EU law, as discussed by Rauchegger. See Clara Rauchegger, ‘National Constitutional Rights and the Primacy of EU Law: M.A.S.’ (2018) 55 Common Market Law Rev 1521, 1546–1547.

Author notes

Laura Drechsler, Research Foundation - Flanders (FWO)/Brussels Privacy Hub/Law, Science, Technology and Society Research Group (LSTS), Vrije Universiteit Brussel, Brussels, Belgium.

This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic-oup-com.libproxy.ucl.ac.uk/journals/pages/open_access/funder_policies/chorus/standard_publication_model)