Other EU data protection legislation
Introduction
Some uses of personal data fall outside the General Data Protection Regulation (GDPR) and are governed by separate pieces of legislation.
For example, the Law Enforcement Directive establishes data protection standards in the area of criminal offences and penalties. Unless a data protection issue falls clearly under the terms of the Law Enforcement Directive, it will be governed by the GDPR. The Law Enforcement Directive is implemented into Irish law through the Data Protection Act 2018.
Another area where there are a specific set of rules is in relation to the processing of airline passenger data to prevent and prosecute serious crimes and terrorism. This is governed by the Passenger Name Record Directive and the European Union (Passenger Name Record Data) Regulations 2018.
Law Enforcement Directive
The Law Enforcement Directive (Directive 2016/680) specifically regulates the processing of data by police and criminal justice authorities in the EU, such as An Garda Síochána. The Directive requires the data collected by law enforcement authorities to be:
- Processed lawfully and fairly
- Collected for specified, explicit and legitimate purposes and processed only in line with these purposes
- Adequate, relevant and not excessive in relation to the purpose in which it is processed
- Accurate and updated where necessary
- Kept in a form that allows identification of the individual for no longer than is necessary for the purpose of the processing
- Appropriately secured, including protection against unauthorised or unlawful processing
The Directive requires that the law enforcement authorities make a clear distinction between the data of different categories of persons such as:
- Suspected offenders
- Convicted offenders
- Victims
- Other witnesses
National authorities must implement measures to ensure a level of security for personal data, for example, preventing unauthorised persons access processing equipment; preventing the unauthorised reading, copying, changing or removal of data; and preventing the unauthorised input, viewing, changing or deleting of stored personal data.
Data subjects have similar rights under the Law Enforcement Directive as they have under the GDPR, such as rights to information, access, rectifying incorrect information, erasure and to be notified of data breaches.
However, there is greater scope for these rights to be limited than under the GDPR. These rights may be restricted, if proportionate and necessary, to
- Avoid obstructing official or legal investigations or procedures
- Avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties
- Protect public or national security
- Protect the rights and freedoms of other persons.
Passenger Name Record Directive
The Passenger Name Record Directive (PNRD) (Directive 2016/681) regulates the use of passenger name record (PNR) data in the EU for the prevention, detection, investigation and prosecution of terrorist offences and serious crimes.
PNR data is personal information provided by passengers and collected and held by airlines. It includes:
- Travel dates
- Travel itinerary
- Ticket information
- Contact details
- Means of payment used
- Baggage information
Each EU member state has a Passenger Information Unit (PIU), which is responsible for collecting, storing and processing PNR data, as well as transferring that data or the results of its processing to the appropriate national authorities in other member states and Europol. The Irish PIU operates the remit of the Department of Justice.
Airlines must provide PIUs in EU member states with the PNR data for flights entering or departing from the EU. The Directive also allows, but does not require, EU member states to collect PNR data concerning selected internal EU flights.
Data provided by airlines will be stored in a database by a PIU for 5 years. After 6 months’ storage, the PNR data must be de-personalised so the data subject is no longer immediately identifiable.
The data collected may only be processed to prevent, detect, investigate and prosecute terrorist offences and serious crime. Serious crimes include murder, serious assaults, participation in a criminal organisation, human and drug trafficking and the sexual exploitation of children.
Data should only be processed in the following cases:
- For a pre-arrival assessment of passengers against pre-determined risk criteria
- For use in specific investigations or prosecutions
- As input in the development of risk assessment criteria
The EU (PNR Data) Regulations 2018 have transposed the PNRD into Irish law.
Further information
There is further information on the Law Enforcement Directive on dataprotection.ie.
Further information on the PNRD is available from the Department of Justice and the Council of the European Union.